Understanding Business Resilience: There’s More to it Than Meets the Eye

Written by

To different people, a resilient business means different things. Some see it as an organization with watertight cybersecurity. Others think it means being well-placed to cope with unexpected disasters or economic downturns.

A truly resilient business is both of the above but also much more. Business resilience covers a wide range of areas, all of which must work together. Here, we outline these disciplines and what senior leadership teams can do to ensure all bases are covered.

Lots of Plates to Spin

Let’s start with the obvious. Most business leaders recognize the need to secure their offices or manufacturing facilities from intrusive intruders. Most also know that an effective cybersecurity policy is key (although not every organization has one).

Other areas are equally important yet more complex. A comprehensive business continuity plan (BCP) is key, as it ensures the organization suffers minimal long-term financial and reputational impact from an incident such as a cyber-attack, fire or flood. A BCP encompasses disaster recovery, crisis management and risk management strategies.

A resilient business also looks much further afield than the organization’s four walls. Monitoring supply chains is vital, as an issue with one link in the chain can cause chaos further down the line.

There are plenty of plates to spin, but businesses must consider every element to maximize resilience.

New Regulatory Requirements

Organizations must also consider tightening business resilience regulations. The UK government has proposed introducing a Resilience Statement for Public Interest Entities, replacing the existing Going Concern and Viability statement. This places greater scrutiny on companies across all sectors to improve corporate accountability, reporting and show they can cope with major business disruptions.

The term 'operational resilience’ is familiar in regulated sectors like finance, but the new Resilience Statement will make it much more mainstream. Its fundamental tenets will extend out of finance into other sectors, particularly those where there could be a high impact from a major disruption.

It is, therefore, crucial to get on top of this and be prepared when the Resilience Statement comes into play. This is particularly pertinent given the increased threats businesses face regarding cybercrime and volatile economic activity.

How to Build Lasting Resilience

Making a business truly resilient is a significant undertaking but is certainly achievable with the right approach. There are several steps organizations should be familiar with.


Identifying low-probability yet high-impact scenarios is essential. There are many real-world examples of these throughout history, such as the tsunami-driven Fukushima nuclear disaster in Japan in 2011, the eruption of Iceland’s Eyjafjallajökull volcano in 2010 or the Deepwater Horizon oil spill, also in 2010. These were considered unlikely events, but still happened and caused major damage and/or disruption.

Being familiar with the Swiss cheese model is also useful. Introduced by Professor James Reason at Manchester University in 1991, this theory refers to having multiple barriers with different mitigations in place to reduce the probability of a significant system failure occurring. 

One layer (or slice of cheese) could be a watertight physical security system that protects facilities from intruders, while another could be a comprehensive cybersecurity strategy to guard against hackers. Each layer may have its own limitations (the holes in the Swiss cheese), but the likelihood of all defenses failing at once is extremely slim.


Prevention is key, but some incidents are unavoidable. A resilient organization must also have post-incident controls in place, which perform a similar function to proactive measures but aim to reduce the impact of the disruption. 

These should include good response and recovery procedures. A robust crisis and incident management plan is a good example of a post-incident control that all companies should have.

Test, Test, Test

Any resilience measures should be tested and assessed so the business has confidence they will work. Good-quality simulations using a variety of demanding, multi-faceted scenarios will help gauge the impact on the business. Then, leaders can take action to firm things up further if needed. Plan these tests so they are not too broad and end up missing essential elements, but also so they don’t gather vast amounts of data that will be difficult to analyze properly.

Senior Leadership Involvement

Finally, senior leaders must be fully involved and committed in this process, including C-suite executives and individual heads of business functions. Only this way will resilience be taken seriously across the entire organization. Recognize the challenges and prepare well so that building a resilient business becomes much more straightforward.

What’s hot on Infosecurity Magazine?