Disaster Recovery Journal Spring 2025

Since the introduction of ISO 22301 in 2012, best practices for business continuity have remained largely unchanged. However, global operational resilience mandates have introduced new expectations, raising the bar for overall resilience. This report helps resilience professionals benchmark their programs, build a business case for improvements, and understand how resilience expectations are evolving.

Compliance Mandates Drive the Transformation of Resilience

Forrester has partnered with the Disaster Recovery Journal to field annual market studies on various topics related to business continuity and disaster recovery, to gather data for company comparisons and benchmarking, and to publish best practices and recommendations. This year's study focused on resilience. With the number of worldwide operational resilience mandates already in force or coming into force soon, programs will need to move from plan-based loss scenarios tested to be severe to plausible scenarios tested and backed with detailed IT maps of critical/important services. This is the aspiration many BC programs always had but never realized due to lack of funding, organizational support, or business priority. Consider the following:

• Compliance forces action. Since ISO 22301 was introduced in 2012 as a standard for business continuity management systems, few other standards for resilience have emerged with the same levels of adoption. Recently, a spate of worldwide mandates for operational resilience has emerged, such as the EU Digital Operational Resilience Act (DORA), the Bank of England Prudential Regulation Authority Statement of Policy on Operational Resilience (PRA Op Res), and the Australian Prudential Regulation Authority's Prudential Standard CPS 230: Operational Risk Management (APRA Op Res). These are either already in effect or will be shortly. Today, these mandates are required only for financial institutions, but adoption is growing as other industries recognize and adopt the best practices to maintain the operation of IT in support of critical/important services (see Figure 1).

• Organizations target operational resilience or business resilience goals. We separated the objectives of resilience programs into business continuity, operational resilience, and business resilience. BC programs focus primarily on creating, maintaining, and testing BC plans in preparation for an incident. Operational resilience programs focus primarily on efforts to ensure critical/important digital services (including those provided by third parties) are maintained throughout an incident. Business resilience programs focus on the planning and preparation undertaken by an organization to ensure critical/important business functions can continue during and after an incident, including all digital and nondigital processes, such as workarounds for processes, employees, and manufacturing considerations. Today, 46% of respondents primarily work in business continuity, but an inspiring 22% work in an operational resilience program, and another 32% work in a business resilience program.

• Transformation will take time. Even 24 months out, organizations are still planning to achieve operational resilience compliance. For example, only 3% of respondents claim APRA Op Res compliance today, but an additional 4% desire compliance in 24 months. The 50 respondents who either are compliant or want to comply within this two-year time horizon will have complied with an average of just over two operational resilience mandates.

