Business Continuity Management
Published November 24, 2023
Firms today are struggling to find their bearings after years of uninterrupted crises – not just COVID-19 but concurrent emergencies, such as war in Eastern Europe, cyber threats, supply chain disruptions, staffing shortages, rising inflation, natural disasters, and more.
As companies get pushed to the brink, their senior leaders must ask, what will it take to stay ahead?
Organizational resilience and business continuity come to mind. For some, though, these fields all sound the same.
Despite crucial overlaps, organizational resilience and business continuity are distinct practices. Understanding the very real nuances between them is key to staying ahead in today’s volatile business environment.
What are the main differences?
For starters, organizational resilience is the ability of an organization to absorb change and adapt, so as to deliver on objectives, survive, and prosper. Business continuity, on the other hand, is the capability of an organization to continue the delivery of products and services within acceptable time frames at a predefined capacity during a disruption.
Organizational resilience | The ability of an organization to absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper. |
Business continuity | The capability of an organization to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption. |
The differences go on from there. Indeed, the primary distinctions are sketched out in international standards ISO 22316:2017 and ISO 22301:2019.
Providing best-practice guidance for organizational resilience and business continuity management systems (BCMS) respectively, the standards offer practical advice for firms of any size and in any industry seeking to develop plans and recovery strategies to address risk.
What do the standards say? The following guide lays out important themes in each for organizations looking to ensure better incident response, decision making, and continuous improvement.
A challenge to enhancing organizational resilience is that there is no single approach. Established management disciplines, such as business continuity, contribute to resilience. Yet they won’t, on their own, ensure an organization gets and stays resilient.
That’s because organizational resilience, as argued in ISO 22316, results from the interaction of attributes, activities, and contributions made from other technical and scientific areas of expertise – all of which are influenced by the way in which uncertainty is addressed, decisions are made and enacted, and how people work together.
To this end, the purpose of ISO 22316 is to establish the core principles for organizational resilience. The standard identifies the attributes and activities that support an organization in enhancing its resilience.
Meanwhile, ISO 22301 – the sole, high-level, international BCM standard – specifies requirements to plan, establish, implement, operate, monitor, review, maintain, and continually improve a documented management system to protect against, reduce the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents when they arise.
The standard specifies the structure and requirements for implementing and maintaining such a BCMS – one that will develop business continuity appropriate to the amount and type of impact that the organization may or may not accept following a disruption.
And just like an organization’s resilience will be influenced by a unique interaction and combination of strategic and operational factors, the outcomes of its BCMS will also be shaped by legal, regulatory, organizational, and industry requirements, products and services provided, processes employed, size and structure, and the requirements of its interested parties.
Beyond that, the biggest question ISO 22316 answers is, what are resilient organizations? They are entities that exhibit the following attributes:
Resilient organizations also feature strong leaders. More specifically, senior leaders of resilient organizations have taken the time to develop and encourage others to lead under a range of conditions and circumstances. Those conditions include periods of uncertainty and disruption.
Senior leaders of resilient organizations will have also demonstrated commitment to the following resilience enhancing activities:
Now what about attributes of well-functioning business continuity management systems? Such a BCMS will emphasize the importance of understanding the organization’s needs and the necessity for establishing business continuity policies and objectives.
It will also underline the need to operate and maintain processes, capabilities, and response structures that ensure the organization will survive disruption as well as continue to improve based on qualitative and quantitative measures.
Per ISO 22301, a BCMS, like any other management system, includes the following components:
A well-functioning BCMS also relies on the constant flow of high-quality information. Getting the right information to the right people at the right time, however, is a perennial challenge. As it turns out, it’s also a challenge to achieving organizational resilience.
That is why ISO 22301 and ISO 22316 both encourage sharing information and knowledge. ISO 22316 advocates sharing important experiences. It also recommends valuing information, knowledge, and learning – with learnings extracted from all available sources.
To make that happen, though, information must first be accessible, understandable, and adequate to support the organization’s core objectives.
That means knowledge and information must be created, retained, and applied through established systems and processes. Those processes include the sharing of relevant information in a timely manner with relevant interested parties and (then) applying it in organizational learning.
Effective business continuity management, too, depends on a thorough understanding of an organization’s internal and external needs, which comes from sharing information and knowledge. As ISO 22301 lays out, the task for business continuity professionals is to set clear boundaries for the scope of the eventual system, consonant with applicable legal and regulatory requirements.
Main components, here, include establishing and documenting the following:
Given what’s at stake, business continuity management shouldn’t be relegated to a back-office activity. It requires serious, senior management engagement. Only that level of engagement can ensure adequate BCM resourcing and staffing.
Further, senior leaders must strive to establish and document the following:
Similarly, ISO 22316 puts a high premium on engaged leaders, going so far as to identify the attributes of such leaders.
Beyond leadership engagement, both business continuity management and organizational resilience entail continually monitoring performance against predetermined criteria. The reason is to learn and improve from experience.
Continual improvement, as such, should be an organizational ethic or value. Demonstrated by a commitment to validate and continually improve resilience activities and capabilities, such an organizational culture would serve to ensure that larger, business objectives, strategies, and procedures are kept relevant and appropriate in supporting the changing needs of the organization.
How can senior leaders make that happen? ISO 22316 recommends prioritizing the following activities:
For its part, ISO 22301 calls out the necessity of internal audit programs, with components including determining and documenting arrangements for the following:
However, organizations change – so too does the business environment around them. The BCMS, as such, needs to keep up with those changes.
What’s more, business continuity teams, with sponsorship from top management, must also identify nonconformities and take corrective actions to continue to enhance the overall performance of the BCMS.
ISO 22301 accounts for this, establishing procedures for the following:
Like organizational resilience, business continuity management doesn’t happen in a vacuum. More than senior management engagement, organizations will need a stock of qualified professionals with relevant knowledge, skills, and experiences. Lower-level staff will also need to be apprised of their role in responding to incidents.
Part of those responsibilities will include establishing the following resources to support the BCMS:
Similarly, ISO 22316 advises organizations to invest in appropriate resources, such as knowledge-sharing assets, which can include people, premises, and/or technology.
Beyond that, ISO 22316 recommends resourcing the following activities:
The standard advocates more pointedly for the use of ongoing monitoring reports to track trends in data that have been used to evaluate organizational resilience.
To this end, organizations will have to confirm whether their current information management systems provide essential data to support the input required for an organization’s resilience monitoring. They also need to verify whether the output of subsequent reporting processes is sufficient to develop action plans that enhance organizational resilience.
The only problem is that not all information management systems provide such essential data to support resilience activities. Here again, top management must intervene; in this case considering the critical event management software platforms that can promote resilience.
Key capabilities to consider include the following:
What of implementing BCMS requirements quickly? Software platforms like Noggin carry functionality for pragmatic business continuity as well as for the broader organizational resilience and critical event management use case.
Applying ISO 22301 in addition to other industry standards, such solutions enable organizations to automate their key business continuity management functions and build and maintain well-functioning BCMSs.
What’s more, these platforms help managers and executives alike determine disruption impacts and develop plans and recovery strategies to address risks. They also scale up to any incident and back down to business as usual.
What other capabilities do they offer? Here are a few:
Finally, the threat of serious business disruption is at an all-time high. Where once business continuity and organizational resilience capabilities might have been nice-to-haves, they have now become essentials.
However, they are different practices. Understanding the nuances of each, as this guide has sought to do, is integral to staying ahead in such a volatile business environment.
And indeed, best-practice standards ISO 22316 and ISO 22301 provide the blueprints for resilient organizations with effective business continuity management systems. Implementing these standards, along with integrated platforms such as Noggin, ensures better incident response, quicker decision making, and continuous improvement to your crisis-fighting capacity.