Operational Resilience Versus Business Continuity

Renewed focus on resilience is needed for all organizations regardless of sector or size

What Is Operational Resilience?

Commentators and software vendors propound that the impact of Covid-19 has increased the need for organizational resilience to cater for changes to working, cloud ramp-up and increasing ransomware attacks. However, there is often confusion between the terms organizational resilience and operational resilience. There is also confusion between operational resilience and business continuity. So how can we clarify the differences and what role will each increasingly play?

The ISO definition of organizational resilience, as embodied within ISO 22316, is: “the ability of an organization to absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper”.

By contrast, operational resilience has been defined as: “initiatives that expand business continuity management programs to focus on the impacts, connected risk appetite and tolerance levels for disruption of product or service delivery to internal and external stakeholders”.

The fit between operational resilience and business continuity is that they both, along with risk management, comprise the foundations of organizational resilience. In the case of business continuity, the focus is upon the systems and processes that determine the ability to deliver products and/or services to clients. This entails a bottom-up approach to mapping and the creation of response plans covering a defined number of areas. With increasing technology integration, this frequently prioritises system and IT downtime impacts, with contingency plans and third-party dependency assessments.

By contrast, operational resilience has a far wider envelope than business continuity management (BCM) and commences with a top-down approach, with client acceptance as a key driver: what will a client accept before there is lost custom, reputational damage, and customer churn? Additionally, operational resilience encompasses the overall operating environment, which includes regulations, a large number of stakeholders, and new and emerging technologies and their potential impact. As such, operational resilience may be better regarded as a management framework within which an organization is required to conduct its business.

As Covid-19 has demonstrated, many firms and governments globally were clearly lacking business continuity plans, let alone operational resilience programmes. The ISO 22316 Enterprise Resilience Standard was launched in 2017 and provides a template for the creation of baseline resilience plans, and yet seems to have been ignored by the majority.

Covid has sped up changes previously anticipated and exposed frailties ranging from the global supply chain to security compromises arising from changing working practices. Incoming laws such as the E.U.’s Digital Operational Resilience Act (DORA) were formulated way before the impact of Covid, and DORA applies only to the financial services sector. However, the increased recognition of endemic weaknesses across sectors will surely lead to further laws mandating that organizations undertake pertinent actions to increase and maintain both organizational resilience, to ensure governments do not have to financially support entire sectors, and operational resilience, to reduce exposure to possible but improbable risks.

Top 10 Benefits of Building Operational Resilience

  • Capital allocation efficiency: addressing risk in a proactive manner rather than through high-cost remedial autopsy risk management;
  • Stakeholder assurance: corporate value effects, e.g. governance, environment, equality;
  • Higher resilience results in a more agile organization, able to compete in dynamic operating environments;
  • Creates greater organizational resiliency and fit of operations to corporate strategy;
  • Greater accountability for new and emerging technologies in an era of accelerated innovation and digital attacks;
  • Increasing regulatory scrutiny and volume of laws across sectors;
  • Environmental catastrophes and climate change induced major events are increasing in frequency;
  • Reliance upon third parties within the supply chain for products and services requires additional focus and assessment;
  • Probability of reputational damage and brand value reduction in a social media driven world;
  • Internet of Things and increasing OT/IT create a highly complex environment for identifying single points of failure. A resilience programme embodies all aspects of identifying potential risks.



Selecting development partners you can rely on in producing the best quality output is critical in cyber risk management

Dr. Phillip King-Wilson
Founder, Quantar Solutions
