Download Latest Version Demo.zip (267.6 kB)
Email in envelope

Get an email when there's a new version of Open Resilience

Home
Name Modified Size InfoDownloads / Week
README.md 2026-06-01 39.5 kB
0
Open Resilience Setup 1.0.0.exe 2026-05-08 104.7 MB
0
Demo.zip 2026-04-30 267.6 kB
0
open-resilience---community.zip 2026-04-30 25.2 MB
0
tsconfig.json 2026-04-30 542 Bytes
0
Totals: 5 Items   130.2 MB 0

Open Resilience — v3

Business Continuity & Disaster Recovery Management Platform
Built for SMEs and mid-market organisations who need enterprise-grade BCM without enterprise-grade complexity or cost.

Table of Contents

  1. What is Open Resilience?
  2. Tech Stack
  3. Quick Start
  4. Feature Modules
  5. Architecture
  6. Security
  7. Integrations
  8. Roles & Permissions
  9. Competitor Landscape
  10. What We Have vs Competitors
  11. Gap Analysis — What's Missing
  12. Roadmap Priorities
  13. Deployment
  14. Environment Variables
  15. Licence & Whitelabel

What is Open Resilience?

Open Resilience is a full-stack BCM/BCDR SaaS platform that helps organisations plan for, respond to, and recover from disruptive events. It covers the complete ISO 22301 / NIST SP 800-34 lifecycle:

Plan → Do → Check → Act

It is designed to replace spreadsheet-based BCM programmes and to compete with mid-market BCM platforms at a fraction of the cost, while offering features (Digital Twin, AI Copilot, Predictive Risk, Active Directory sync, MS Teams integration) that most competitors charge premium add-on fees for.

Tech Stack

Layer Technology
Frontend React 19, TypeScript, Vite 6, Tailwind CSS, HashRouter
Backend Node.js 18+, Express 5
Database MySQL 8 (31 tables, company-tenanted)
Auth JWT (HS256), bcrypt, localStorage token
AI External AI API via /ai route
Hosting Any Node-capable host (cPanel, VPS, Docker)
File serving Static dist/ folder via Express

Frontend Structure

/components      — Reusable UI components, modals, icons
/pages           — Full-page route components
/context         — React context providers (auth, BIA, IT, docs, etc.)
/data            — Static seed data and mock data
/services        — API client (api.ts)
/types.ts        — Shared TypeScript type definitions
/constants.tsx   — Navigation groups and route definitions

Backend Structure

/backend
  /db            — MySQL connection pool + seed script
  /middleware    — JWT auth middleware, role guards
  /routes        — One file per domain (auth, bia, risks, incidents, etc.)
  /services      — teamsService.js (MS Teams Adaptive Cards)
  server.js      — Express app, route registration, rate limiting

Quick Start

Prerequisites

  • Node.js 18+
  • MySQL 8
  • npm 9+

1. Clone & Install

git clone <repo>
cd open-resilienceV3

# Frontend deps
npm install

# Backend deps
cd backend && npm install && cd ..

2. Configure Environment

# Backend
cp backend/.env.example backend/.env
# Edit backend/.env — set JWT_SECRET, DB_*, AD_ENCRYPTION_KEY

# Frontend
cp .env.example .env
# Set VITE_API_URL=http://localhost:3001

3. Seed & Start

# Start backend (seeds DB on first run)
cd backend && node server.js

# Start frontend dev server
npm run dev

4. Default Login

Role Email Password
Super Admin admin@openresilience.com password
Admin admin@demo.com password
User user@demo.com password

⚠️ All seed accounts prompt for a password change on first login.

Feature Modules

🧭 Plan

Module Description Nav
Resilience Overview Executive dashboard — risk score, open incidents, upcoming tests, BIA completion /
Response Role Mapping Assign individuals to BCM roles (Crisis Manager, IT Lead, Comms, etc.) with contact details /assignments
Team Structure Org chart of BCM teams with contact trees /teams
Continuity Framework Phase-based framework tracker (Prepare → Respond → Recover → Restore) /framework
Reference Materials Policy library, standards, templates, links /resources

🔧 Do

Module Description Nav
Recovery Documents Upload, version, and manage BCP/DRP/IT recovery plans with AI-assisted authoring /documents
IT Service Continuity ITSCM module: IT services, dependencies, RTO/RPO targets, backup strategies /itscm
DR Test Planner Full DR test lifecycle — plan, schedule, run, capture results, report /dr-tests
Declare an Incident Command Center — declare a live incident, activate response plan, RTO/RPO live tracker (RAG), scenario playbooks (Cyber, IT Outage, Natural Disaster, Power, Pandemic), SitRep /command-center
Live Notifications Real-time alert feed for incidents, tasks, and risk changes /notify
DR Readiness Assessment Questionnaire-based DR maturity scoring /dr-assessment
Digital Twin Visual map of your IT infrastructure with real-time status and dependency chains /digital-twin

🧐 Check

Module Description Nav
Business Impact Analysis Full BIA wizard per business unit — MTD, RTO, RPO, dependency mapping /bia
Risk Register Risk catalogue with likelihood × impact matrix, treatment plans, ownership /risk-register
Compliance Dashboard Framework compliance tracking (ISO 22301, NIST, DORA, SOC 2) /compliance
Vendor Risk Reports Third-party / supplier risk scoring and contract tracking /third-party-risk
Change Impact Insights Analyse the resilience impact of proposed IT or business changes /change-impact-analysis
Predictive Risk Insights AI-powered trend analysis and risk forecasting /predictive-analysis
Audit Logs & Reviews Full activity audit trail with filtering and export /audits
System Telemetry HA cluster health, replication lag, node status /telemetry

🔄 Act

Module Description Nav
Governance Settings BCM roles, strategies, review schedules, policy ownership /governance
Preparedness Training Training library + Awareness Campaigns tab — plan, schedule, and track BCM comms to staff (channel, reach, completion rate) /training
IT Security Dashboard 29-question self-assessment producing a security posture score /it-security-dashboard
Resilience Roadmap Feature and initiative roadmap tied to resilience maturity /roadmap

📊 Reports

Module Description Nav
Executive Board Report One-page board pack — BCM maturity score, risk posture RAG, BIA coverage, DR test pass rate, document compliance, printable /executive-report
BCM Programme Calendar Unified calendar pulling document review dates, DR tests, and governance assessments — click any day for detail; overdue items highlighted /programme-calendar
Recovery Resources Physical/virtual recovery resource inventory — hot sites, work areas, generators, cloud environments; contract expiry tracking, allocation status, contact quick-reference /recovery-resources

⚙️ Settings

Module Description Nav
Settings Data management (BUs, IT assets, scenarios, vendors) + Active Directory + MS Teams config /settings
User Management Invite users, assign roles, reset passwords, deactivate accounts /user-management
Automation & Connectors Webhook management, outbound integrations /integrations

Architecture

Multi-tenancy

Every table includes a companyId column. All queries are scoped to req.user.companyId. A superadmin can switch between companies; an admin sees only their own company.

Navigation Views

The sidebar offers two views, persisted per-browser in localStorage:

View Modules shown Best for
Standard 13 core modules covering daily BCM workflow Day-to-day practitioners, new users
Advanced All 30+ modules across all groups Power users, consultants, implementers

Standard view modules: Resilience Overview, Response Role Mapping, Team Structure, Recovery Documents, IT Service Continuity, DR Test Planner, Declare an Incident, Business Impact Analysis, Risk Register, Compliance Dashboard, Executive Board Report, Programme Calendar, Settings.

AI Copilot

The AI Copilot widget is available on every page. It can:

  • Draft BCP/DRP sections from context
  • Summarise open risks
  • Suggest recovery strategies
  • Answer BCM methodology questions

Security

Control Implementation
JWT auth HS256, secret enforced at startup in production (process.exit(1) if unset)
Password hashing bcrypt (cost factor 10)
Rate limiting 20 login attempts / 15 min per IP (express-rate-limit)
First-login flow All seed accounts force password change on first login
Setup route Disabled by default; requires ENABLE_SETUP_ROUTE=true + non-production env
AD bind password AES-256-CBC encrypted with AD_ENCRYPTION_KEY; base64 fallback with warning
Role guards requireAuth, requireAdmin, requireSuperAdmin middleware per route
CORS Whitelist-only, credentials mode

Integrations

Microsoft Teams (Built-in)

Configure Incoming Webhooks per event channel. Events that trigger Teams notifications:

Event Teams Channel Trigger
Incident declared #incident POST /incidents
Critical/High risk added #risk POST /risks (score ≥ 15 or level Critical/High)
New task assigned #assignment POST /assignments
DR test scheduled #drtest POST /dr-tests

Supports single webhook (all events → one channel) or per-channel routing.
Configure in Settings → Microsoft Teams.

Active Directory / LDAP

Full LDAP integration for corporate AD environments:

  • Configure LDAP URL, Base DN, bind credentials (AES-256-CBC encrypted at rest)
  • Test connection before saving
  • Sync & preview org structure (users + OUs)
  • Selective import: system login users, notification address book, Business Units
  • Attribute mapping (sAMAccountName, mail, displayName, department, telephoneNumber, title)

Configure in Settings → Active Directory.

Roles & Permissions

Action user admin superadmin
View dashboards
Edit BIA / risks / documents
Declare incidents
Manage users
Configure integrations (AD, Teams)
Switch between companies
Add / remove companies
Access data management (seed data)

Competitor Landscape

The BCM/BCDR software market is dominated by a small number of established vendors targeting enterprise customers at high price points. Open Resilience targets the under-served mid-market — organisations too large for spreadsheets but priced out of enterprise BCM tools.

Primary Competitors

1. Fusion Risk Management

Profile: Enterprise SaaS BCM platform, Salesforce-native.
Strengths: Deep BIA, supply chain risk, program management, executive reporting, Salesforce ecosystem.
Target: Fortune 1000, financial services, healthcare.
Pricing: ~$50,000–$200,000+/year.

2. Riskonnect BCM

Profile: Enterprise GRC + BCM suite with insurance/claims integration.
Strengths: Integrated risk-to-BC linkage, insurance management, claims tracking.
Target: Enterprise, insurance, financial services.
Pricing: Custom enterprise pricing.

3. Castellan Solutions (formerly Sungard AS)

Profile: Pure-play BCM SaaS with structured programme management.
Strengths: Plan templates library, tabletop exercise tools, plan acknowledgement workflows.
Target: Mid-market to enterprise.
Pricing: ~$20,000–$80,000/year.

4. ServiceNow BCM

Profile: BCM module within the ServiceNow platform.
Strengths: Native CMDB/ITSM integration, change management linkage, enterprise workflow.
Target: Existing ServiceNow customers.
Pricing: Expensive add-on to existing ServiceNow licence.

5. Archer Business Resiliency

Profile: RSA Archer GRC platform's BC module.
Strengths: Deep GRC integration, regulatory reporting, policy management.
Target: Large enterprise, regulated industries.
Pricing: $100,000+/year.

6. BC in the Cloud (BCITC)

Profile: Mid-market BCM SaaS, strong in APAC.
Strengths: Affordable, ISO 22301 aligned, APRA CPS 232 templates, plan review reminders.
Target: Mid-market, government, utilities.
Pricing: ~$5,000–$30,000/year. ← Most direct competitor

7. Noggin

Profile: Crisis management and emergency response platform.
Strengths: Real-time multi-user crisis ops centre, mass notification, mobile-first.
Target: Critical infrastructure, government, utilities.
Pricing: ~$15,000–$60,000/year.

8. Quantivate BC

Profile: GRC + BCM mid-market SaaS.
Strengths: Affordable, plan authoring, vendor risk, regulatory tracking, vendor portal.
Target: Mid-market financial services, healthcare.
Pricing: ~$8,000–$40,000/year.

9. RecoveryPlanner (rp.X)

Profile: Mid-market BC + DR SaaS.
Strengths: Structured DR plan authoring, recovery task automation, BIA.
Target: Mid-market IT-heavy organisations.
Pricing: ~$10,000–$50,000/year.

10. Everbridge

Profile: Mass notification + critical event management.
Strengths: Global SMS/email/voice blast, staff welfare check-ins, geo-alerting.
Target: Enterprise, government, healthcare.
Pricing: ~$30,000–$150,000+/year.

11. LogicGate Risk Cloud

Profile: No-code GRC + risk platform.
Strengths: Highly configurable workflows, process risk management, audit management.
Target: Mid-to-large enterprise.
Pricing: ~$20,000–$80,000/year.

12. Resolver BCM

Profile: Incident + risk management with BCM module.
Strengths: Incident workflow, post-incident review (PIR), security incident + BCM linkage.
Target: Mid-market to enterprise.
Pricing: ~$15,000–$60,000/year.

What We Have vs Competitors

Feature Open Resilience Fusion Castellan ServiceNow BC in Cloud Noggin Quantivate
BIA (full wizard per BU)
DR Test Planner
Incident Command Center
Risk Register
Document Management
IT Service Continuity (ITSCM)
Vendor / Third-Party Risk
Compliance Dashboard
Digital Twin (IT visual map) ⚠️
AI Copilot / Predictive Risk ⚠️
MS Teams Integration ⚠️ ⚠️
Active Directory / LDAP
IT Security Self-Assessment
Preparedness Training
Audit Logs
Change Impact Analysis ⚠️
Multi-tenant / White-label
Affordable mid-market pricing ⚠️ ⚠️
SSO / SAML
Executive Board Reports
Plan Acknowledgement
Post-Incident Review (PIR) ⚠️
Mass Notification (SMS)
Tabletop Exercise Module
Plan Review Reminders
RTO/RPO Live Tracking
Incident Playbooks
Recovery Resource Mgmt
Awareness Campaigns
KRI/KPI Trend Dashboard
Programme Calendar
Mobile App

✅ = Full feature ⚠️ = Partial / add-on ❌ = Not present

Gap Analysis — What's Missing

Features ranked by competitive priority (frequency in buying criteria and competitor prevalence).

Legend: Items marked ✅ BUILT have been implemented natively in v3. Remaining items are open priorities.

🔴 Critical Gaps — Deal-breakers for enterprise sales

1. Single Sign-On (SSO) — SAML 2.0 / OAuth2 / OIDC

Found in: Fusion, ServiceNow, Riskonnect, Castellan, Noggin, LogicGate, Resolver, Quantivate
Why it matters: Every enterprise IT procurement checklist requires SSO. Without it, IT security teams will veto the purchase outright. Needed for Okta, Azure AD, Google Workspace, Ping Identity.
Implementation path: passport-saml + IdP metadata upload UI in Settings.

2. ✅ BUILT — Executive Board Report

Found in: Fusion, Riskonnect, Castellan, BC in Cloud, Quantivate, RecoveryPlanner
Status: Live at /executive-report. Includes overall BCM programme score gauge, sub-scores for maturity/BIA/DR tests/document compliance, risk posture RAG breakdown, self-assessment table, print-to-PDF button. Data is pulled live from all existing modules.
Remaining: Browser print produces a PDF but a dedicated puppeteer-generated PDF with custom branding would be more polished for board packs.

3. Plan Acknowledgement / Attestation

Found in: Fusion, Castellan, BC in Cloud, Quantivate, RecoveryPlanner, Archer
Why it matters: Regulators (APRA CPS 232, FCA, PRA, ISO 22301 clause 7.3) require documented proof that plan holders have read and acknowledged current plans. Without this, companies fail BCM audits. Competitors call this "Plan Attestation".
Implementation path: Add acknowledgements[] to documents — each containing userId, acknowledgedAt, version. Email reminder flow. Acknowledgement completion rate shown on dashboard.

4. Post-Incident Review (PIR) / After Action Review

Found in: Resolver, Fusion, Castellan, Noggin, Riskonnect, RecoveryPlanner
Why it matters: ISO 22301 clause 9.1 mandates post-event evaluation. Currently incidents can be closed but there's no structured PIR with root cause analysis, timeline reconstruction, lessons learned, and follow-up action items. Auditors specifically look for PIR evidence.
Implementation path: Add PIR sub-form to incidents: root cause category, 5-WHY, timeline, lessons learned, corrective actions (linked to /assignments), PIR approver sign-off.

🟠 High-Value Gaps — Significant competitive disadvantage without them

5. Automated Plan Review Reminders & Maintenance Scheduling

Found in: Fusion, Castellan, BC in Cloud, Quantivate, RecoveryPlanner, Archer
Why it matters: BCM plans decay quickly. ISO 22301 requires annual review. Competitors auto-schedule review cycles, email plan owners, and track completion rate. Currently plans can go stale silently.
Implementation path: Add reviewFrequencyDays + nextReviewDate + reviewOwnerId to documents. Cron job sends email reminders. Review completion tracked on dashboard.

6. Tabletop Exercise Management

Found in: Castellan, Fusion, BC in Cloud, RecoveryPlanner, Noggin
Why it matters: DR Tests cover technical recovery. Tabletop exercises test the human/process response — executives walk through a scenario, decisions are recorded, gaps identified. This is a different module to DR Test Planner and is expected by ISO 22301 clause 8.5.
Implementation path: Scenario library, exercise session wizard (date, facilitator, participants, scenario), checklist of injects/discussion points, decisions log, findings and actions, assessment scoring.

7. ✅ BUILT — RTO/RPO Live Tracking During Incidents

Found in: Fusion, ServiceNow, RecoveryPlanner, Castellan
Status: Live in the Command Center. When an incident is active, a full-width panel shows all critical/high BIA processes with elapsed time vs their RTO target, RAG-coded (Green → within target, Amber → 75%+ used, Red → breached). Auto-refreshes every minute.
Remaining: Auto-trigger a Teams notification when an RTO is breached.

8. Mass Notification / Crisis Communications

Found in: Noggin, Everbridge, Resolver, Fusion
Why it matters: MS Teams handles internal IT teams. During a real incident, you need to reach staff, customers, and stakeholders via SMS and email blasts — including people without Teams. Currently there's no way to do this from within OR.
Implementation path: Integrate Twilio (SMS) + SendGrid (email). Contact lists by group/location/role. Delivery tracking (sent/delivered/failed). Two-way: recipients can reply "SAFE" or "NEED HELP".

9. Supply Chain / N-tier Dependency Mapping

Found in: Fusion, Riskonnect, ServiceNow
Why it matters: Major BCM failures cascade from tier-2 or tier-3 suppliers. Currently OR's Vendor Risk module is flat — one tier of suppliers. Real supply chain risk requires mapping supplier→supplier relationships and visualising cascade effects.
Implementation path: Add parentVendorId to vendors table. Visual dependency graph (D3.js force layout). Impact propagation calculator.

10. Regulatory Report Templates (DORA, APRA CPS 232, FCA, NIST 800-34)

Found in: Riskonnect, Archer, BC in Cloud, Quantivate
Why it matters: DORA (EU Digital Operational Resilience Act) took effect January 2025 and applies to all financial entities operating in the EU. APRA CPS 232 is mandatory in Australia. FCA PS21/3 applies to UK financial services. Without templates, regulated customers must map data manually — and they won't buy a tool that makes their job harder.
Implementation path: Pre-built report templates that pull from existing modules (BIA, risks, tests, incidents) and format output to regulatory clause structure.

🟡 Medium-Value Gaps — Frequently requested, differentiating

11. Document Version Control & Approval Workflow

Found in: Fusion, Castellan, Quantivate, RecoveryPlanner
Why it matters: BCM plans must go through draft → peer review → management approval → published lifecycle. Version history allows rollback. Approval signatures provide audit evidence. Currently OR documents can be edited freely without a formal workflow.
Implementation path: Add status (draft/in-review/approved/superseded), version (semver), reviewerId, approverId, approvedAt to documents. Reviewer/approver email notifications. Lock approved versions from editing.

12. ITSM Integration (ServiceNow / Jira / PagerDuty)

Found in: Fusion, ServiceNow (native), Castellan, Resolver
Why it matters: IT teams live in ServiceNow or Jira. Bi-directional sync means IT incidents auto-create OR incidents; OR assignments sync back as Jira tickets. Without this, OR becomes a second system IT teams ignore.
Implementation path: Inbound webhook receiver (/webhooks/servicenow, /webhooks/jira). Outbound task creation via REST API. Configuration UI in Automation & Connectors.

13. ✅ BUILT — KRI/KPI Resilience Trend Dashboard

Found in: Fusion, Riskonnect, Quantivate
Status: Live on the main Dashboard — 4 KRI cards (Open High/Critical Risks, Document Compliance %, Critical Process Coverage %, Assessment Completion %) with SVG sparklines showing trend from baseline to today. All figures derived live from existing module data.
Remaining: Persist monthly snapshots to the database so sparklines show real historical data rather than interpolated trends.

14. Notification Escalation Paths

Found in: Everbridge, Noggin, Castellan
Why it matters: If primary contact doesn't acknowledge an alert within 15 minutes, automatically escalate to their backup. Currently OR sends notifications but has no escalation chain or acknowledgement confirmation.
Implementation path: Add escalateTo, escalateAfterMinutes, acknowledgedAt to notifications. Scheduled re-notify job checks for un-acknowledged alerts.

15. Workforce / Staff Welfare Check-in

Found in: Everbridge, Noggin, Resolver
Why it matters: During major incidents (fire, flood, cyber attack), HR and security need to confirm staff are safe and available. A "Are you safe?" push to all staff with response tracking is standard in crisis management platforms.
Implementation path: Bulk notification to all staff contacts. Response tokens (safe/unsafe/need-help) in SMS/email reply. Real-time response dashboard.

16. ✅ BUILT — Incident Playbooks

Found in: Resolver, Noggin, Fusion, Castellan
Status: Live in the Command Center right-panel during an active incident. 5 pre-loaded scenario playbooks with role-assigned task checklists: Cyber/Ransomware (10 tasks), IT Outage (8 tasks), Natural Disaster/Evacuation (8 tasks), Power Outage (7 tasks), Pandemic/Health Crisis (7 tasks). Per-task checkbox with live completion progress bar.
Remaining: Custom playbook builder (user-defined templates). Auto-select playbook based on incident type declared in the wizard. 72-hour GDPR/POPIA notification countdown for cyber incidents.

🟢 Lower-Priority Gaps — Nice-to-have

17. Mobile Application (iOS / Android)

Found in: Noggin, Everbridge, Fusion, Resolver
Why it matters: Responders need plan access, task acknowledgement, and incident logging on mobile during an actual event.
Implementation path: React Native or PWA with offline caching of current plans and contact lists.

18. Vendor / Supplier Self-Service Portal

Found in: Fusion, Riskonnect, Quantivate
Why it matters: Vendors complete a BCM questionnaire and upload their own BCP directly. Creates an audit trail without manual chasing.
Implementation path: Separate portal login for external users (not internal JWT auth). Questionnaire builder. Document upload. Review workflow for internal team.

19. Geo-Risk / Hazard Proximity Mapping

Found in: Fusion, Noggin, Everbridge
Why it matters: Visual map of company sites overlaid with hazard data (flood zones, seismic risk, hurricane paths). Quantifies location risk in BIA automatically.
Implementation path: Mapbox/Leaflet + hazard data API (FEMA, Copernicus, Tomorrow.io). Site geocoding. Risk radius visualisation.

20. Multi-Language Support

Found in: Fusion, Noggin, ServiceNow
Why it matters: Multinational BCM programmes need local-language plans and interfaces.
Implementation path: i18next. Priority languages: Spanish, French, German, Portuguese (Brazil).

21. Insurance & Business Interruption Loss Tracking

Found in: Riskonnect
Why it matters: Link incidents to insurance policies. Track estimated business interruption loss. Generate claims documentation.

22. Audit-Ready Compliance Evidence Export ("Audit Pack")

Found in: Castellan, BC in Cloud, Quantivate
Why it matters: One-click export of all audit evidence (test results, plan reviews, risk treatments, incident logs, acknowledgements) mapped to ISO 22301 clauses. Removes hours of manual assembly before each audit.

🔵 Confirmed by Competitor Research — Additional Gaps

The following gaps were identified through detailed competitive research across all 13 platforms above and are not covered anywhere in the current application.

23. ✅ BUILT — Recovery Resource Management

Found in: Castellan, RecoveryPlanner, Noggin, CURA, BC in Cloud
Status: Live at /recovery-resources. Full inventory CRUD — resource types include Hot Site, Warm Site, Cold Site, Work Area, Mobile Recovery Unit, Cloud Environment, Generator/Power, Network/Connectivity. Fields: name, type, location, capacity, provider, contract expiry (with 90-day warning), contact name/phone, status (Available/In Use/Reserved/Under Maintenance/Decommissioned), allocated-to, notes. Admin-only write access. Contact quick-reference panel. Backend stored in companies.integrations.recoveryResources.
Remaining: Reservation request flow during live incidents; Command Center integration showing real-time availability during activation.

24. BCM Program Maturity Assessment

Found in: Fusion, Castellan, CURA, Riskonnect, Archer
Why it matters: The IT Security Dashboard gives an IT posture score — but there's no equivalent for the overall BCM programme. A maturity assessment scored against ISO 22301 / BCI GPG across governance, BIA quality, plan coverage, testing frequency, and awareness is what BCM program managers use to justify budget and communicate progress to the board. Distinct from the IT security assessment.
Implementation path: 50-question self-assessment across 6 BCM domains. Weighted scoring → 0–5 maturity level. Radar chart output. Track score over time (quarterly snapshots). Export to PDF for board pack.

25. Scenario Modelling / What-If Impact Simulation

Found in: Fusion (most advanced), Riskonnect, Archer, LogicGate
Why it matters: "What if our primary data centre goes offline for 72 hours?" — A scenario modeller propagates that disruption through the dependency model and automatically shows: which processes breach RTO, which downstream services are impacted, which vendors are involved, and estimated financial exposure. Currently this analysis is done manually in spreadsheets before every exercise. Software-driven simulation compresses exercise prep from weeks to hours and enables board-level scenario reporting.
Implementation path: Scenario builder (select disrupted asset/process + duration). Propagate through BIA dependency chains. Output: affected processes × RTO breach status × estimated revenue at risk.

26. Conference Bridge / Virtual War Room Auto-Launch

Found in: Everbridge, ServiceNow (Live Continuity Workspace), Noggin, Fusion
Why it matters: The most critical bottleneck in the first minutes of an incident is getting the right people on a call. If coordinators must declare the incident, then separately create a Teams/Zoom meeting, find participant contacts, and send invitations — valuable time is lost. Auto-launching a bridge when an incident is declared cuts 5–15 minutes from time-to-team-assembled. Multiple competitors added this after it was the #1 piece of customer feedback following real activations.
Implementation path: On incident creation, call Microsoft Teams /meetings API (or Zoom API) to create a meeting. Post the link to the Teams #incident channel automatically. Log the bridge URL in the incident record.

27. HR System Integration — Automatic Roster Sync

Found in: Everbridge, Riskonnect, ServiceNow, Fusion
Why it matters: Contact data is the single most maintenance-intensive part of any BCM programme. People change roles, phone numbers, and leave constantly. Manually updating BCM contact records is a full-time burden — and outdated contacts are the #1 cause of notification failures during real activations. Auto-sync from Workday, BambooHR, or SAP SuccessFactors eliminates this entirely.
Implementation path: SCIM 2.0 endpoint (most HRIS support this). Or direct Workday/BambooHR REST API. Nightly sync of name, role, department, manager, mobile, email into OR users + notifyUsers. Conflict detection for changed records.

28. ✅ BUILT — Awareness Campaign Management

Found in: CURA, RecoveryPlanner, Castellan, BC in Cloud
Status: Live under /training (Awareness Campaigns tab). Campaign builder with: title, description, channel (Email/Teams/Intranet/Poster/Webinar), target audience, start/end dates, owner, status (Planned/Active/Completed/Cancelled), reach estimate, completion count, and completion rate progress bar. CRUD modal. Summary stats cards at top. Distinct from the Training Library tab.
Remaining: Actual email/Teams delivery integration so campaigns can be triggered from within the platform rather than manually tracked.

29. Situation Report (SitRep) as a Structured Module

Found in: Noggin, Everbridge, ServiceNow, Resolver
Why it matters: The Command Center currently captures a narrative SitRep field. A proper SitRep module produces structured, timestamped reports at defined intervals (e.g., every 2 hours) capturing current situation, actions taken, resources deployed, next steps, and open issues — automatically assembling a chronological incident log. Regulators and lawyers reviewing an incident response look for SitReps as primary evidence of organisational awareness and decision-making.
Implementation path: SitRep template (time, situation, actions taken, resources, next steps, open issues). Each submission timestamped and locked (immutable). Chronological log displayed in Command Center. Export as Word/PDF for post-incident debrief.

30. Vendor Resilience Questionnaire Automation

Found in: Riskonnect, Quantivate, Fusion, Archer, LogicGate, Resolver
Why it matters: The Vendor Risk module currently tracks vendors in a static register. Regulators (DORA, FFIEC, APRA CPS 230) now expect organisations to actively verify vendor resilience on a recurring cycle — not just record that vendors are critical. Automated questionnaire dispatch → vendor completes online → responses scored → low scorers flagged → evidence retained.
Implementation path: Questionnaire template builder. Scheduled dispatch (annual/semi-annual) with automated reminders. Vendor-facing response portal (no login required — token link). Scoring engine. Overdue + score-drop alerting. Feeds into Vendor Risk module score.

Roadmap Priorities

Based on the gap analysis, the recommended development sequence to close the most impactful competitive gaps.

✅ = Completed · 🔄 = In Progress · ⬜ = Planned

Phase 1 — Enterprise Readiness (0–3 months)

Status Feature Why Now
SSO / SAML 2.0 Removes procurement blockers
Executive Board Report Board presentation, audit evidence
Plan Acknowledgement / Attestation Satisfies ISO 22301 §7.3, regulator audits
Structured PIR (Post-Incident Review) Satisfies ISO 22301 §9.1, AI draft exists

Phase 2 — Retention & Stickiness (3–6 months)

Status Feature Why Now
Automated Plan Review Reminders Keeps data fresh, builds daily habit
Document Approval Workflow Formal version control for audits
RTO/RPO Live Tracking in Command Center High-incident-day value
Tabletop Exercise Management Differentiates from IT-only DR tools
KRI/KPI Trend Dashboard Proves ROI to board
Escalation Paths for notifications Completes the comms loop
BCM Programme Calendar Maintenance scheduling, overdue tracking
Awareness Campaign Management ISO 22301 §7.3 compliance evidence
Recovery Resource Inventory ISO 22301 §8.4 compliance
Incident Playbooks (5 scenarios) Accelerates response for most common events

Phase 3 — Market Expansion (6–12 months)

Status Feature Why Now
DORA / APRA Regulatory Templates Opens EU + APAC regulated markets
Mass Notification / SMS (Twilio) Competes with Everbridge/Noggin
ITSM Integration (ServiceNow / Jira) Removes IT-team adoption barrier
Workforce Welfare Check-in Completes mass incident response story
SitRep as structured timestamped module Regulatory / legal evidence standard
Vendor Resilience Questionnaire Automation DORA, FFIEC, APRA CPS 230 requirement

Phase 4 — Premium Tier

Status Feature
Mobile App (PWA / React Native)
Vendor Self-Service Portal
Supply Chain N-tier Dependency Mapping
Geo-Risk / Hazard Proximity Mapping
Insurance & BI Loss Tracking
Scenario Modelling / What-If Impact Simulation
Audit-Ready Evidence Export Pack

Deployment

Standard VPS / cPanel

# 1. Build frontend
npm run build
# Serve dist/ via Express static or Nginx

# 2. Backend — PM2 recommended
npm install -g pm2
cd backend
pm2 start server.js --name open-resilience-api
pm2 save
pm2 startup

Environment Validation

The backend refuses to start in production if JWT_SECRET is not set:

[FATAL] JWT_SECRET environment variable is not set. Refusing to start in production.

Required Ports

Service Default Port
Frontend (dev) 5173
Backend API 3001
MySQL 3306

Environment Variables

Backend (backend/.env)

# ── Database ──────────────────────────────────────────
DB_HOST=localhost
DB_PORT=3306
DB_USER=your_db_user
DB_PASSWORD=your_db_password
DB_NAME=open_resilience

# ── Auth — REQUIRED in production ────────────────────
JWT_SECRET=your-minimum-32-char-secret-here

# ── Active Directory encryption ───────────────────────
# 32-byte hex key for AES-256-CBC (generate with: openssl rand -hex 32)
AD_ENCRYPTION_KEY=796428786ecbb39c06d87c04f3a30e93...

# ── Server ────────────────────────────────────────────
PORT=3001
NODE_ENV=production
FRONTEND_URL=https://your-domain.com

# ── Feature flags ─────────────────────────────────────
# Enable the demo data seeding endpoint (non-production only)
ENABLE_SETUP_ROUTE=false

Frontend (.env)

VITE_API_URL=https://your-api-domain.com

Licence & Whitelabel

Open Resilience is available under a commercial licence.

White-label licensing allows you to:

  • Replace branding, logo, and app name via metadata.json
  • Set custom domain and colour theme
  • Add your own company and support contacts
  • All without touching application code

For licensing enquiries:
📧 openresilience@webtron.co.za

Open Resilience v3 — Built by Webtron (Pty) Ltd
Documentation current as of June 2026 · 8 gaps closed natively this release cycle
© 2025–2026 Webtron. All rights reserved.

Source: README.md, updated 2026-06-01