What are the differences between Business Continuity and Operational Resilience?
A troubling stat emerged in the analysis of operational resilience programs. According to the BCI Resilience Report, organizations came to consider operational resilience as “business continuity done well.” Although there are overlaps, the two functions aren’t the same thing. What are the key differences?
Defining operational resilience and business continuity
Well, Gartner defines operational resilience as initiatives that expand business continuity management programs to focus on the impacts, connected risk appetite, and tolerance levels for disruption of product or service delivery to internal and external stakeholders, e.g., employees, customers, citizens, and partners.
What are those initiatives, specifically? Well, again according to Gartner, the initiatives coordinate the management of risk assessments, risk monitoring, and execution of controls that impact workforce, processes, facilities, technology, and third parties across the following risk domains used in the business delivery and value realization process:
- Security (cyber and physical)
- Continuity of operations
On the other hand, business continuity focuses on getting processes back up and running within an agreed timescale; the Recovery Time Objective (RTO) is the target time for restoring a process following a disruption.
Business continuity practitioners, for their part, are responsible for the management of prioritized activities, i.e., those activities that make critical products and services happen. These activities are discovered during the Business Impact Analysis (BIA) process.
The main differences between operational resilience and business continuity
Where do the key differences lie?
Operational resilience deals with the management of critical products and services
Critical, here, characterizes products or services provided by an organization, or another organization on behalf of the organization to one or more clients. These services, if disrupted, would cause intolerable harm to customers or pose risk to the soundness, stability, or resilience of the organization or the market in which it operates.
Operational resilience focuses on getting a process up and running before that process causes intolerable harm
That harm can be to the business, its customers, or the market. An impact tolerance goes a step further than an RTO: it is a service-based objective focused on preventing harm to customers and risk to the market in which the organization operates.
Why the differences between operational resilience and business continuity are important to know
So, why does it matter?
Regulatory compliance is one big reason. Companies are increasingly likely to have to comply with both operational resilience and business continuity regulations. Understanding the difference between the two will help organizations avoid regulatory sanction from non-compliance.
For instance, in the financial services space, the Australian Prudential Regulation Authority (APRA) has released draft Prudential Standard CPS 230, focusing on operational risk management. In the EU, the Digital Operational Resilience Act (DORA) seeks to align the approach to managing ICT and cyber risk in the financial sector across all EU member states. And the Federal Reserve released a joint regulatory paper on Sound Practices to Strengthen Operational Resilience.
These policies, regulations, and proposals all seek to uplevel the operational resilience of individual firms, so that no firm can pose a systemic risk to the wider business sector.
This differs from business continuity regulations, which typically mandate the development and regular updating of a business continuity plan, to cite one commonly seen requirement.
Of course, regulatory compliance isn’t the only reason to understand the differences between operational resilience and business continuity. What are the others? Download our Guide to the Differences Between Operational Resilience and Business Continuity to find out.