The term ‘resilience’ is used in the Preparing Scotland core document to mean ‘the capacity of an individual, community or system to adapt in order to sustain an acceptable level of function, structure and identity’. Business Resilience is this capacity or attribute of a business or other organisation. Category 1 responders that are sufficiently resilient in this sense will therefore be fulfilling their duty under the Civil Contingencies Act and Regulations to be able to ‘continue to perform his or its functions’. The approach to developing and maintaining Business Resilience recommended in this guidance is to apply the principles of Integrated Emergency Management in a business or organisational context.
Although this definition and approach may appear broad ranging, it does not imply any enlargement of the duties on Category 1 responders. Rather it is a recognition of the wider context within which these organisations exist, the other requirements they face and the existing capabilities they have. This circumspect approach allows Category 1 responders to:
- Consider the duties of the Civil Contingencies Act and Regulations in the context of other requirements, legal duties, governance arrangements, strategic objectives and issues of efficiency and good practice.
- Consider existing skills and capabilities in related areas and how these are interconnected.
- Seek effective ways to meet the requirements of Civil Contingencies legislation along with other requirements, by drawing on resources already available and seeking more integrated solutions.
An important part of this work is to utilise the methods of Business Continuity Management Systems and the expertise that exists in related specialist fields. The standard ISO 22301: Societal security – Business Continuity Management System – Requirements [9] describes Business Continuity Management as a ‘holistic management process…which provides a framework for building organisational resilience’. Although the scope and application of the framework and processes will vary between organisations, a number of common elements can be identified that are important to building Business Resilience generally [10]. The first four of these make up a cycle, comprising:
- Understanding the organisation – understanding the strategic priorities of the organisation, including key services and products; using business impact analysis to examine the effects of disruption on these, and risk assessment tools to evaluate threats; determining what is needed to recover key processes to an acceptable level.
- Deciding on a strategy – choosing from the alternative ways available to mitigate loss; deciding on how much risk and how much loss of function is acceptable in different parts of the organisation; deciding on the level of resources to commit to building resilience in light of its potential effectiveness and the importance of delivering critical functions to protect stakeholders.
- Developing capability – developing the response to disruptive challenges and the plans underpinning this, including managing activations of the response, defining roles and responsibilities, clarifying resource requirements, agreeing communications arrangements and other practical issues.
- Reviewing and maintaining Business Resilience – ensuring plans are fit for purpose and quality assured, that they are kept up-to-date as the organisation changes and that plans are exercised and new learning is incorporated.
This cycle is supported by other components:
- Managing the programme – both establishing the process and ensuring that the different parts are carried out effectively.
- Embedding resilience in the organisational culture – this stage involves raising awareness throughout the organisation and its key stakeholders, and providing training to key staff so that these activities become part of the normal operation of the organisation and the thinking of its staff.
The cycle is viewed as continuous: each of the four stages influences the next, and the outcomes of review provide a better understanding of the organisation. Although, in practice, the four stages and other components are not distinct or strictly sequential, this is often a helpful model.
This cycle will be familiar to organisations that have business continuity arrangements aligned with ISO 22301. Although accreditation to a formal published standard is not a legal requirement, the principles recommended in this guidance are consistent with ISO 22301. Organisations that are aligned with this, in its most inclusive form, will have in place many of the most important requirements necessary to fulfil their duty to be able to continue to perform their functions.
When working to develop and maintain Business Resilience by applying these processes, it is recommended that particular consideration is given to the areas where related work may be being carried out and where expertise may be available, including:
- Business Continuity Management
- Risk Management [11]
- Crisis and Communication Management
- Security Management
- Building & Facilities Management
- Information Assurance and Security
- Health, Safety and Environmental Management
[9] See ISO 22301:2012 Societal security – Business continuity management systems – Requirements at http://www.bsigroup.com/
[10] These are codified more formally in ISO 22301 and formerly in BS 25999.
[11] See ISO 31000 ‘Risk management – Principles and guidelines’ at http://shop.bsigroup.com/