Managing Business Disruptions: Business Continuity Management versus Operational Resilience

In recent years, the conversation on Operational Resilience has gained attention across the financial world. The COVID-19 pandemic taught the industry (and the entire world, for that matter) that operational resilience has become a desirable and necessary objective for businesses. The COVID-19 pandemic is no longer with us, but a barrage of other disruptions, from severe weather conditions to geopolitical factors and economic downturns, keep bombarding organisations, resulting in varied levels of disruption.

In fact, the financial sector is now so heavily dependent on technology that the slightest disruption in technology services can have a dire impact on the industry. On 14^th March 2024, Ghana experienced an unprecedented internet disruption due to a cut in undersea fibre cables for major internet providers. This internet disruption negatively impacted financial services as many customers were unable to transact on digital platforms, which are heavily dependent on the internet. We seemed to have been sent back to the chequebook-wielding days where banking transactions could only be handled in-branch.

Now more than ever, disruptions to technology are likely to create a ripple effect across several industries, and as such, organisations must take steps to be safeguarded in such scenarios.

When it comes to managing disruptions, two key concepts—Business Continuity Management and Operational Resilience, play pivotal roles in ensuring an organisation’s survival. There is a common misconception that these key concepts are one and the same, or that one is the outcome of the other. While the similarities between these concepts cannot be overlooked, it is important to note that the two are intertwined but distinct.

Understanding the basics

Business Continuity Management (BCM):

According to the ISO 22301 standard, Business Continuity is defined as the “capability of an organisation to continue the delivery of products and services within acceptable time frames at a predefined capacity during a disruption.”

The Bank for International Settlements (BIS) in the High-Level Principles for Business Continuity (2006) describes BCM as “a whole-of-business approach that includes policies, standards, and procedures for ensuring that specified operations can be maintained or recovered in a timely fashion in the event of a disruption. Its purpose is to minimise the operational, financial, legal, reputational, and other material consequences arising from a disruption.”

This implies that BCM relates to the planning and mitigation activities to primarily ensure that critical business functions continue during and after disruptive events. The key components to note here are risk management, continuity planning, and response strategies.

Operational Resilience:

Operational resilience has been defined as the ability of an organisation to prevent, adapt, respond to, recover, and learn from operational disruptions. Operational resilience extends beyond emergency response; rather, it is proactively building capabilities to ensure that, if a disruption occurs, it does not affect your organisation in the first place. Adaptation is key to resilience, such that if a new “normal” arises from the disruption, the organisation will be able to adapt.

A classic example of adaptation was seen during the COVID-19 pandemic, when work-from-home arrangements became normal in industries with hitherto limited capability for that. Now many organisations have adopted a hybrid approach to work, having adapted to the disruption COVID-19 brought to the world.

Key Distinctions

1. While BCM focuses on response and recovery (reactive), Operational Resilience focuses on prevention, adapting and learning in addition to response and recovery (proactive).

2. BCM operates primarily during crisis conditions, while Operational Resilience spans normal operating conditions as well, ensuring adaptability even when things are running smoothly.

3. BCM prepares for specific risks, whereas Operational Resilience builds overall organisational resilience by considering many aspects of the organization to manage the risk of disruptions.

4. BCM focuses on short-term continuity, while Operational Resilience focuses on the long-term ability of the organisation to withstand disruptions.

In fact, other aspects of the organisation, such as Third-Party Risk Management, mapping of internal & external interconnections and interdependencies, should be in the scope of Operational Resilience as described in the diagram below. (Principles for operational resilience, BIS – 2012)

Conclusion

Business continuity may, at minimum, be seen as one of the tools to achieve operational resilience. Organisations must realise that operational resilience is not only about surviving but also about thriving. While many organisations may already have an established BCM process, not many have well-structured operational resilience strategies in place.

Newly introduced regulations such as the Digital Operational Resilient Act (DORA), which the European Union seeks to apply by January 2025, are proactive steps taken by regulatory bodies to ensure a resilient eco-system. This indicates the attention that national and international regulators are giving to operational resilience.

The writer is a seasoned risk management expert with over a decade’s experience in Enterprise Risk Management, Risk Modeling, Portfolio Analytics and Business Continuity Management. She is a certified ISO 22301 Senior Lead Implementer and may be reached via email at angelaopare@gmail.com.