
In our other blogs we have outlined what business continuity and operational resilience are as individual methodologies. Here we are going to look in more detail at the differences, and how they can be combined to improve resilience outcomes.
The History
Business continuity practices have evolved over the past fifty years, as organisations have grown more complex. However, the implementation of business continuity management has tended to focus on the recovery of internal processes, with plans typically addressing specific risks such as the loss of a building or IT system.
The financial sector has been innovative with business continuity practices, using legislation and standards to make business continuity management a core activity. However, this innovation did not enable the sector to effectively prevent, adapt to, respond to, recover from and learn from incidents such as the 2008 financial crisis and several high-profile IT-related business continuity incidents.
As a result of the impact these incidents had on customers and the sector, along with the outcomes of a Treasury Select Committee inquiry, the UK financial services supervisory authorities now view business continuity management alone as insufficient to ensure the continuity of important business services during disruption.
While acknowledging that business continuity management continues to be key for recovery, the sector is now implementing an additional layer of resilience: operational resilience.
So, is it one or the other now?
The simple answer is no.
Business continuity provides the foundational data and processes to enable resilient outcomes. Business continuity strategies and plans focus on scenarios where core business functions are disrupted, with testing and exercising validating recovery capabilities within defined organisational timeframes and capacity.
Every organisation should have business continuity management in place as a baseline, to ensure the continuity and recovery of products and services.
Operational resilience adds a layer of data to specific business activities: important business services. These are services that, if disrupted, could cause an intolerable level of harm to customers, the organisation, the sector or wider society. It builds on business continuity to offer another level of protection, through the embedding of resilience by design.
Operational resilience focuses on anticipating, mitigating, and managing vulnerabilities or gaps in the operations of important business services. Its goal is to prevent intolerable harm by embedding resilience across technology, third-party suppliers, facilities, data and people resources.
Operational resilience testing and exercising includes the outcomes of business continuity testing, but extends scenarios beyond recovery time objectives (RTO) and maximum tolerable periods of disruption (MTPD). It focuses on complex and prolonged disruptions, explores when business contingency strategies may not be adequate to prevent intolerable harm or risk to the safety and soundness of the organisation or sector, and offers insight into the investment necessary to close resilience gaps.
How do we combine Business Continuity and Operational Resilience?
Business continuity is a key component of operational resilience. Including it in your operational resilience framework can provide data to support many aspects of operational resilience implementation and validation, such as:
- Criticality assessments of business processes,
- Identifying and mapping important business services,
- Defining and justifying impact tolerances,
- Developing severe but plausible scenarios.
Operational resilience is then able to build on this data to integrate resilience into the organisation’s overall strategy, corporate planning and investment, driving better long-term resilience outcomes by:
- Increasing awareness of the level of impact a disruption to services can have on customers, the organisation, the sector and wider society,
- Providing insights into the design and operational dependencies of important business services, to identify resilience gaps or vulnerabilities that can be addressed to mitigate harm,
- Strengthening preparation for complex disruption scenarios.
What impact will a joint approach have?
While business continuity and operational resilience each offer a different resilience focus, their integration can lead to more robust strategies for managing disruptions. Combining the methodologies ensures not only recovery but also the proactive prevention of significant harm, helping organisations adapt to increasingly complex and prolonged disruptions. Here are a few examples of the impact a joint approach could have on:
- Individual Organisations: A combined approach allows organisations to recover quickly, prioritise resilience investments, enhance stakeholder confidence, and increase adaptability in the face of disruptions.
- Company Groups or Sectors: It enables better coordination across organisations, identification of shared risks, and validation of interdependent contingency plans. It also supports cross-sector collaboration and innovation to build broader resilience.
- Wider Society: By minimising disruption to critical services, operational resilience protects jobs, reduces the impact of systemic failures, and builds public trust in the ability of organisations to recover.
If your organisation would like support with implementing, combining or maturing your business continuity and resilience programme, Rule28 can help.
To learn more about our services and discuss your requirements, visit: www.rule28.co.uk