New regulations have organizations focusing on resilience more than ever. We find that even enterprises not obliged to meet new requirements are developing resilient capabilities. Their leaders know that resilient organizations possess the capacity to withstand unexpected adverse changes, and that these organizations will continue with “business as usual,” even in the face of potential disruption.
Resilience components that impact mature operating models include business, technology, cybersecurity and third-party resilience disciplines. The implementation of an enterprise resilience program must consider the lifecycles of each of these disciplines in a cohesive and interrelated manner.
Resilience is not limited to one industry or even to one global region. For example, financial services institutions with operations in the European Union (EU) must comply with the Digital Operational Resilience Act (DORA) by its January 2025 compliance date. However, all businesses can benefit from the leading practices, guidance and frameworks that increasingly encompass and promote the notion of resilience. The U.S. and APAC have already seen similar regulatory pressures and we expect these regulatory requirements to increase in coming years.
DORA will require financial services enterprises with business in the EU to follow rules for protecting against, detecting, containing, recovering from and repairing the effects of information and communication technology (ICT) incidents. It is meant to address a lack of operational resilience that could jeopardize the stability of EU financial systems. DORA articulates rules on risk management, incident reporting, operational resilience testing and third-party risk monitoring for information and communication systems.
Does this sound like business continuity or disaster recovery planning? It isn’t. Those practices are essential, but they are based on activating or invoking response, recovery or resumption plans when an inevitable disruption occurs; in other words, they are reactive. Resilient organizations think ahead to avoid disruptions proactively, rather than merely aiming to recover after a disruption occurs. Operational resilience deals with measures that anticipate adverse changes, not just with responding to disruption. The scope of “resilience by design” encompasses anticipating everything from a data breach to a hurricane, from network disruptions to geopolitical events. Resilience is about being proactive to avoid the impacts of the hazards that befall businesses every day.
All enterprises should be proactive: resilience is simply good business. When one considers the interconnectedness of today’s global marketplaces, it is easy to see how readily customers can transfer their business to other suppliers. When a supplier they rely on is disrupted, customers’ needs go unmet, and they may very well go elsewhere; competitors will make that easy, and the risk of customer loss increases.
What’s required: leadership engagement
A resilient organization requires proactive and vigilant leadership to promote changes that anticipate and prepare the enterprise to fend off hazards. These considerations must remain in focus for critical planning in all strategic aspects of the enterprise, including business units, workforce decisions, technology considerations and third-party service providers’ own security and resilience.
Resilience starts at the top, where leadership sets the tone of corporate culture and values. This includes both Board-level directors and senior executive leadership. Corporate leaders establish the organization’s priorities and make the critical strategic, operational and financial decisions that shape the operating environment. Organizations that prioritize resilience are better equipped to identify and manage risks, because they are willing to invest in the resources that enable them to prepare for, respond to and recover from potential disruptions. Effective organizations establish clear communication channels and business contingency plans that minimize the impact of adverse events.
Board-level support is critical to developing enterprise resilience: it is important that Board-level directors become vocal in their support. Ideally, directors should articulate values beyond driving down costs and increasing profits, and extend corporate strategies and policies toward ensuring the enterprise’s longevity by designing in resilience. Boards and other leaders should support the implementation of comprehensive resilience strategies and governance models.
It is essential that such messages and behavior come from the top, because resilience by design, as a proactive approach, is often a more costly way to operate a business than merely managing costs and boosting profits. Applying chaos engineering to distributed failover testing as part of normal operations, for instance, increases business-as-usual operating costs. Further, advanced organizations are developing digital twins so that chaos testing can be run against simulated production environments rather than live ones. Ultimately, when the board of directors perceives the value in such measures and supports them, the organization becomes more resilient.
What’s required: widespread adoption
Developing resilience requires leadership support from the Board and senior executives, but it also calls for awareness and enablement throughout the organization. Beyond the Board and the C-suite, organizations require support for and promotion of resilience within every pillar of the enterprise, including lines of business and back-office support functions, the workforce, information technology, and even third-party service providers and other vendors. Leaders at all levels of the organization must in turn engage their own lieutenants to promote resilience throughout the enterprise.
An organization in which leaders prioritize resilience moves its culture away from reaction and defense toward one that encourages employees to be proactive, innovative and “resilience ready.” Effective change management is critical to the success of resilience programs; boosting adoption of operational resilience principles and raising awareness are essential. Governance, policies, standards and procedures are the core elements that ensure resilience is integrated into each in-scope function and process. Clear communication, with codified roles and responsibilities, is crucial for success. Finally, leaders may incorporate these desired behaviors and activities into regular performance evaluations to sustain ongoing attention and adherence at all levels.
Deep change often calls for revising, refining or rewriting what is already there. A key risk to developing resilience is an audience that perceives it merely as the latest iteration of business continuity or disaster recovery planning. Consistent communication will help audiences grasp the difference between reaction and resilience. Change agents can work to attain adoption within the business, then conduct operational evaluations and gather key performance metrics to test the success of their efforts.
What’s required: a program tailored to the enterprise
The scope and structure of any enterprise’s resilience program will vary by industry, business model, regulatory obligations, locations and other factors. Designing resilience is therefore a highly customized and individualized effort. Whether compelled by DORA or other regulations or acting of their own accord, and whether working with external partners or internal resources, enterprises across industries can achieve the long-lasting benefits of operational resilience by cultivating support at all management levels and carefully managing change toward resilient business outcomes.