Disaster Recovery Journal Winter 2024
ated standards across both operational and strategic layers, the primary role of the CCO and his team of BC professionals is coordination and facilitation with functional leaders. They are not expected to know everything about each function. Their role is akin to advocating for COVID-19 vaccination: while it may not guarantee 100% immunity, it ensures recovery is faster and more manageable if an infection occurs. What more value does a resilience leader provide that a CCO cannot?
BCM Vs Resilience: A Critical Assessment
BCM is often seen as inward-looking and reactive, focused on surviving and restarting after a major disruption. In contrast, resilience is viewed as proactive and integrated, focusing on building organizational capabilities to withstand external stresses. However, ISO 22301 emphasizes both proactive and reactive measures, showing that BCM is not just about recovery but also about preparation. Clause 7.3 (awareness) emphasizes that individuals working under the organization’s control shall be aware of their roles and responsibilities before, during and after disruptions. Clause 8.3.1 specifies that, based on the outputs from the business impact analysis (BIA) and risk assessment, the organization shall identify and select business continuity strategies that consider options for before, during and after disruption.
The inherent idea of developing a business continuity plan is proactive. This plan is not just about having a fire extinguisher for our business but also about putting additional proactive measures in place, like smoke alarms, sprinklers, regular fire drills, testing fire doors, using fire-resistant materials, fire escapes and adherence to fire codes and regulations. It involves equipping the organization with the necessary tools and strategies to manage disruptions effectively, both in advance and in response to actual events.
Resilience proponents argue BCM professionals focus too narrowly on common risks, while resilience experts take a broader, enterprise-wide view. However, BCM professionals are not restricted from assessing risks comprehensively, as evidenced by ISO’s recent inclusion of climate change concerns in certifications. More specifically, Clause 4.1 of ISO 22301 now suggests that organizations “determine whether climate change is a relevant issue” while a note under Clause 4.2 suggests, “relevant interested parties can have requirements related to climate change.” BCM has metrics like BIA, recovery time objective (RTO), recovery point objective, and minimum tolerable period of disruption, while resilience has its own, like service impact analysis, technology impact analysis and impact tolerance. Despite the different terminologies, the fundamental approach and methodology for both are quite similar. An effective way to gauge the maturity of resilience efforts is by observing the gradual reduction in RTOs over time, reflecting improvements in your recovery strategies and overall resilience capabilities.
Let’s now discuss another aspect: testing and exercising in BCMS, or stress testing in resilience. Often, we have seen businesses give a go-ahead to conduct a tabletop exercise as it doesn’t involve much expenditure and effort. While tabletop exercises are valuable for discussing scenarios and strategies, they are not always comprehensive. A realistic way of assessing an organization’s documented BIA and recovery strategies is to go for a full simulation exercise or war-game involving actual physical movement. More mature organizations involve key third-party dependencies in these exercises to make a joint effort to protect and prepare against disruptions. Businesses that shy away from these due to budget or time constraints are neglecting an essential aspect of the continuity health check. If leadership is not fully committed to BCMS or the CCO struggles to convince the board of the need for these exercises, the issue lies again with the execution and commitment rather than the intrinsic value of the BCM discipline.
Regulatory Push Behind Resilience Visibility
The growing emphasis on organizational resilience is driven by recent regulatory pressures, especially on financial institutions in various geographies. Those institutions must not only recover from disruptions but also maintain operational integrity under stress. Regulators such as the Bank of England, the Central Bank of Ireland, OSFI Canada, RBI’s Guidance Note on Operational Resilience and Risk Management, and the European Union’s Digital Operational Resilience Act (DORA) have introduced comprehensive frameworks that require financial institutions to enhance their BCM, DR, cybersecurity, and resilience measures. Certainly, those mandates can also be emulated in other sectors; however, the answer to who will do it is not necessarily CReO. It has been led by leaders with functional specialization, supported by BCM professionals, to ensure continuity in their operational strategy.
Re-branding or Reinforcement?
The ISO 22301:2019 standard is titled “Security & Resilience.” The definition of security as per ISO/TC 292 is “State of being free from danger or threats where procedures are followed or after taking appropriate measures.” Resilience, as per the definition for ISO/TC 292, is the ability of an organization to prevent, or resist being affected by an event or the ability to return to an acceptable level of performance in an acceptable period after being affected by an event. Everything is there in the standard which encompasses resilience, and it’s time to follow it in true letter and spirit.
Ultimately, resilience is not a replacement for BCM. It is an aspirational state, an ongoing journey supported by BCM as one of its most crucial enablers. If resilience is BCM done well or BCM re-branded or BCM 2.0, then it’s time to return to the BCM holy grail to understand it in its entirety and upskill ourselves for agility.
Maitreya Buddha Samantaray, MBCI, CBCP, serves as vice president in strategic risk consulting at Marsh Advisory, based in New Delhi, India. With more than 15 years of professional experience in crisis management, business continuity, and resilience engagements, his insights are rooted in extensive industry expertise. The views expressed in this article are solely his own and do not reflect the opinions or positions of his organization.