The Boardroom Needs to Know — Resilience Standards 2023

February 22nd, 2023

Resilience has become an important boardroom discussion point.  Senior leadership has begun to accept the fact that being able to recover from a disruptive event may not be enough.

It is becoming more important to adapt business operations as needed to improve the firm’s ability to recover from future events. This “adaptation” can take different forms, e.g., restructured operations, enhanced backups of mission-critical systems and data, and updates to business policies and procedures. Lessons learned from an event must help transform the business into a more adaptable and survivable organization.

To help provide guidance on achieving a more resilient organization, numerous standards, frameworks, guidance texts and other educational materials have been developed. Many standards and relevant documents have also been developed in support of the business continuity (BC), technology disaster recovery (DR), and incident response (IR) disciplines.  Each of these complements the resilience standards to be discussed.

This article will examine the most current resilience standards, frameworks and guidance, and where they can be obtained.

Resilience Standards

Standards organizations addressing resilience include the International Organization for Standardization (www.iso.org), the National Institute of Standards and Technology (www.nist.gov), the British Standards Institution (www.bsigroup.com), and ASIS International (www.asisonline.org). The following is a list of resilience standards.

ISO 22316:2017 Security and resilience – Organizational resilience – Principles and attributes

This standard provides an important starting point with a framework for understanding the attributes of a resilient organization and how to achieve it, and is designed to support both public and private sector organizations.

ISO 22336 Security and Resilience – Organizational resilience – Guidelines for resilience policy and strategy

Not yet officially published, this standard will complement ISO 22316 by providing detailed guidance on designing and formulating a resilience policy, developing strategies to achieve resilience policy goals, preparing a resilience implementation plan, and establishing a synchronized capability to improve resilience.

British Standards Institution BS 65000 (2022) Organizational Resilience – Code of Practice

The 2022 version completely updates the original 2014 release of this comprehensive and detailed standard. It includes not only guidance on planning, developing, testing, measuring and benchmarking resilient organizational activities, but also a framework and maturity model for building and validating the improvement of a resilient organization.

UK Government National Resilience Standards (2020)

Building on the 2004 Civil Contingencies Act (CCA), these standards are designed for local resilience forums (LRFs) and their first responder organizations to ensure their capabilities and overall level of readiness, and to guide continuous improvement of resilience-related practices.

NIST SP 800-34 Rev1 (2010) Contingency Planning Guide for Federal Information Systems

Regarded as one of the key standards for technology disaster recovery and resilience, this standard is widely used in both public and private sectors. It provides extensive guidance on protecting information systems from disruptive events and on increasing the resilience and survivability of those systems.

ASIS ORM.1-2017 Security and Resilience in Organizations and Their Supply Chains

While the title addresses supply chain resilience, this standard was created by consolidating two previous ASIS standards, one on organizational resilience and the other on business continuity management. The standard describes a comprehensive and systematic risk-based approach for managing risks to enhance operational sustainability, survivability and resilience, and explains how to identify opportunities for improvement.

Resilience Frameworks and Guidance

This section lists frameworks and policy and guidance documents addressing resilience.

The UK Government Resilience Framework (2022)

Also building on the UK’s established civil contingencies frameworks and practices, the Resilience Framework “builds on these strong foundations and strengthen our resilience in order to better prevent, mitigate, respond to and recover from the risks facing the nation.”[1] The Framework underscores the UK’s “whole of society” approach to resilience, and is a multi-year framework with various milestones and alignment to other UK resilience-focused strategies and guidance.

Bank of England Prudential Regulation Authority Statement of Policy – Operational Resilience (2022)

Specifically focused on the financial sector, this document puts forward a policy for operational resilience that UK financial institutions are expected to incorporate into their current continuity and resilience activities. The policy discusses the relationship between resilience and the following issues: governance, risk, business continuity and outsourcing.

Bank of England Prudential Regulation Authority Statement of Policy – Operational Resilience: Impact tolerances for important business services (2021)

This document is the result of an inquiry by the Bank of England in a 2018 Discussion Paper asking for comments on how to improve the operational resilience of firms and protect the wider financial sector and UK economy from the impact of operational disruptions. It identifies 1) important business services that must be maintained, 2) what their loss could mean to the UK finance sector, 3) levels of tolerance for disruptions that organizations must be able to accept, and 4) event scenarios that are severe but which must be survivable.

Carnegie Mellon University, Software Engineering Institute CERT Resilience Management Model, Version 1.2 (2016)

Developed by Carnegie Mellon University (CMU), this is a process improvement framework for operational resilience management. In addition to defining the detailed operational practices needed for achieving resilience, the RMM helps set goals and objectives and identify process areas and strategies an organization can deploy to adapt to and respond to business stresses.

British Standards Institution Organizational Resilience Index Report (2021)

The BSI asked several hundred business leaders worldwide how they felt they survived during the course of the COVID-19 pandemic. Among the findings in the report are 1) the need to look at the business from a holistic view, 2) the need for a greater focus on people, processes and communities, and 3) the need for a more flexible approach to recovery.

Summary

This article has briefly examined the leading standards, frameworks and guidance documents addressing resilience. The subject is typically addressed as operational resilience, organizational resilience and supply chain resilience.  Regardless of the ultimate application, the materials in this article can provide a sound background and understanding of the current thinking on resilience.  Documents listed are applicable to both public and private sector organizations.

[1] UK Government Resilience Framework, page 2

Published in Enterprise Resilience

About the Author:

Paul Kirvan, FBCI, CISA, is an independent business resilience consultant, IT auditor, and technical writer with over 35 years of experience.  Mr. Kirvan is a Fellow of the Business Continuity Institute (FBCI), a Certified Information Systems Auditor (CISA) and a member of the Resilience Association.  www.resilienceassociation.org   [email protected]
https://www.linkedin.com/in/paulkirvan/

One Comment

  1. Charlie Maclean-Bristol February 26, 2023 at 7:36 pm

    Paul, excellent article. I have already started reading some of the standards.
