Barrierefreiheits-Links Zum Hauptinhalt springen
Nachrichten \ Operational Resilience & risk management

Operational resilience: the dominant perspective

Tom den Hartog & Eva Noordhoek
Juni 30, 2026 · 5 Min. Lesezeit Englisch

For years, organizations have optimized for maximum efficiency. Stable conditions allowed us to design organizations, supply chains, processes, and systems around known constants. These conditions encouraged tight integrations and deep dependencies, because efficiency rewarded them. That stability is gone. 

Inaction now is a strategic risk. The operating environment is shifting faster than traditional structures can adapt. Organizations must now design for uncertainty, not stability. That means to absorb shocks and adapt to externally imposed change.

Operational resilience must be designed across the full system: organizational structures and decision rights, governance and control models, supply chains and partnerships, core processes, talent and culture, and the digital systems that connect and enable them. Weakness in any one of these domains can cascade across the enterprise.

Resilience determines whether an organization can absorb disruption without destroying value, reorganize under pressure, and continue to serve customers, markets, and society when conditions deteriorate. In that sense, resilience is increasingly comparable to other strategic asset classes: it is measurable, improvable, and governable at board level.

At its core, resilience creates value in two ways:

  • it protects downside by limiting financial, operational, and reputational damage during disruption, and
  • it creates upside optionality by preserving strategic freedom.

No-IT is no IT problem

Digital fragility has become a systemic business risk. In our report “NO-IT is no IT problem”, we described how digital dependencies have become systemic: when IT stops, the organization stops. That central diagnosis remains valid.

What has changed is the context and the stakes. Boards now operate in an environment where crises no longer occur sequentially but simultaneously; where geopolitical pressure reshapes supply chains; where regulatory intervention accelerates unpredictably; and where human capital is as fragile as digital infrastructure.

In this environment, the organizations that sustain and grow value are those that can adapt faster than disruption unfolds. Adaptability has become the mechanism through which resilience translates into value.

This shift requires leaders to rethink resilience not as a technology capability, but as an operational, organizational, and societal challenge. As the report states clearly: delegating digital resilience to IT reinforces the misconception that outages are technical incidents, when in reality they are operational disruptions in a digital era.

Resilience, recoverability & adaptability

Many organizations still frame resilience as a defensive requirement: something to be controlled, audited, and “covered.” In practice, this framing creates a false sense of safety. Controls do not guarantee continuity. Documentation does not create recovery. And testing alone does not produce options when conditions fundamentally change.

In a digital operating environment, resilience is not a static state. It is a dynamic capability that determines whether an organization retains freedom of action under pressure.

This requires a shift in thinking. Resilience is not primarily a technology problem, nor a compliance exercise. It is an architectural discipline that spans three tightly connected domains:

  • Technical architecture – platforms, identity, networks, data, and integration patterns
  • Process architecture – continuity of critical service delivery, including degraded and manual modes
  • Organizational architecture – decision rights, crisis leadership, escalation paths, and ownership 

Weakness in any one of these domains will surface under stress—and when it does, the effects propagate rapidly across the system.

Most leaders already accept the principle of “designing for failure.” Observability, redundancy, and safeguards are widely discussed. Yet many organizations discover too late that their architectures offer no real alternatives. Dependencies are deep, switching paths are unclear, and recovery assumes conditions that no longer exist during a crisis.

This is where adaptability becomes decisive.

Adaptability is the ability to reconfigure under pressure: to switch, reroute, rebuild, or reorganize when assumptions fail. It is what transforms resilience from a defensive posture into a strategic asset.

In practice, adaptability is created through concrete architectural options:

  • Options for operational recovery – preserving the ability to deliver essential services, even in severely degraded conditions.
  • Options for portability – enabling workloads, data, or identities to move rapidly between platforms or environments.
  • Options for fast rebuild – restoring processes, applications, or entire environments on clean infrastructure when trust is lost.
  • Options for alternative capability – ensuring continuity when critical technology, suppliers, or expertise become unavailable.

These options are not abstract. They are designed deliberately—or not at all.

Organizations that lack such options are forced to rely on hope: hope that backups are clean, hope that key people are available, hope that external platforms recover in time. Hope is not a resilience strategy.

Modern operational resilience is the capability to operate with choices under uncertainty.

Those choices determine how much value is preserved, how fast trust is restored, and whether the organization emerges weakened—or stronger—after disruption. 

Societal interdependencies and human resilience

Resilience does not stop at the enterprise boundary. Digital fragility amplifies operational risks across supply chains, public infrastructure, and even basic societal functions. When payment systems stop, when logistics freeze, or when communication channels are unavailable, organizations face societal vulnerability, not merely technical downtime.

Equally important is human resilience, which is another theme emphasized in the report: Employees may not be available during a crisis. Their loyalty, safety, or family priorities may pull them away from corporate obligations. In crises, organizations rely on people, yet people themselves rely on societal stability.

Operational resilience therefore requires preparation in three domains:

  • People: availability, training, crisis roles, societal preparedness
  • Processes: manual fallbacks, minimum viable operations, physical workflows
  • Partners: supply-chain continuity, alternative arrangements, cross-sector collaboration

An organization’s resilience is only as strong as the society and suppliers around it.

An economic lens on operational risk

Boards increasingly recognize that cybersecurity and operational risks must be understood in economic terms. Yet the report shows a recurring gap: executives lack actionable insight into the materialized financial impact of disruptions, making it difficult to prioritize investments or weigh trade-offs. 

 

Mehr lesen