What Is Business Resilience?

What is the definition of business resilience?

As defined above, business resilience is the ability for the organization to recover, survive and thrive amidst disruption and demonstrate adaptability to new operating models. The term is a relatively new one, used by analyst firms and some software vendors to describe an increasingly vital discipline.

Business resilience is based on other concepts and definitions, including resilience and organizational resilience, but furthers those terms to encompass a more holistic view of resilience. For background, here are some foundational definitions from key organizations.

• The ISO 22316:2017 standard defines organizational resilience as, “The ability of an organization to absorb and adapt in a changing environment to enable it to deliver its objectives and to survive and prosper.”
• The Information Technology Infrastructure Library (ITIL) defines resilience as the ability of an organization to anticipate, prepare for, respond to and adapt to both incremental changes and sudden disruptions from an external perspective.
• According to Gartner, “Resilience is identified as a top organizational priority, accelerated by the COVID-19 pandemic. However, many organizations and industries define it differently.”

What is operational resilience?

Operational resilience is the ability to prevent, respond and quickly recover from events that have the potential to disrupt key business processes, service delivery and access to technology. It includes resilience for both digital resources (cyber resilience) as well as offline resources, such as physical security systems or facilities. A resilient business can spot early signals (from real-time data) with an aim of preventing or reducing the impact on mission-critical service delivery. Going a step further, a resilient organization will have conducted (and regularly conducts) business impact analysis and risk assessment to develop a disaster recovery plan when the inevitable business disruption does occur.

What is cyber resilience?

According to the U.S. National Institute for Standards and Technology (NIST), cyber resilience is “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks or compromises on systems that use or are enabled by cyber resources.”

You could also reasonably define it as the ability to keep core digital systems and services running, and as such it is the bedrock of any organization. However, technology leaders often face tradeoffs; staying secure and maintaining performance is hard when trying to adapt quickly to a rapidly changing landscape. Different functional teams including IT, product development and security have addressed the issue of resilience separately, creating siloed “pockets” of resilience across the organization. Leaders need a way to see across the silos and build a strong foundation of cyber resilience so the business can adapt to anything.

What is the difference between cyber resilience and digital resilience?

While cyber resilience encompasses measures such as robust cybersecurity practices, incident response capabilities and the ability to restore systems and data after an attack, digital resilience is a broader concept that encompasses not only cyber threats but also other disruptions that impact an organization's digital systems, such as system failures, natural disasters or supply chain disruptions. It includes the ability to maintain reliable digital operations, adapt to changing digital landscapes and ensure the overall resilience of an organization's digital infrastructure.

Why is business resilience important?

Security and IT decision makers struggle to balance security and performance needs with agility as they build resilience within an ever-expanding technology ecosystem. Typically, these executives are held responsible when service disruptions occur for any reason, from adverse market conditions to cyberattack to major vendor outages.

The path to business resilience requires organizations to move from being reactive to proactive in order to prevent customer-facing, revenue-sapping problems before they happen. But the next step is just as critical — moving from proactive to generative. A generative organization not only solves problems before they affect customers, but also turns challenges into opportunities and seizes new opportunities to delight customers as it protects employee safety, improves company culture, increases revenue and generally grows the business.

While some organizations are likely on a resilience journey to move from being reactive to proactive, even sophisticated organizations still face challenges with becoming generative. According to analyst firm Gartner, 70% of CEOs will mandate a culture of organizational resilience by 2025, 50% of asset-intensive organizations will expand their operational resilience initiatives and 30% of enterprises will establish new roles focused on IT resilience.

What factors affect business resilience?

Because business resilience is a relatively new discipline, it's important to not only define what it looks like, but to identify the characteristics of organizations in which it doesn’t exist. Here are some challenges to business resilience that can serve as bellwethers.

Security, IT and Development cannot keep up with threats and incidents: Teams are under a constant barrage of alerts and suffer from overwhelming ticket queues. At the same time, they must accurately and quickly interpret signals from a multitude of tools that are not designed to alert on incremental or systemic risks. To top it off, analysts and incident responders also must go into each individual point solution and perform analysis to understand what is happening in their environment. This “swivel chair syndrome” means teams lose valuable time and context as they switch between tools. These manual, disjointed workflows increase mean time to acknowledge (MTTA), mean time to detect (MTTD), mean time to respond (MTTR) and ultimately the likelihood of a threat or otherwise manageable incident inflicting more serious damage.

Organizations cannot meet customer needs when interdependent systems fail: Leaders struggle to manage the vast and interconnected technology ecosystems of today’s world, where failure in one application or system creates multiple downstream effects. Operations and underlying technology are not designed to easily pivot on the fly, or scale up and down flexibly, a problem made worse by lack of visibility. According to Gartner, “It’s hard to manage something you can’t see … yet only 47% of organizations have mapped IT dependencies for its critical activities and applications.” This negatively impacts churn, revenue and productivity; organizations face an average of $87 million per year in downtime costs from lost revenue and productivity.

Organizations struggle to continuously evolve due to technology complexity: Digital transformation continues at a relentless pace, putting even greater responsibility on security and IT leaders to meet new demands like remote work and fully digitized customer experiences. Technology executives are now expected to enable new business outcomes through digital transformation, such as scalability and flexibility from moving to the cloud. However, organizations struggle to maintain consistent security and performance in complex environments. As a result, transformation efforts may stall, keeping organizations from realizing benefits like enhanced scalability, flexibility and agility.

What is the difference between business resilience and business continuity?

Business continuity is an organization’s ability to continue to operate following a disruptive incident of any kind, be it a technology outage or a natural disaster or some other issue. The International Organization for Standardization (known by the short form ISO in all languages) has a standard, ISO 22301:2019 (Security and resilience — Business continuity) that lays out requirements for planning, implementing, operating and maintaining a documented management system to address disruptive incidents. While this is certainly a worthwhile standard for organizations to adopt, it is far more limited in scope than the larger concept of business resilience. Business continuity management is purely operational in scope, dealing with getting business operations and business processes back up and running following an incident. Business resilience is broader and more comprehensive and designed to incorporate a more holistic approach.

What is the difference between business resilience and operational risk?

Operational risk is, essentially, the risk of anything going wrong in an organization, caused by factors as disparate as bad policies to bad processes to employee theft to random acts. A poorly trained employee losing a sale can be defined as an operational risk; so can a loss of reputation due to poor customer service. The discipline known as operational risk management is designed to plan for operational risks as much as possible and minimize their impact. As such, it is an even broader category than business continuity (see above) and significantly broader and less focused on business outcomes than business resilience.

What is incremental risk?

Incremental risk includes cumulative, distinct events that can ultimately break something downstream. Individually these events typically produce signals below some threshold and do not trigger an alert on their own.

What is systematic risk?

Systematic risk includes distinct events that point to an underlying issue not evident from one indicator alone.

What are the benefits of business resilience?

An operational practice built on business resilience has significant benefits for organizations of all sizes, in both the short and long term. Some specific benefits include:

Accelerated time to detect, investigate and respond to issues: By centralizing data across tools and surfacing key risks, a resilient process empowers teams to streamline and standardize workflows to reduce mean time to acknowledge (MTTA), mean time to detect (MTTD) and mean time to respond (MTTR). Using a resilient platform, teams can expedite decision making and quickly and easily manage threats and IT issues, pre-empt incidents before any serious damage occurs and ensure SLAs/SLOs are met, regardless of the source of an issue.

Increased ability to absorb shocks to digital systems: Ideally, a resilient platform helps organizations see and act on all their data at unlimited scale, in any scenario — from managing millions of online transactions, to rapidly troubleshooting a complex environment with thousands of apps. A resilient platform provides the tools needed for organizations to minimize the impact of outages and breaches. Teams can recover and restore services faster to realize significant cost savings from reduced downtime, as well as maintain customer confidence.

Agility and flexibility in digital transformation: When organizations need to move quickly, a resilient platform allows technology to be a business-enabler, not a blocker, giving teams the data needed to safely and securely roll out and roll back changes. This agility enables organizations to transform, from modernizing applications and infrastructure to adopting radically new business models like telehealth and remote work. With a resilient platform, organizations have reimagined how they can serve stakeholders like customers and end users with digital apps for delivery, intelligent point-of-sale devices, online classrooms and more, all while staying secure and performant.

What are the challenges of business resilience?

Given the current state of the market, two key challenges with resilience emerge:

Lack of mature, overarching strategy: Many technology executives still associate resilience with basic compliance and risk management functions of business continuity planning and disaster recovery. Most organizations make no distinction between organizational resilience (a strategic imperative) and operational resilience (a tactical solution). They limit their focus in both efforts to IT-related initiatives and a few business functions.

Pockets of resilience: As organizations undergo their digital transformation efforts, they are becoming more modular, adopting microservices, cloud architecture and standardizing on different platforms. This allows them to reduce single points of failure and focus on value-added differentiation. Ultimately, modular organizations are more adaptable and can quickly pivot to deliver new services, or implement new processes that create competitive advantage. Consequently, resilience responsibilities are distributed across teams, creating “pockets” of resilience with no unified view, forcing organizations to struggle with the resulting complexity.

How do you build and grow business resilience?

Similar to popular frameworks for evaluating cybersecurity maturity, different levels of resilience maturity exist for organizations in the market. Organizations can make progress by making appropriate investments in foundational technologies, processes and people.

• Foundational visibility: These organizations have investments that allow them to see across hybrid environments with security monitoring, incident management and analytics that help teams troubleshoot.
• Prioritized actions: Businesses that have taken steps to reduce and overcome alert fatigue are able to spend more time and resources on mission-critical work, rather than putting out endless fires.
• Proactive response: Organizations that can get ahead of issues through advanced threat protection and observability practices are more resilient and adaptable to anything.
• Optimized experiences: In the end, if the customers aren’t happy, no one is. Businesses that have optimized web and mobile performance for end users and employ automated security measures are able to delight customers, build trust and protect their reputation.

What should you incorporate in a business resilience plan?

When creating a business continuity plan, there are core values that need to be included to ensure the plan provides what it promises. Here are examples of those core values that can be used to build a comprehensive plan.

End-to-end visibility: To foster resilience, teams need visibility to see in real-time across their entire environment to identify issues and know the downstream impact of any change. A resilient platform provides access to all relevant data with context, along with the tools and intelligence to stitch it together so teams can see everything and act fast. It brings together disparate data sources for a holistic view across your entire environment with the ability to surface incremental risks and systemic risks, even before an incident occurs. The platform should be data-source agnostic, with coverage that extends across on-premises and cloud infrastructure, security tools and application monitoring. Furthermore, the platform should be able to access data wherever it resides, even in third-party data sources like Amazon S3.

Rapid time to action: Whether managing a day-to-day incident, major disruption or supporting transformation, teams need to act fast to pinpoint issues and manage response. A resilient platform lets teams search, analyze and visualize log, metric and trace data at unlimited scale for granular investigations. Analysts can separate signals from the noise and overcome alert fatigue with directed troubleshooting and intelligent alerting to ensure they spend their time where needed most. Built-in orchestration and automation capabilities, enhanced by predictive artificial intelligence (AI)/machine learning (ML), enable teams to respond at machine speed and manage incidents before customers notice.

Unified security and observability: A sudden spike in traffic on a webpage could be a distributed denial-of-service (DDoS) attack in progress, a new code push with a poorly written API making too many calls, a very successful marketing campaign or simple mispricing. A unified view across security, IT and development teams helps detect these signals of disruption and identify the root cause of issues, regardless of the source. With a shared work surface that maintains context across tools, cross-functional teams can interact using the common language of the platform. Ultimately, using the same foundation allows teams to better identify opportunities for ongoing optimization so they can increase efficiency and use resilience to drive better business outcomes.

In today’s world, different tools and technologies are owned by different teams that create a massively complex ecosystem that’s impossible to hold in any one person’s head. No one can see exactly what’s going on at any given time, and that makes it hard to know what your systems can withstand or how you can go about changing them while ensuring end users enjoy the seamless, secure experience they expect.

With a resilient platform, organizations get the visibility they need so they can see everything, to act fast and adapt to anything. The end-to-end visibility allowed by a resilient platform gives you the information you need to understand the impact of any change in your environment, power rapid time-to-action with robust investigation and automation and enhance detection and collaboration across teams with a unified security and observability platform.

The concept of business resilience may be relatively new, but it’s built on solid and long-lasting fundamentals, including the concept that change is good, assuming it can be anticipated, understood and acted upon.