By Marcus Allen
Director, Thamer James Ltd
Management Consultants

For many years, organisations have associated resilience with business continuity planning.

If a Business Continuity Management System (BCMS) was in place, recovery plans had been documented and exercises had been completed, organisations often considered themselves resilient.

Today, that assumption is changing.

Increasingly, Boards, regulators and senior leaders recognise that whilst business continuity remains an essential discipline, organisational resilience extends far beyond the ability to recover from disruption.

This broader perspective is reflected in ISO 22316 – Security and Resilience – Organisational Resilience, which provides guidance on developing organisations that can anticipate, prepare for, respond to and adapt to change in an increasingly uncertain world.

Business continuity remains an important component of resilience.

It is simply not the whole picture.

Business Continuity Focuses on Recovery

Business continuity has a clearly defined purpose.

It helps organisations maintain critical products and services during disruption and recover operations within agreed timescales.

A well-developed BCMS enables organisations to:

→ Identify critical activities.

→ Assess business impacts.

→ Develop recovery strategies.

→ Prepare response procedures.

→ Test recovery arrangements.

→ Improve preparedness.

Standards such as ISO 22301 have transformed the way organisations prepare for operational disruption.

However, business continuity primarily addresses how an organisation responds once disruption has occurred.

Organisational resilience begins much earlier.

Resilience Is About Adaptation

ISO 22316 encourages organisations to think differently.

Rather than concentrating solely on recovery, resilient organisations continuously develop the capability to adapt before, during and after disruption.

They recognise uncertainty as part of normal business rather than an exceptional event.

This requires organisations to strengthen areas including:

→ Leadership.

→ Governance.

→ Culture.

→ Organisational learning.

→ Innovation.

→ Decision-making.

→ Risk awareness.

→ Adaptability.

→ Stakeholder relationships.

These capabilities influence how effectively an organisation responds when circumstances change unexpectedly.

Recovery is only one outcome of resilience.

Adaptability is equally important.

Resilience Starts With Leadership

One of the strongest messages within ISO 22316 is that resilience cannot be delegated entirely to operational teams.

It begins with leadership.

Boards and executive teams establish organisational priorities, determine risk appetite and shape organisational culture.

Leaders influence whether organisations:

→ Encourage innovation.

→ Learn from mistakes.

→ Invest in preparedness.

→ Develop future capability.

→ Support collaboration.

→ Respond positively to change.

Without leadership commitment, resilience initiatives often become isolated projects rather than embedded organisational capabilities.

Governance Supports Resilience

Good governance provides direction.

Resilience provides adaptability.

The two disciplines complement one another.

Governance helps organisations understand:

→ Strategic risks.

→ Stakeholder expectations.

→ Organisational objectives.

→ Accountability.

→ Long-term sustainability.

Resilience enables organisations to continue achieving those objectives despite disruption.

Increasingly, Boards are recognising that resilience should be considered alongside governance rather than separately.

This is one reason many organisations are exploring both ISO 37000 and ISO 22316 together.

Organisational Culture Matters

Business continuity plans can be written.

Technology can be recovered.

Facilities can be restored.

Culture is much more difficult to rebuild.

ISO 22316 recognises that resilient organisations possess cultures characterised by:

→ Trust.

→ Collaboration.

→ Openness.

→ Learning.

→ Accountability.

→ Adaptability.

Employees understand how to respond to uncertainty.

Knowledge is shared.

Innovation is encouraged.

Problems are escalated early.

These cultural characteristics often determine whether organisations recover quickly or struggle during disruption.

Learning Is a Key Characteristic

Many organisations review incidents only after significant failures.

Resilient organisations learn continuously.

Every exercise.

Every near miss.

Every operational issue.

Every customer complaint.

Every supplier disruption.

Each event provides valuable learning opportunities.

ISO 22316 encourages organisations to develop systems that capture experience and convert it into organisational improvement.

Learning strengthens resilience over time.

Building Adaptive Capability

One of the defining features of organisational resilience is adaptability.

Markets evolve.

Technology changes.

Customer expectations develop.

Regulations expand.

Economic conditions fluctuate.

Organisations that cannot adapt gradually become vulnerable.

Adaptive organisations typically demonstrate:

→ Flexible leadership.

→ Responsive decision-making.

→ Continuous innovation.

→ Strong stakeholder relationships.

→ Effective communication.

→ Strategic awareness.

These capabilities help organisations respond confidently to uncertainty rather than simply reacting when disruption occurs.

Resilience Supports Sustainable Success

One misconception is that resilience exists solely to protect organisations during crises.

In reality, resilience contributes directly to long-term performance.

Resilient organisations often experience:

→ Greater stakeholder confidence.

→ Faster recovery.

→ Better decision-making.

→ Higher employee engagement.

→ Improved customer trust.

→ Stronger organisational reputation.

Resilience therefore creates value even during periods of stability.

It supports sustainable success rather than merely protecting against failure.

Measuring Resilience

Unlike business continuity, resilience cannot always be measured through recovery times alone.

Organisations should also consider:

→ Leadership capability.

→ Governance maturity.

→ Organisational culture.

→ Adaptability.

→ Decision-making effectiveness.

→ Dependency management.

→ Stakeholder confidence.

→ Continuous improvement.

These broader indicators provide a more complete understanding of organisational resilience.

Many organisations are now undertaking resilience maturity assessments to identify strengths and improvement opportunities against ISO 22316 principles.

Looking Beyond Plans

Business continuity plans remain essential.

They provide structured arrangements for responding to operational disruption.

However, plans alone cannot create resilience.

True resilience exists when an organisation possesses the capability to anticipate change, adapt effectively, recover efficiently and continue delivering value regardless of external circumstances.

This is the central message of ISO 22316.

It encourages organisations to move beyond preparing for disruption and instead develop resilience as an organisational capability embedded within leadership, governance, culture and everyday operations.

Conclusion

Business continuity and organisational resilience are closely connected, but they are not the same.

Business continuity focuses on recovering critical activities.

Organisational resilience focuses on ensuring the organisation can survive, adapt and prosper in an increasingly uncertain environment.

ISO 22316 provides organisations with a valuable framework for strengthening that capability.

As uncertainty continues to grow across every sector, resilience is becoming one of the defining characteristics of successful organisations.

Those organisations that invest in resilience today will be better equipped not only to recover from disruption but also to seize opportunities, build stakeholder confidence and achieve sustainable long-term success.

Because ultimately, resilient organisations do not simply survive change.

They learn from it, adapt to it and emerge stronger because of it.

Marcus Allen
Director | Thamer James Ltd
Management Consultants

Master's Degree in Management Learning and Change – University of Bristol
Diploma in Governance, Risk and Compliance (GRC) – International Compliance Association (ICA)
Member, BSI G/01 Governance Committee

📧 [email protected]

Thamer James Ltd
Governance • Resilience • Business Continuity • Risk Management

#ISO22316 #OrganisationalResilience #BusinessContinuity #ISO22301 #OperationalResilience #Governance #Leadership #RiskManagement #BusinessResilience #CrisisManagement #GRC #CorporateGovernance #Resilience #ContinuityPlanning #ThamerJamesLtd