Resilience: Business Continuity in disguise?

Organisational resilience vs. business continuity

For many (including me), much of what is described as resilience still looks suspiciously like “warmed up” business continuity. Nevertheless, I believe that resilience is different to business continuity. I don’t see it as an alternative to business continuity; rather, there is a strong inter-relationship between the two, and they complement each other as part of an overarching framework for operational stability.

In the financial sector there are regulatory developments in this area, and they form a useful backdrop against which to differentiate what resilience is, what business continuity is and how they are related. To assist with this comparison I’m going to use the recent PWC paper “Operational resilience: How to set and test impact tolerances”. The report clarifies a number of concepts contained in the regulatory discussion paper “DP18 - Building the UK financial sector’s operational resilience”, issued by the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority. The regulators define operational resilience as: “an approach to operational risk management that includes preventative measures and the capabilities – in terms of people, processes and organisational culture – to adapt and recover when things go wrong”. This would seem to point us towards a wider perspective of managing operational impairment, above and beyond the scope of most business continuity programmes.

There are significant differences between resilience and business continuity, and they come down to the way in which potential threats to operational stability are treated:

Resilience mitigates operational impairment by:

- Strengthening infrastructure to make it less likely to fail in different circumstances

- Making infrastructure “elastic” so that it can scale up (as well as down) during periods when operational volumes may be subject to sudden, large fluctuations

- Establishing “self-repairing” capabilities so that single points of failure are removed

- Embedding the firm’s risk appetite throughout the organisation by influencing day-to-day behaviour

- Embedding resilience measures in the day-to-day operations of the firm