Not because they never had a BCP, but because continuity was treated as a document, a lifecycle, a once-a-year test, and then forgotten.

We’ve built an industry that can produce beautiful plans and still fall apart like a fragile deck of cards the moment critical systems disappear. The gap between being “BCP compliant” and being genuinely resilient is far bigger than most boards realise.

The real blocker isn’t just apathy — it’s our own doctrine

It’s easy to blame organisational apathy. Harder to admit that some of the biggest blockers are the conceptual silos and mental models we built around our own profession.

For years, we trained people to see:

• “Business Continuity” over here

• “Resilience” somewhere else

• “Operational Resilience” as a regulatory bolt-on

each with its own language, diagrams, and owners.

The result is a professional prehistoric mindset:

• BCM taught as a linear lifecycle: Assess → Design → Implement → Test → Repeat

• Safety, security, cyber, ERM, BCM operating as separate empires

Resilience research has made this critique repeatedly: fragmentation obscures system-wide dependencies and weakens adaptive capacity (McManus et al., 2008; Linkov and Trump, 2019).

Organisations don’t fail because they lack frameworks.

They fail because frameworks are implemented in silos, rather than as integrated capability.

How “good practice” quietly hard-coded the problem

A lot of this is embedded into what we call “good practice”.

The Business Continuity Institute’s Good Practice Guidelines positioned the Business Continuity Management Lifecycle as the dominant organising doctrine, six phases from policy through analysis, design, implementation, validation and embedding (BCI, 2018).

That lifecycle model shaped a generation of continuity programmes.

But doctrine has consequences.

The COVID-19 era exposed the limits of lifecycle-and-binder continuity, particularly under prolonged disruption where adaptation mattered more than compliance (Herbane, 2019).

In response, BCI launched Good Practice Guidelines Edition 7.0, shifting away from lifecycle language toward a Business Continuity Management System (BCMS) organised around Professional Practices (BCI, 2023).

That evolution matters. But the deeper question remains:

Has practice changed… or have we simply updated the terminology?

Galaitsi et al. (2023) argue that continuity, operational resilience, and organisational resilience remain conceptually blurred in many organisations — often treated as parallel programmes rather than a unified operating capability.

The language has evolved faster than the mindset.

Good practice should be scaffolding — not scripture

Here’s the core argument:

Good practice should not be treated as restrictive scripture.
It should be scaffolding — adaptable around operational reality.

Systematic evidence supports this.

Continuity frameworks strengthen resilience only when they enhance adaptive capacity, learning, and integration with organisational performance, not when implemented as static compliance cycles (Sawalha, 2020; ScienceDirect, 2023).

When “good practice” becomes rigid doctrine, it produces audit outputs, not resilience capability.

That is how continuity becomes theatre.

From lifecycle to Resilience by Design

If we are serious about true organisational resilience, we must move beyond lifecycle continuity thinking.

Traditional doctrine asks:

• “How do we activate the plan?”

• “How fast can we restore a process to its RTO?”

Those questions matter. But alone, they keep continuity reactive, episodic, and compliance-driven.

Resilience reframes the challenge:

• Business continuity = restore priority activities within acceptable limits

• Resilience = absorb shocks, adapt, and continue delivering outcomes under sustained uncertainty

This is foundational in resilience engineering: organisations must be designed not just to recover, but to adjust dynamically as conditions degrade (Hollnagel, 2011).

That shift is what I call Resilience by Design:

• continuity becomes a continuous operational pulse

• plans sit inside decision and feedback systems

• frontline adaptation matters more than scripted recovery

ISO 22301 increasingly reinforces this system orientation: resilience is not documentation, but embedded management capability (ISO, 2019).

The cost of silos — and the cyber tunnel-vision problem

Look at how many organisations remain structured:

• HSE focused on compliance incidents

• Security focused on threats and assets

• ERM focused on registers and appetite

• IT focused on cyber risk

• BCM focused on BIAs and exercises

Each writes its playbooks in isolation.

Analyses of siloed risk management highlight predictable results: blind spots at the interfaces, competing priorities, and no coherent view of systemic fragility (Linkov and Trump, 2019).

Even within BCM, scenario work becomes narrow and fashionable.

After waves of ransomware and outages, many organisations doubled down on IT scenarios, but still failed to model long-duration operational and human consequences (InSecM, 2023).

Post-incident reviews repeat the same conclusion: plans exist, but they do not reflect how coordination actually happens under stress or how failures cascade across functions and geographies (TechTarget, 2023).

That is not an individual failing.

It is structural.

We trained people to be continuity technicians, not resilience designers.

What “embedded” actually looks like

Everyone says BCM must be “embedded”.

In practice, embedded resilience looks like:

• Design, not just for recovery. Resilience principles in how services and supply chains are built

• Integrated governance. One executive view of risk, continuity and resilience

• Routine scenario thinking. Not annual theatre, normal management conversation

• Live dependency mapping. Updated continuously, not frozen BIAs

• Psychological safety for bad news. Fragility surfaced early, not politely after disaster

High reliability research consistently shows that resilient organisations are those that institutionalise adaptation, learning, and early signal detection long before formal crisis response is required (Weick and Sutcliffe, 2015).

None of this is glamorous.

It is slow, political, and uncomfortable.

But it is the only way continuity stops being a binder on a shelf and becomes part of how the organisation operates.

The PillarsGlobal layer: resilience as an operating system

This is where most organisations stall.

They understand the critique.

They still don’t know what replaces the binder.

That gap, between theory and operational reality, is where systems like PillarsGlobal sit.

The principle is simple:

Resilience is not a document.
It is an operating structure built around sensing, decision-making, feedback, and adaptation under pressure.

PillarsGlobal is not “another framework”.

It is an interface layer connecting what continuity doctrine split apart:

• Continuity

• Crisis leadership

• Risk intelligence

• Operational learning

• Human decision-making under stress

In practice, that means moving from BCM as lifecycle…

…to resilience as a living system:

• PillarsLearn builds capability, not compliance slides

• PillarsConsult embeds expertise where fragility actually lives

• PillarsCore acts as the trigger-and-response resilience engine

• PillarsCalm reinforces the human layer, decision-making when comfort disappears

• PillarsWear builds identity, because resilience is cultural before procedural

The organisations that survive disruption are not those with the best binders.

They are the ones with the clearest systems for adapting, deciding, and holding the line.

That is resilience by design.

Where the evolution really begins

A comment I received recently tried to “elevate” my critique by polishing it into smoother buzzwords about silos and “Resilience by Design”.

It wasn’t wrong.

But rephrasing old ideas is not evolution.

Evolution begins when we:

• Stop treating lifecycles as sacred diagrams

• Use good practice as scaffolding, not scripture

• Break silos between BCM, safety, security, cyber and ERM

• Talk less about labels and more about how decisions are made under pressure

Until then, continuity will keep looking impressive on paper…

while organisations fold at the exact moment they claim to be most prepared.

The binder on the shelf is not the problem.

The mindset that created it is.

Resilience isn’t a framework you file, it’s an operating system you build, embed, and live, and that is exactly the space PillarsGlobal is designed to serve.

References

Business Continuity Institute (BCI) (2018) Good Practice Guidelines: Global Edition. Caversham: BCI.
https://www.thebci.org/static/cf455e45-b2c2-4a44-b77da7c99fd6df77/BCI-GPG-2018-Edition.pdf

Business Continuity Institute (BCI) (2023) ‘BCI Good Practice Guidelines Edition 7.0: A new focus on the BCMS’, BCI News, 6 December.
https://www.thebci.org/news/bci-gpg-edition-7-0-a-new-focus-on-the-bcms.html

Galaitsi, S., Keenan, J.M., Linkov, I. and Pescaroli, G. (2023) ‘Business continuity management, operational resilience, and organizational resilience: commonalities, distinctions, and synthesis’, International Journal of Disaster Risk Science, 14(5), pp. 713–721.
https://link.springer.com/article/10.1007/s13753-023-00494-x

Herbane, B. (2019) ‘Rethinking organisational resilience and strategic renewal in SMEs’, International Journal of Management Reviews, 21(1), pp. 1–20.
https://onlinelibrary.wiley.com/doi/10.1111/ijmr.12152

Hollnagel, E. (2011) Resilience Engineering in Practice: A Guidebook. Farnham: Ashgate.

InSecM (2023) ‘Business continuity planning in the wake of cyber incidents’, InSecM Newsletter, September.
https://insecm.ca/en/newsletter/business-continuity-planning-in-the-wake-of-cyber-incidents/

ISO (2019) ISO 22301:2019 Security and resilience — Business continuity management systems — Requirements. Geneva: ISO.
https://www.iso.org/standard/75106.html

Linkov, I. and Trump, B.D. (2019) The Science and Practice of Resilience. Cham: Springer.
https://link.springer.com/book/10.1007/978-3-030-04565-4

McManus, S., Seville, E., Vargo, J. and Brunsdon, D. (2008) ‘Facilitated process for improving organisational resilience’, Natural Hazards Review, 9(2), pp. 81–90.
https://ascelibrary.org/doi/10.1061/(ASCE)1527-6988(2008)9:2(81)

Sawalha, I.H. (2020) ‘Business continuity management: use and effectiveness in practice’, Continuity & Resilience Review, 2(2), pp. 81–97.
https://www.emerald.com/insight/content/doi/10.1108/CRR-05-2020-0016/full/html

ScienceDirect (2023) ‘Business continuity management practices: integrating organisational resilience and performance — systematic literature review’, International Journal of Disaster Risk Reduction, 91, 103690.
https://www.sciencedirect.com/science/article/pii/S2212420923006155

TechTarget (2023) ‘Real-life business continuity failures: examples to study’, SearchDisasterRecovery, 22 March.
https://www.techtarget.com/searchdisasterrecovery/tip/Real-life-business-continuity-failures-Examples-to-study

Weick, K.E. and Sutcliffe, K.M. (2015) Managing the Unexpected: Sustained Performance in a Complex World. 3rd edn. Hoboken, NJ: Wiley.