What’s new in the updated Code of Practice for Organisational Resilience?
BS 65000:2022
The British Standards Institute has recently released an updated BS 65000. For those of you in the dark, this is the British Standard for Organisational Resilience, last released in 2014. This 2022 version is a Code of Practice, rather than a guidance document.
Hopefully you're still with me here, as this is actually a very significant publication. It's a pretty comprehensive rewrite, and has been heavily influenced by sound academic research, operational resilience regulations from the Financial Services sector, and leading industry practice. It recognises the convergence between many of the disciplines that resilience practitioners would recognise – Business Continuity, IT Service Continuity, Disaster Recovery, Crisis Management, Risk Management and more.
This Code of Practice provides oodles of excellent advice for organisations seeking to improve their resilience, and I would very firmly suggest that doing so should sit very high on every Executive's agenda. The following are the key extracts that I recommend readers take note of:
- Like the Financial Sector’s Operational Resilience regulations, which focus on important business services, the Code of Practice urges organisations to think of 'essential outcomes'. This provides a customer or end user, rather than a business activity, focus to resilience activities. How would our customers be affected if we could no longer deliver this outcome?
- It provides helpful advice on cultural approaches and considerations.
- It offers recommendations for designing resilient businesses, based on a sound understanding of how those essential outcomes are delivered.
- The 4 dimensions of resilience (readiness, responsiveness, recovery, renewal) provide greater clarity on building overall resilience, rather than just focusing on responding to a crisis. In particular, it enhances the understanding that learning and adapting ("renewal") are as key to being resilient as anything else.
One of the key contributions in my view is the renewed focus on the customer perspective. Business Continuity historically focused on business processes and activities, the production of goods and services. It didn’t review these through the customer lens. So, what is important to the customer is the ability to take money out of an ATM, or to fill one’s truck with fuel, or to make a payment, or to get home insurance. This does of course apply at the B2B level as well.
Particularly useful is a framework for a Maturity Model, offered in the Annex. Whilst this Code of Practice is not a detailed Specification for Organisational Resilience, and therefore is not aimed at certification-minded companies, the Maturity Model certainly allows companies to assess where they are and what their target might be. It’s an informative basic Maturity Model, but nonetheless allows organisations to determine whether they might be below, aligned with, or leading good practice.
- Below good practice: an example would be an organisation that suffers from excessive optimism, where the potential for disruption is denied or trivialised.
- Good practice: an example would be an organisation that is focused on the need to satisfy regulators and authorities.
- Leading practice: an example would be a company that is focused on essential outcomes and the impact on customers, end-users, other stakeholders and the wider ecosystem across the 4 dimensions of resilience.
I'll finish by stating what the Code of Practice uses to define resilience, right at the start.
Resilience is a strategic capability for an organisation. It enables an organisation to (a) prepare for and respond to disruption; (b) adapt in a timely and appropriate manner; and (c) thrive in a changing environment.
I'd highlight both 'adapt' and 'thrive' as these two words are what stand out for me as the most important attributes of a resilient organisation.