When I wrote this article in 2019, I was searching for clarity. Like many of my peers, I was excited by the promise of “Organizational Resilience” but frustrated by the lack of substance behind the term. Over the past six years later I have worked to answer the questions it raised.
Everywhere I looked, I found compelling language but no clear method. I wasn’t trying to criticize the idea – I wanted to believe in it. But belief alone wasn’t enough. I needed to know how it worked.
In 2019, a survey and an article captured that inflection point: a moment when the field seemed to be pivoting toward something new, but hadn’t yet figured out how to deliver it. Looking back now, it also marked the beginning of a journey. The questions I posed then became the foundation of what would eventually become a new approach – what I now call “Control-Based Resilience”.
I’ve chosen to republish the original article in full, with only minor edits for clarity. Following it, I’ve included a brief update on how those unresolved questions led to the development of a measurable, capability-based framework that’s now been deployed at scale across multiple global organizations.
Organizational Resilience is Not a New Term
The term “Organizational Resilience” has been around for decades, but only recently began gaining traction in the Business Continuity Management (BCM) world. Like many BCM professionals, I was intrigued. People were updating their titles, renaming programs, and declaring a new era. I was tempted to join them. But before I did, I needed to understand what it actually meant – and more importantly, how to integrate it into real work.
As I soon discovered, that second part – the “how” – was surprisingly elusive.
I wasn’t alone. Others in the field were also wondering whether “resilience” had become more of a branding exercise than a meaningful shift. Despite the flurry of new terms—holistic, integrated, cultural DNA – the actual methods remained vague. Everyone was talking about transformation, but no one could show how it worked.
This led me to two questions.
First: Why were so many of us in BCM drawn to Organizational Resilience in the first place? Second: If we adopt the language of resilience, how does the work itself actually change?
Why Organizational Resilience?
The first question was easier to answer. Over the last few decades, business operations had changed dramatically – faster, always-on, globally distributed – while BCM practices largely stayed the same. Recovery plans and annual exercises hadn’t kept pace with the way real work happens. Deep down, many of us sensed that the field was falling behind. Organizational Resilience felt like a path back to relevance.
Is BCM Different Under a Resilience Framework?
The second question was harder. When I asked colleagues how BCM looked different within a resilience framework, the answers were abstract. Words like “holistic,” “embedded,” and “cross-functional” came up frequently – but when pressed for specific practices, most couldn’t articulate what had actually changed. No one could point to a concrete method. The shift was aspirational, not operational.
So I turned the question outward. I launched a short survey to peers across the field, asking three things: How confident are you in your understanding of Organizational Resilience? Does your organization practice BCM any differently under a resilience framework? And if so, how?
I received 198 responses. While not a massive sample, it offered a diverse and representative snapshot of the field. Respondents came primarily from North America (56%) and the UK (25%), with the rest spread across India (8%), APAC (4%), the Middle East (4%), and the EU (3%).
Most self-identified as experts in Business Continuity, and over half (58%) said they had received formal training in Organizational Resilience. Confidence levels were high – an average of 8.1 out of 10 overall, with UK respondents reporting the highest average confidence at 9.1 out of 10.
But when asked whether their organizations actually practiced BCM differently within a resilience framework, the answers diverged sharply: 43% said yes, 25% said no, and 32% said they didn’t know. Even among those who had formal training or reported high confidence, uncertainty was widespread. Notably, only 26% of UK respondents said BCM looked different under OR – compared to 52% of North American respondents.
An Inconsistency Among Experienced Practitioners Was Telling
I also asked for examples. The answers fell into three categories: vague references to standards and best practices, comments about structural alignment (e.g., closer ties to Risk or Cyber), and a few nods toward risk mitigation or impact prevention. But few responses pointed to changes in the actual work. The “how” remained mostly undefined.
That ambiguity was the breakthrough. It wasn’t that Organizational Resilience was a bad idea – it was that it lacked operating instructions. We had a label, not a method. We weren’t failing because the concept was flawed. We were failing because no one had built a way to deliver it at scale. And that, I realized, was the opportunity.
Six Years Later: From Questions to Practice
Since writing this piece, I’ve spent the better part of six years working to answer the questions it raised. What began as a gap – between vision and execution – eventually led to a new way of approaching operational resilience: one that prioritizes capability over documentation.
Capability vs. Documentation
The shift has been moving away from tracking documents toward measuring real capability. What follows are some of the key differences that highlight why this matters.
• Documentation shows intent; capability shows reality.
• Documentation is about producing plans; capability is about proving functions can withstand disruption.
• Documentation measures effort spent; capability measures resilience delivered.
• Documentation often satisfies auditors; capability satisfies leadership by exposing risk and guiding investment.
• Documentation is static; capability is dynamic, continuously updated as conditions change.
• Documentation is about program maturity; capability is about actual resilience maturity.
Rather than focusing on plans and templates, this approach measures how well a function or system can withstand disruption, using clear, repeatable controls across availability, responsiveness, and recoverability. From that, resilience risk becomes something measurable – not a feeling, but a gap between what’s needed and what’s currently in place.
Over time, this control-based model has been tested, refined, and implemented across a range of organizations. It’s helped teams cut through ambiguity, focus their investments, and see their resilience posture more clearly. That clarity has been the real shift – not just in methodology, but in mindset.
What started as frustration became direction. And while the search for “how” is far from over, it’s no longer abstract. We now have a foundation to build from – one that continues to evolve through practice.
Fascinating. You definitely have something there with Capability vs. Documentation. I can relate to this. We’re doing an overhaul of our BCM and using controls makes sense. Thanks for the revisit, Scott. I remember your article in 2019 as our CSO wanted to change us from BCMP to OR.