Organizational Resilience – Positioning Against ISO 22301-Based Business Continuity

Approaches and methods to successfully and sustainably run businesses are being rapidly developed. Recently, the term of Organizational Resilience was interpreted as being the new expression for the term Business Continuity. According to industry sources, based on recent ISO standardization work (ISO 22316:2017), Organizational Resilience is an all-encompassing concept that extends far beyond Business Continuity.

Historic Roots

Both business continuity and organizational resilience aim to run a successful and sustainable business, but there are significant differences within their respective approaches. It might not be useful to discuss which of the two concepts under consideration was first. It’s likely that both disciplines have been observed by company management for quite some time. After all, owners and managers of enterprises are always concerned with running their businesses in a way that would not result in failure if something went wrong.

Business Continuity

The roots of Business Continuity (BC) lie in the military sector where operations must perform under constant threats and attacks in changing environments. BC received a new focus once electronic data processing was deployed. While paper records have been vulnerable to destruction (e.g. fires, floods, etc.) since ancient times, the phenomenon of electronic data vanishing through a simple malfunctioning device, or human error, was a new concept. These risks led to the development of procedures to protect businesses from electronic data losses. The same concept was later developed to protect businesses from other sudden events such as loss of a production site, interruption of a supply chain, or loss of a large percentage of the work force due to a pandemic. Business continuity has developed into a widely-accepted discipline for many industries, especially those where any business interruptions would immediately be felt by customers. It is also practiced by businesses where a loss of life or substantial material losses would occur without any proactive or reactive measures. In 2012, ISO published the first international standard on Business Continuity as ISO 22301:2012, specifying the requirements for a BCMS (Business Continuity Management System). Even some years earlier, ISO published ISO 27001 as an ISMS (Information Security Management System), which focused on safeguarding the information systems of an organization. Learn more how to use these safeguards in the article How to use ISO 22301 for the implementation of business continuity in ISO 27001.

Organizational Resilience

As outlined above, resilience isn’t a totally new concept. However, it took quite some time for an international body like ISO to publish international standards on Organizational Resilience. Typically, creating standards is a group effort comprised of experts (delegates from ISO national member organizations). These experts agree on a compromise regarding the definition and structure of a certain subject matter, supported by a lengthy dialogue with other experts in the field, followed by a final vote (of ISO national member organizations) on the proposed international standard.

According to ISO 22316:2017, the standard provides guidance to enhance organizational resilience for any type and size of the organization. It is not specific to an industry or sector and The standard can be applied throughout the life of an organization. In short, the standard calls for several so-called management disciplines to be brought to maturity; all of them positively interacting with other management disciplines. The standard lists around 20 management disciplines, such as:

  • Asset management
  • Business continuity management
  • Cyber security management
  • Environmental management
  • Information security management
  • Risk management, etc.

Not listed, but still important for specific businesses, are marketing management, monitoring the competition, production technology and engineering capabilities. Learn more about ISO 22316:2017 in the article Organizational resilience according to ISO 22316 – Is this another buzzword?

Let there be Light

This sheds a clear light on how to position Organizational Resilience versus BC: Organizational Resilience is an overarching approach, comprising much more than business continuity. It can possibly encompass all management disciplines important to an organization. Against this background, ISO 22316 – as an attempt to describe Organizational Resilience – may be regarded as an extension of business continuity. Businesses have realized that protection against sudden interruptions is necessary, but is still not enough to ensure the long-term development of an organization.

Slow Threats

Threats may not just be the sudden events that BC is designed to deal with. They may emerge slowly and hardly be noticeable. However, if left unchecked, these “slow” threats may seriously harm the organization over the long-term. For example, an emerging competitor with a convincing product or service may not be a threat tomorrow, but may seriously harm an organization a couple of years down the road. Examples: Nokia, Kodak.

Overarching Approach vs. Special Discipline

We can consider Organizational Resilience an integrated approach for “hardening” an organization in order to ensure long-term progress. This approach is, in turn, based on mastering relevant management disciplines that are important for the organization. In our context, important pillars or building blocks of Organizational Resilience are business continuity management (according to ISO 22301) and information security management (according to ISO 27001). An organization simply cannot reach significant levels of Organizational Resilience by ignoring or neglecting basic management disciplines. Every skyscraper needs a solid foundation.

Use this free Diagram of ISO 22301 implementation process to implement ISO 22301 as one of the important cornerstones of the organizational resilience.