Helen Molyneux comments on the Operational Resilience Report 2022, which was published recently by the BCI and asks whether the report has added to confusion in the profession about business continuity and operational resilience.
Having just read the Operational Resilience Report 2022 (1) from the BCI, I feel compelled to question some of the conclusions.
It is clear that, with the emergence of ‘resilience’ as a concept, there is a lack of clarity in the differences between organizational resilience and business continuity, and the water has been further muddied by references in recent years to a new term, ‘operational resilience’. This report could have presented an opportunity for some clarity and consistency, but in this short article, I propose that, instead, the report has created additional confusion and, in some cases, denigrated the expertise of business continuity professionals.
I will start with a short background in order to give some historical context based on my own experiences within the industry. I will then analyse some of the specific content and apparent contradictions of the report, before highlighting my conclusions and concerns.
Personal historical context
I joined the business continuity management (BCM) profession in 2001, initially as part of a local authority emergency planning role, before transferring into more BC focussed positions. I have therefore seen the transition and standardisation of the industry, from the early days of PAS 56 (2) that glorious acronym-laden document that first gave a structure to business continuity, to BS25999 (3) and, more recently, to ISO 22301 (4)(5).
I have clear recollections of discussion and debate about raising the profile of business continuity, with many voicing concerns that the title of the profession was not very alluring or ‘sexy’, and that there was a failure to gain traction with senior management. Many expressed concern that BC would never become a ‘c-suite’ role, and endeavoured to expand the scope to ensure that more senior positions could be obtained. Moreover, those in the public and third sector were keen to point out that they did not do BC, but focussed more on ‘service continuity’.
Gradually, the term ‘resilience’ became more of a feature in discussions, without ever being clearly defined within these discussions. BS25999 did broadly define resilience as ‘ability of an organization to resist being affected by an incident’. An updated definition can be found in ISO 22300 (6) as the ‘ability to absorb and adapt in a changing environment’.
The many debates around the role of business continuity within an organization led to some to call for a wider input into more general business resilience, such as reacting to market changes, and beyond those ‘catastrophic’ events that were generally considered for BC planning purposes. This, personally, always seemed a little beyond the scope of a business continuity role, and stepping into the role that would traditionally be covered by, for example, CFOs and COOs, the majority of whom I could safely suggest would have a greater experience at dealing with, for example, swings in the markets. However, the concept of 'organizational resilience' was formed and with it, naturally, another standard (7).
Organizational resilience has been defined within ISO 22316 (7), and is clearly quite distinct from business continuity management. In this article, therefore, I do not propose to look at the content and context of organizational resilience. Instead, I intend more to look at what has appeared to become more prevalent terminology, without actually being defined…'operational resilience'. The use of the term appears to be largely led by the finance sector, in particular the Financial Conduct Authority (FCA) in the UK, and this is acknowledged in the BCI report. However, as is also recognised by the report, there is no agreed definition for this concept.
Have the BCI got it wrong?
The Executive Director of the Business Continuity Institute suggests in the report that operational resilience is separate to business continuity, concluding that ‘most commonly the Chief Operations Officer, is responsible for championing operational resilience programmes, the implementation and day-to-day management of operational resilience frequently falls on the shoulders of the Head of Business Continuity. This has inevitably led to some confusion; “operational resilience is just business continuity done well” was a sentence often repeated by respondents over the course of this project. As a result, this report seeks to define the very real difference between the two interlinked resilience methodologies.’ This blatant disregard for the experience of some survey respondents is surprising.
If we break down some different aspects of the report’s findings, this article will demonstrate that ‘business continuity done well’ is, indeed, effective operational resilience.
The report suggests that ‘business continuity focuses around getting processes back up and running in an agreed timescale. Operational resilience centres around the principle of having to get a process up and running before it causes intolerable harm to the business, its customers or its peers.’ Perhaps the authors should consider the definition of business continuity within ISO 22301: the ‘capability of an organization to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption’. Or, indeed, the definition within the BCI’s own Good Practice Guide, which states that business continuity is ‘A holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.’ Note that this makes specific mention of stakeholders, defined as ‘person or organization that can affect, be affected by, or perceive itself to be affected by a decision or activity. EXAMPLE Customers, owners, personnel, providers, bankers, regulators, unions, partners or society that can include competitors or opposing pressure groups’, a definition which, I think, covers customers and peers, as well as others.
Fundamental to any business continuity programme is ‘Understanding the needs and expectations of interested parties’, whereby an organization needs to identify the interested parties that are relevant to the business continuity management system (BCMS), and the relevant requirements of these interested parties. This is clearly demonstrated in ISO 22313, which depicts the relationship in Figure 4 in that document.
Time and again, the standards and guidance documents make reference to stakeholder requirements and expectations, and the need for these to be taken into account.
The BCI report gives a quote from an operational resilience consultant, who states that “Business continuity is about how quickly you want to have a process back up and running, whereas operational resilience is how quickly must that service be back. And it’s a different question.”
This shows staggering naivety, and it is very surprising that the BCI chooses to list this quotation within one of their own surveys. The report states that ‘Some 17.1% of respondents believe there is no need for an operational resilience programme within their organization as “business continuity is all that they need.” When you consider this rises to 25.0% when looking at responses from the financial sector alone, this is even more alarming. Indeed, the opinion that operational resilience is “business continuity done well” is one subscribed to by many resilience professionals’. Perhaps the authors of the report should consider that these respondents are BC professionals who have a level of experience within their field.
I am not sure for what reason the BCI appear to be being led by the FCA as seems apparent throughout the report, but it is worth reflecting on some of my own experiences within the BC profession.
As far back as 2008, we illustrated the difference between disaster recovery and BC, showing the following slide to a client as part of a training session:
Here, it is clear that, almost 15 years ago, business continuity was focussed on customer interests. This same focus has been promulgated by BC practitioners time and again.
Another example could be the business impact analysis (BIA) looking at impacts on the customer. Thus a BIA with a pharma client, for example, required our clients to revaluate their top 10 product list to develop one from a patient criticality perspective as well as from a profit perspective. Or the printing company that knows that it has clients that come under the Civil Contingencies Act 2004 and therefore have specific requirements around continuity of supply. Or the manufacturer of printers who split customers into different groups dependent on their specific time-critical supplies.
The consultant quoted earlier simply does not seem to understand that to know how quickly you want to have a process back up and running, you need to understand how soon your various stakeholders require that service or product.
Another aspect of the report’s comments on staff awareness, highlighting ‘interviewees reporting knowledge of operational resilience simply was not there in the organization. With operational resilience still a new concept however, even the experts in the field believe that this knowledge can only come once the regulators have learned themselves what best practice is’. Given that there are relatively few regulated industries, it is difficult to see how there can be widespread awareness of operational resilience at this point particularly, as highlighted in the report, ‘Operational resilience means different things to different sectors and also companies within the different sectors’, and that there is no single definition of this concept’.
The BCI report suggests that ‘the Board and, most commonly, The Chief Operations Officer is most likely to have overall accountability for operational resilience, although other board level members are responsible in some organizations’, whilst ‘Business continuity is most likely to take the day-to-day lead on operational resilience, particularly in organizations without a dedicated operational resilience team’.
Taking aside the fact that most organizations simply will not have the resources or staff to have two teams working on identical work, the ISO 22301 requirements include top management demonstrating leadership and commitment, whilst being able to delegate roles, responsibilities, and authorities. The BCI’s own guidance (8) suggests ‘assigning a member of top management overall accountability for business continuity and its effectiveness’, whilst allocating roles and responsibilities based on competency.
So where does this lead us?
Significant mention is made of the FCA approach to operational resilience and business continuity within the recent BCI report, with a surprising amount of deference to the FCA approach. Having worked with a start-up challenger bank, it is obvious that the guidelines and requirements are causing duplication of effort and, possibly, the creation of yet more siloed thinking. Despite demonstrating that an effective approach to business continuity completely mapped into the operational resilience requirements, the bank simply did not have the confidence to merge the approach, and insisted on maintaining a separate set of documentation to satisfy the requirements for operational resilience, thus creating needless duplication, and increased likelihood of errors, and a lack of joined up thinking leading, possibly, to a reduction in resilience.
It saddens me to see the business continuity profession’s institute adopting an approach which seems to separate business continuity and operational resilience. Surely, they should be taking account of those practitioners who ‘do business continuity well’, and recognising that business continuity is operational resilience, just under another name. Possibly a ‘sexier’ name, and it certainly seems to have gained traction in some industries. However, I am sure that those practitioners who debated name changes all those years ago did not envisage that this could lead to a schism in the industry, and accusations that business continuity is basically an internally focussed and retrograde approach.
Helen Molyneux is Director, Cambridge Risk Solutions Ltd.
A response from the BCI
“At the BCI, we welcome healthy debate and discussion around our reports – this is what shapes the industry and is the key to industry progression. We would, however, like to highlight that the findings of this report are not the opinions of the BCI but rather conclusions drawn from 335 survey respondents, nine industry experts, and 20 hours of interviews with members. We would also like to encourage attendance at launch events and webinars – this is the opportunity for such opinions to be voiced and discussed.”
Make a comment
If you would like to make your own comment about this article please email email@example.com
- Operational Resilience Report 2022: BCI report
- PAS 56:2003 Guide to Business Continuity Management
- BS25999:2006 Business Continuity Management Part 1 Code of Practice and Part 2: Specification
- ISO 22301: 2012 Social Security – Business Continuity Management Systems - Requirements
- ISO 22301: 2019 Security and Resilience - Business Continuity Management Systems - Requirements
- ISO 22300: 2021 Security and Resilience - Vocabulary