
Business Continuity versus Organizational Resilience: The differences between ISO 22301 & ISO 22316

Noggin

Business Continuity Management

Published November 24, 2023

Staying ahead in today’s business environment

Firms today are struggling to find their bearings after years of uninterrupted crises – not just COVID-19 but concurrent emergencies, such as war in Eastern Europe, cyber threats, supply chain disruptions, staffing shortages, rising inflation, natural disasters, and more.

As companies get pushed to the brink, their senior leaders must ask, what will it take to stay ahead?

Organizational resilience and business continuity come to mind. For some, though, these fields all sound the same.

Despite crucial overlaps, organizational resilience and business continuity are distinct practices. Understanding the very real nuances between them is key to staying ahead in today’s volatile business environment.

What are the main differences?

For starters, organizational resilience is the ability of an organization to absorb change and adapt, so as to deliver on objectives, survive, and prosper. Business continuity, on the other hand, is the capability of an organization to continue the delivery of products and services within acceptable time frames at a predefined capacity during a disruption.

Organizational resilience: The ability of an organization to absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper.
Business continuity: The capability of an organization to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption.

The differences go on from there. Indeed, the primary distinctions are sketched out in international standards ISO 22316:2017 and ISO 22301:2019. 

Providing best-practice guidance for organizational resilience and business continuity management systems (BCMS) respectively, the standards offer practical advice for firms of any size and in any industry seeking to develop plans and recovery strategies to address risk. 

What do the standards say? The following guide lays out important themes in each for organizations looking to ensure better incident response, decision making, and continuous improvement.

Core principles of organizational resilience and business continuity

A challenge to enhancing organizational resilience is that there is no single approach. Established management disciplines, such as business continuity, contribute to resilience. Yet they won’t, on their own, ensure an organization gets and stays resilient. 

That’s because organizational resilience, as argued in ISO 22316, results from the interaction of attributes, activities, and contributions made from other technical and scientific areas of expertise – all of which are influenced by the way in which uncertainty is addressed, decisions are made and enacted, and how people work together.

To this end, the purpose of ISO 22316 is to establish the core principles for organizational resilience. The standard identifies the attributes and activities that support an organization in enhancing its resilience.

Meanwhile, ISO 22301 – the sole, high-level, international BCM standard – specifies requirements to plan, establish, implement, operate, monitor, review, maintain, and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.

The standard specifies the structure and requirements for implementing and maintaining such a BCMS – one that will develop business continuity appropriate to the amount and type of impact that the organization may or may not accept following a disruption.

And just like an organization’s resilience will be influenced by a unique interaction and combination of strategic and operational factors, the outcomes of its BCMS will also be shaped by legal, regulatory, organizational, and industry requirements, products and services provided, processes employed, size and structure, and the requirements of its interested parties.

Attributes of organizational resilience and effective business continuity management systems

Beyond that, the biggest question ISO 22316 answers is, what are resilient organizations? They are entities that exhibit the following attributes:

  • Align behavior with a shared vision and purpose
  • Maintain an up-to-date understanding of the organization’s context
  • Rely upon good governance and management
  • Draw on a diversity of skills, leadership, knowledge, and experience
  • Coordinate across management disciplines and garner contributions from technical and scientific areas of expertise
  • Manage risk effectively

Resilient organizations also feature strong leaders. More specifically, senior leaders of resilient organizations have taken the time to develop and encourage others to lead under a range of conditions and circumstances. Those conditions include periods of uncertainty and disruption.

Senior leaders of resilient organizations will have also demonstrated commitment to the following resilience enhancing activities:

  • Providing adequate resources to enhance the organization’s resilience
  • Finding mechanisms to ensure those investments are appropriate to the organization’s internal and external contexts
  • Developing appropriate governance structures to achieve the effective coordination of organizational resilience activities
  • Investing in systems that support effective implementation of organizational resilience activities and arrangements to evaluate and enhance resilience in support of organizational requirements
  • Pursuing effective communications to improve understanding and decision making

Now what about attributes of well-functioning business continuity management systems? Such a BCMS will emphasize the importance of understanding the organization’s needs and the necessity for establishing business continuity policies and objectives.

It will also underline the need to operate and maintain processes, capabilities, and response structures that ensure the organization will survive disruption as well as continue to improve based on qualitative and quantitative measures.

Per ISO 22301, a BCMS, like any other management system, includes the following components: 

  • A policy
  • Competent people with defined responsibilities
  • Management processes relating to:
    – Policy
    – Planning
    – Implementation and operation
    – Performance assessment
    – Management review
    – Continual improvement
  • Documented information supporting operational control and enabling performance evaluation

The importance of sharing information and knowledge in ISO 22316 and ISO 22301

A well-functioning BCMS also relies on the constant flow of high-quality information. Getting the right information to the right people at the right time, however, is a perennial challenge. As it turns out, it is a challenge to achieving organizational resilience as well.

That is why ISO 22301 and ISO 22316 both encourage sharing information and knowledge. ISO 22316 advocates sharing important experiences. It also recommends valuing information, knowledge, and learning – with learnings extracted from all available sources. 

To make that happen, though, information must first be accessible, understandable, and adequate to supporting the organization’s core objectives. 

That means knowledge and information must be created, retained, and applied through established systems and processes. Those processes include the sharing of relevant information in a timely manner with relevant interested parties and (then) applying it in organizational learning. 

Effective business continuity management, too, depends on a thorough understanding of an organization’s internal and external needs, which comes from sharing information and knowledge. As ISO 22301 lays out, the task for business continuity professionals is to set clear boundaries for the scope of the eventual system, consonant with applicable legal and regulatory requirements.

Main components, here, include establishing and documenting the following:

  • What the organization does and the potential impact of disruptions
  • Relationships with other policies and wider risk management
  • Contractual and other requirements
  • Interested parties
  • Scope of the management system

The role of senior leadership in monitoring performance

Given what’s at stake, business continuity management shouldn’t be relegated to a back-office activity. It requires serious, senior management engagement. Only that level of engagement can ensure adequate BCM resourcing and staffing.

Further, senior leaders must strive to establish and document the following:

  • Their commitment with respect to Business Continuity Management
  • The BCM policy
  • Relevant roles, responsibilities, and authorities

Similarly, ISO 22316 puts a high premium on engaged leaders, going so far as to identify the attributes of such leaders. 

Beyond leadership engagement, both business continuity management and organizational resilience entail continually monitoring performance against predetermined criteria. The reason is to learn and improve from experience.

Continual improvement, as such, should be an organizational ethic or value. Demonstrated by a commitment to validate and continually improve resilience activities and capabilities, such an organizational culture would serve to ensure that larger business objectives, strategies, and procedures are kept relevant and appropriate in supporting the changing needs of the organization.

How can senior leaders make that happen? ISO 22316 recommends prioritizing the following activities:

  • Implement performance monitoring and evaluation mechanisms to support continual improvement
  • Ensure that performance management criteria are responsive to changes that affect organizational objectives

For its part, ISO 22301 calls out the necessity of internal audit programs, with components including determining and documenting arrangements for the following:

  • Monitoring, measurement, analysis, and evaluation
  • Internal audit
  • Management review

However, organizations change, and so too does the business environment around them. The BCMS, as such, needs to keep up with those changes.

What’s more, business continuity teams, with sponsorship from top management, must also identify nonconformities and take corrective actions to continue to enhance the overall performance of the BCMS. 

ISO 22301 accounts for this, establishing procedures for the following:

  • Non-conformance identification, reporting, and consequence control
  • Corrective actions (system changes)
  • Continual improvement

Support and resourcing requirements

Like organizational resilience, business continuity management doesn’t happen in a vacuum. More than senior management engagement, organizations will need a stock of qualified professionals with relevant knowledge, skills, and experiences. Lower-level staff will also need to be apprised of their role in responding to incidents. 

Part of those responsibilities will include establishing the following resources to support the BCMS:

  • A competence system
  • An awareness program
  • A communications plan, to include both incident and non-incident situations
  • Documentation and its management

Similarly, ISO 22316 advises organizations to invest in appropriate resources, such as knowledge-sharing assets, which can include people, premises, and/or technology. 

Beyond that, ISO 22316 recommends resourcing the following activities: 

  • Taking appropriate decisions on resourcing and capacity diversification, replication, and redundancy to avoid single points of failure and respond to incidents and change, so that core services are maintained at an acceptable, pre-determined level
  • Selecting and developing employees with a diverse set of skills, knowledge, and behavior that can contribute to the organization’s ability to respond and adapt to change 
  • Developing an ability to identify and respond to changes in a flexible manner, including modifying and redeploying capabilities, arrangements, structures, activities, and behavior to adjust to new conditions
  • Routinely reviewing the suitability, availability, and allocation of resources, taking account of the impact of any changes in the organization and its context

Digital technology to ensure standard compliance

The standard advocates more pointedly for the use of ongoing monitoring reports to track trends in data that have been used to evaluate organizational resilience.

To this end, organizations will have to confirm whether their current information management systems provide essential data to support the input required for an organization’s resilience monitoring. They also need to verify whether the output of subsequent reporting processes is sufficient to develop action plans that enhance organizational resilience.

The only problem is that not all information management systems provide such essential data to support resilience activities. Here again, top management must intervene; in this case considering the critical event management software platforms that can promote resilience. 

Key capabilities to consider include the following:

  • Crisis management. Advanced solutions apply best practices to plan for, respond to, and manage critical events and exercises. Built on international standards, such as ISO 22398, the solutions enable faster response, better collaboration using plans and playbooks, smart workflows, and real-time dashboards and insights, ensuring better incident response, decision-making, and continuous improvement.
  • Incident response plans and checklists. Best-practice libraries come included so organizations can easily create crisis strategies and action plans for different types of events that define the required strategy, action items, completion time targets, and people involved.
  • Critical infrastructure protection. Innovative solutions keep up with the escalating risk to key assets, assessing those risks in advance and monitoring critical facilities throughout the emergency response process.
  • Welfare checks. The solutions enable organizations to send welfare check messages to their event response staff or any other type of contact. Organizations can easily collect their replies to identify who needs assistance and prioritize follow-up actions. 
  • Crisis communications. These single systems help organizations manage complex communications, centralizing, approving, and standardizing their crisis response. These solutions provide effective communication pathways for all aspects of incident management.
  • Emergency management. These tools provide all that is needed to manage any incident effectively through the entire lifecycle of mitigation, preparedness, response, and recovery, following ISO, ICS, and other national standards. They keep your whole team following the same plans, communicating on the same platform, and viewing the same operating picture - from any place or device.
  • Incident and resource mapping. These systems come equipped with powerful mapping tools to create multilayer maps, integrating both external feeds and any information housed within the platform.
  • Operational cycle management. These systems support the battle rhythm of your response operations, understanding and tracking reporting periods.
  • Community lifeline monitoring. These systems provide executive-level insight into safety threats to the public and to staff, by regularly assessing community lifelines.

What of implementing BCMS requirements quickly? Software platforms like Noggin carry functionality for pragmatic business continuity as well as for the broader organizational resilience and critical event management use case. 

Applying ISO 22301 in addition to other industry standards, such solutions enable organizations to automate their key business continuity management functions and build and maintain well-functioning BCMSs.

What’s more, these platforms help managers and executives alike determine disruption impacts and develop plans and recovery strategies to address risks. They also scale up to any incident and back down to business as usual.

What other capabilities do they offer? Here are a few:

  • Business impact analysis. Built-in BIA tools provide a step-by-step process to identify critical activities, determine maximum periods of disruption, assess the risk and impact of disruptions, collect and document recommendations, and report across the business.
  • Find gaps easily. Collect and aggregate data to highlight any critical activities, processes, assets, and resources lacking recovery strategies, as well as untested recovery strategies that put the business at risk.
  • Monitor critical dependencies. Quickly identify dependencies between business activities and supporting assets or vendors and stay informed when one is at risk.
  • A central location for all plans. Business continuity plans, recovery strategies, and crisis response plans can all be developed, tracked, and reviewed to ensure optimal coverage.
  • Battle-test your recovery strategies. Supports tests and exercises to help business continuity and crisis teams refine and improve their response.
  • Integrated crisis and incident management. Built with crisis management principles to include response teams and embedded notifications workflows. 
  • Activities, process registers, and dependency dashboards. Get a consolidated view of all business activities, critical dependencies, or the status of BIAs to stay up to date and make better informed decisions.
  • Contact, asset, and vendor management. Manage key details of staff, contractors, customers, suppliers, regulators, and external parties. See reliant activities and related recovery strategies at-a-glance, to know which ones are potential risks to the business.
  • Monitoring dashboards. Display key information where (and when) it’s needed using flexible dashboards, analytics, and reporting that caters to stakeholders.

Finally, the threat of serious business disruption is at an all-time high. Where once business continuity and organizational resilience capabilities might have been nice-to-haves, they have now become essentials.

However, they are different practices. Understanding the nuances of each, as this guide has sought to do, is integral to staying ahead in such a volatile business environment. 

And indeed, best-practice standards ISO 22316 and ISO 22301 provide the blueprints for resilient organizations with effective business continuity management systems. Implementing these standards, along with integrated platforms such as Noggin, ensures better incident response, quicker decision making, and continuous improvement to your crisis-fighting capacity.