Operational resilience: moving beyond compliance to secure the future

Tom den Hartog, Annemieke Deering & Jorrit Molkenboer
June 30, 2025 · 2 min read

Boards and executive leaders today are confronted with a pivotal question: In an increasingly threatening digital landscape, marked by geopolitical uncertainty, growing regulatory pressure and interdependent systems, are we truly in control?

The speed of technological change, the expansion of digital services, and the rising volume of regulations are converging in ways that raise uncomfortable but necessary questions.

Because disruption is no longer the exception. Whether it’s a cyberattack, an update gone wrong, or a shift in regulation, disruptions now shape the normal rhythm of business. The question isn’t if it will happen—but when. And more importantly: how prepared are we when it does?

The reality is this: leaders are not ignoring these issues. On the contrary, most executives we spoke to in our research for the report “No-IT is no IT problem” are deeply engaged with them.

There is growing recognition that the nature of risk has changed. Cyber threats are no longer isolated technical events. When they strike, the consequences are operational, affecting critical processes, supply chains, customer services, and ultimately the continuity of the business itself.

When IT fails, it’s a business problem
Despite having solid security teams and frameworks in place, many organizations still frame resilience as an IT matter. This perspective can hinder proactive decision-making. When digital systems go down, they don’t just impact servers and software. The impact is felt right away: finance can’t process, operations stall, and teams across the business are left without the real-time information they depend on. Failing to maintain customer trust can result in lost revenue, a damaged reputation, and weakened customer loyalty, ultimately harming both the business and its customers.

That’s why the shift in thinking is so critical. The phrase “No-IT is no IT problem” is more than a clever line—it reflects a deeper truth: cyber incidents are not simply technical risks; they are risks to organizational continuity. They cut across functions and require coordinated, executive-level attention.

Compliance helps, but it doesn't guarantee preparedness
The rise of digital resilience regulations, such as the EU’s DORA and NIS2, is undeniably helpful. It provides clarity, creates structure, and raises awareness. But the shift toward more regulation also comes with a risk: organizations can begin to treat compliance as the goal, rather than a baseline.

Focusing on compliance brings structure and momentum, yet it’s not the whole picture. Several leaders shared during interviews that while meeting regulatory requirements is important, it can sometimes draw attention away from a more fundamental question: what is the actual business risk that the control addresses, and how do we design our core processes to be genuinely secure and resilient, so that we can recover quickly when systems fail?

Preparedness means going beyond checklists. It’s about embedding continuity into the heart of decision-making, investment planning, and organizational culture.

Delegation isn’t control
Most executives acknowledge that they rely heavily on their technical teams for managing cybersecurity and resilience. That reliance is both understandable and necessary. But delegation is not the same as control.

Too often, resilience is viewed through a purely IT lens, as something that sits squarely with technical experts. But IT is deeply embedded in the core processes of every modern business. A disruption in IT is a disruption to the business itself. That makes resilience a matter of core business leadership, not just technical execution.

When disruption occurs, the ability to lead through uncertainty requires clarity. Clarity on who is responsible, how decisions are made, and what priorities take precedence. These are not technical questions; they are leadership ones. And they cannot be answered effectively if resilience is treated as a siloed, technical responsibility.

Executive ownership does not mean micromanaging systems or infrastructure. It means understanding how IT underpins your critical operations, where vulnerabilities exist, what recovery entails, and how potential risks could affect your business—financially, operationally, and reputationally.

True resilience requires business leaders to take a proactive role. Not by becoming IT experts, but by recognizing that resilience is a strategic capability—one that determines whether the organization can continue to serve customers, meet obligations, and protect its reputation when the unexpected happens.

Operational resilience is the strategy
What’s needed now is a broader perspective: resilience as a strategic enabler, not a technical patch. This mindset shift requires organizations to stop treating resilience as something layered onto operations after the fact—and start integrating it into the way the business is structured and led.

Resilience means being ready to operate through disruption—not just respond to it. And that readiness must be tested, funded, and owned across functions.

To embed resilience across the enterprise, leadership should align around four priorities that go beyond IT:

  1. Whole system in the room
    Resilience planning needs multi-disciplinary input. Cross-functional teams—spanning operations, finance, risk, compliance, legal, and IT—should collaborate in identifying, prioritizing, and preparing for disruption. Include critical external partners in these conversations to strengthen resilience across the value chain.
  2. Evaluate operational risk across functions
    Digital threats are rarely isolated. View risk through an operational lens, rather than by department or system. This approach helps uncover interdependencies that traditional risk registers may miss and improves response coordination.
  3. Link risk tolerance to financial impact
    Executives must know which disruptions matter most—and why. Identify the “crown jewels” of the business and quantify the financial impact of their loss. Align resources and recovery priorities accordingly.
  4. Organize and rigorously test recovery
    Planning is not enough—organizations must test under pressure. Run scenarios, stress-test assumptions, and involve leadership in simulations. This is how response capability becomes confidence, and plans become practice.

From awareness to preparedness
Organizations that treat resilience as a strategic capability—not just an operational layer—will be better positioned to adapt, absorb shocks, and maintain trust through disruption.

This doesn’t mean striving for total control over every risk. That’s neither realistic nor necessary. But it does mean owning what can be controlled: clarity in governance, confidence in recovery, and alignment in priorities.

The most resilient organizations don’t rely on luck or isolated expertise. They build strength into their structure. They connect technical capability with business strategy. And they lead from the front—with the board and executive team fully engaged.

In today’s digital economy, preparedness is not an IT issue. It’s a leadership mandate. And that’s why operational resilience must start at the top.