Defense in Depth: True Resilience Requires Business Continuity and Operational Resilience

Among the organizations we work with, the emergence of operational resilience (OR) has created an interesting division, with some swerving hard toward OR and others doubling down on traditional business continuity (BC). In fact, staying safe in the contemporary threat landscape requires a judicious blend of both approaches.

[Related: “Beyond BC: An Always-On World Requires Operational Resilience”]

The Rise of Operational Resilience

Over the past few years, operational resilience has moved from a niche regulatory idea to a global imperative. Originally developed by financial regulators in the UK and Singapore, OR began as a means to ensure that critical financial services could withstand unexpected shocks, and has since gained traction far beyond the banking sector. 

Now, organizations across industries are being pushed to ensure that their key services can continue, even if supporting systems, vendors, or people go down. This shift, a response to rising customer expectations and increasing global uncertainty, goes a step beyond traditional BC.

While BC is about recovery, OR is about continuity through disruption. 

BC identifies critical systems and processes and prepares recovery plans to restore them after an incident. OR asks, how do we ensure that these essential services continue to run even during an incident?

The Great Divide: Business Continuity Loyalists vs. Operational Resilience Converts

It’s early days yet, but our experience suggests that most organizations still know little about operational resilience—and what they do know, they don’t care for. 

Many organizations are still fixated on creating a traditional BC program (think BIAs, recovery plans, and mock disaster exercises). These folks go on as if the world is unchanged from what it was like 25 years ago.

On the flip side are those people who only want to talk about resilience (hardening their systems to try to achieve an always-on capability). There aren’t as many in this camp, but if anything, they are even more passionate than the BC loyalists. They want to do such a great job at OR that their companies are essentially bulletproof.  

We admire their ambition but are obliged to tell them that, no matter how much they harden their operations, there is no way they can ensure they will never experience a disruption.

The fact is, in today’s landscape, the threats and risks organizations face are diverse and multidimensional. BC and OR each excel at protecting against different things. To be fully protected and to have a defense in depth, organizations need a judicious blend of both approaches.

Why We Still Need Business Continuity

Some people in the operational resilience camp like to say that BC is outdated. Here’s the reality: you can’t plan for everything. No matter how resilient your systems are, there will be times when something breaks unexpectedly or in a way you never anticipated.

That’s where business continuity earns its keep.

When a disruption overwhelms your defenses, a tested, well-documented continuity plan becomes your lifeline. Whether it’s a ransomware attack, a regional blackout, or a pandemic that halts operations, BC provides workarounds and recovery paths to keep your business running smoothly.

In a world that’s becoming more unpredictable by the week, BC isn’t optional—it’s your last line of defense.

Why We Also Need Operational Resilience

At the same time, the nature of risk has changed. It’s no longer enough to rely on reactive recovery plans. 

Customer expectations are too high. They don’t just want services to return eventually; they want them to continue working, regardless of the circumstances.

Meanwhile, the global situation is more unstable than it’s been in decades, and the weather has never been so extreme. And the far-flung, hyperconnected nature of today’s economy means that even remote disruptions can cause shockwaves at home.

This is the world OR is built for. It focuses on hardening systems, removing single points of failure, and designing fallback options in advance. It’s about resilience at the infrastructure, people, and process levels. That could mean creating redundancy in your networks, building workforce cross-training, or maintaining multiple suppliers for key inputs.

Discover the best operational resilience tools here.

Real-Life Example: A Golf-Products Company

I recently had a personal experience that drove home the current shaky state of some companies’ grasp of operational resilience. 

Those of you who know me will know that I am passionate about playing golf. I recently ordered a training aid to help me sharpen my putting. It was supposed to come last week, but instead of the device, I received a note from the company president saying it wouldn’t be delivered for two more weeks due to a hitch in their supply chain. 

My disappointment and annoyance weren’t quite strong enough to get me to cancel the order, but they might have been. The company’s cavalier attitude toward supply-chain resilience is a risky one to hold in this day and age. 

A truly resilient company would have had tripwires in place: early warning systems, alternate plans, and the ability to keep customers satisfied, even if a vendor stumbles.

This is the kind of forward-looking thinking OR brings to the table. And in today’s world, it’s indispensable.

The Case for Defense in Depth

A mature resilience strategy doesn’t choose between business continuity and operational resilience—it builds with both. When integrated thoughtfully, BC and OR form a layered defense: one that reduces the likelihood of disruption while also ensuring a robust response when disruption does occur.

This is the principle of defense in depth. Don’t rely on a single layer of protection. Deploy multiple, overlapping safeguards that can catch what others miss.

Operational resilience focuses on designing strength into your operations. It aims to prevent failure by eliminating single points of failure, diversifying suppliers, building workforce flexibility, and anticipating cascading impacts across systems and services. It’s about asking: How do we ensure this service stays available, no matter what?

Business continuity offers a disciplined and tested approach to responding when prevention is insufficient. It gives you a structured playbook for restoring operations, communicating during crises, and minimizing harm. It doesn’t assume you’ll never be hit—it ensures you can recover when you are.

Together, these approaches reinforce each other. OR helps reduce the likelihood that your critical services go down. BC helps reduce the impact when they do. That’s true defense in depth: minimizing both the frequency and the severity of disruptions.

By combining these disciplines, organizations create a resilient posture that is more than the sum of its parts—one that is ready not only to recover but to endure.

A Unified Path to Resilience

In an era of rising complexity and volatility, relying solely on one approach—whether business continuity or operational resilience—is no longer sufficient. BC and OR protect against different but equally critical failure modes, and organizations that want to thrive need both.

A program that blends the two doesn’t just help you recover from disruption—it helps you prevent it. This is the essence of defense in depth: layering protective strategies so that when one fails, another stands ready.

At MHA Consulting, we’ve helped organizations across industries find the right balance between BC and OR, tailoring programs that match their risk profiles and operational realities.

Get in touch if your organization is ready to adopt a more integrated and resilient approach to minimizing disruptions and accelerating recovery.