Connecting risk and resilience

Connecting risk and resilience to protect what matters most

  • Insight
  • 9 minute read
  • June 27, 2025

The resilience lens: a fresh perspective on risk management in industries beyond Financial Services

Reframe: Change the way we see risk and resilience

We live in a world where disruption is commonplace. Resilience is no longer a ‘nice-to-have’; it is a strategic imperative. This landscape, coupled with a number of resilience-focused regulatory initiatives ‒ such as the EU Digital Operational Resilience Act, Telecommunications Security Act, Critical Third Parties regime, and the EU Critical Entities Resilience Directive ‒ has led organisations across sectors to strengthen their resilience.

There has also been renewed focus on risk and resilience in the Financial Reporting Council’s (FRC) UK Corporate Governance Code, including a requirement for organisations to declare the effectiveness of material controls ‒ potentially covering those that support resilience to risks threatening the business model, solvency, or liquidity.

The growing focus on disruption has shifted attention away from business-as-usual (BAU) risk management, despite the close connection between risk and resilience. Now is the time to identify overlaps and use them to strengthen the resilience of critical services and/or products.

The rapid development of resilience strategies offers a chance to align risk and resilience with broader business goals.

Developing an integrated view of risk and resilience

Achieving integration means both establishing preventative controls, to minimise the likelihood of severe but plausible scenarios materialising, and building ‘resilience by design’. This will enable firms to better anticipate and mitigate cascading contagion events in their environment.

Firms must assess how disruptions impact risks and controls, identifying where BAU controls may need to be substituted to maintain critical services. This requires close collaboration between resilience and risk teams to agree on substitutions and monitor associated risks.

Now more than ever, resilience and risk leaders ‒ backed by executive support ‒ must focus on a strategic vision for operational resilience. This involves not only meeting regulatory requirements but also implementing the necessary changes to sustain resilience in the long term.

Reassessing first and second line expectations is essential to fully integrate risk and resilience, turning them from compliance tasks into strategic enablers.

This paper explores these connections and outlines strategies for embedding risk and resilience into the broader business framework.

It addresses two key questions:

  1. How do risk and resilience work in tandem within an organisation to prevent disruptions and enhance response and recovery strategies?
  2. Just as importantly, how can both perspectives be embedded into decision-making processes, rather than viewing them in isolation?

Operational resilience

Has a service or product-first lens to assess the cumulative effect of impacts on critical services and products during disruption, by identifying and remediating vulnerabilities to remain within impact tolerance.

Risk management

Has an objective-led lens where associated risks are identified and assessed. Risk practitioners must implement suitable preventative and mitigating controls to manage risks within the defined risk appetite.

[Figure: macro risk drivers]

Integrate: Realise the benefits of unified risk and resilience

Operational resilience and risk management share the underlying objective of understanding potential vulnerabilities and strengthening the control environment to effectively manage risks and mitigate impacts to a firm’s operations within acceptable levels. 

Benefits of risk and resilience integration.

The first step to realising these benefits is building a resilient ‘bowtie’.

The intersection of risk and resilience can be considered through the concept of the ‘bowtie’ model. Most practitioners are familiar with the bowtie concept of risk and control – but understanding how resilience intersects with the model can help firms to tie the bow together.

Consider the risks and controls mapped to deliver an organisation’s critical services and products, and how they are managed not only to a) prevent disruptions that challenge an organisation’s resilience posture (left side of the bowtie), but also to b) mitigate the consequences of disruptive events (right side of the bowtie).

Elevate: Optimise risk and resilience integration

Connecting risk and resilience

Integrating risk and resilience means aligning frameworks, operating models, technology, and resources to enable a joined-up approach. Building a future-ready capability requires a long-term strategy that embeds resilience into broader strategic, risk, and control objectives and rethinks how the programme connects with wider risk functions. With senior leadership support, the second line may need to play a more hands-on role in helping the first line strengthen controls aligned to the delivery of critical services and/or products. 

[Figure: strategy and framework]

Underpinned by an integrated technology view

Technology platforms across risk and resilience disciplines help organisations anticipate, manage, and recover from threats. When integrated, these tools can unify risk and resilience functions around what matters most. 

Respond: Adopt a substitution approach during disruption

Organisations must also assess how substituting controls during disruption affects risk and resilience. A flexible, informed strategy is needed to adapt the BAU control environment while continuing to manage risk through disruption. The impact of substitutions on control effectiveness and resilience outcomes should be considered in advance ‒ built into response plans and scenario testing, not left to be decided in a crisis.

Substitution approach – A case study

A substitution approach during disruption might involve switching to an alternative supplier if a primary one fails. For example, if a manufacturing firm’s key transport provider experiences a system outage, it could activate a pre-identified secondary provider or in-house contingency to maintain service. This helps to establish continuity, reduce single points of failure, and strengthen resilience. However, such substitutions may impact the BAU risk and control environment ‒ so the cost-benefit of each option should be carefully assessed.

Third-party risk management – Increased reliance on multiple suppliers requires enhanced due diligence, ongoing monitoring, and contractual arrangements to facilitate alternative providers meeting the same risk and resilience standards as the primary supplier.

Operational complexity – Managing multiple suppliers introduces additional complexities in procurement, logistics, and integration, which may create new risks related to consistency, data security, and service quality.

Testing and assurance – The effectiveness of the substitution strategy must be regularly tested through scenario planning and operational resilience exercises to enable seamless transitions in real-time disruptions.

Cost and resource allocation – Maintaining secondary suppliers may introduce additional costs, requiring firms to balance resilience investments against efficiency considerations within their risk appetite.

Data and technology integration – The business must ensure that alternative suppliers can seamlessly integrate with existing systems without compromising data integrity, cybersecurity, or service continuity.

Control environment adjustments – Controls must be updated to reflect changes in workflows, so that governance frameworks, risk assessments, and incident response plans account for substitution strategies.

Questions for risk and resilience practitioners to consider when flexing the BAU environment during disruption

Within risk environment:

  • How does a substitution approach impact existing risk exposures?
  • Are we operating within our risk appetite?
  • Are our controls adequate and effective?
  • How do we monitor exposure and control? Is this covered by existing indicators (e.g. KRIs, KCIs)?

Within the resilience environment:

  • How does the adoption of a substitution method affect the efficiency and effectiveness of service delivery?
  • How resilient are controls under stress?
  • Have response plans been updated to include scenarios where substitution approaches are required?


Key contacts

Bobbie Ramsden-Knowles

Global Crisis & Resilience Co-Leader, PwC United Kingdom

Dave Stainback

Global Crisis & Resilience Co-Leader, PwC United States

The authors

Alex Sagovsky, Crisis, Resilience and Geopolitical Risk, Director, PwC United Kingdom
Johanna Peterson, Crisis and Resilience, Senior Manager, PwC United Kingdom
Callum Bright, Enterprise Risk Management, Senior Manager, PwC United Kingdom
