Ep. 34: Regulations and resilience: Turning compliance into strength

Emerge Stronger Through Disruption podcast, PwC United States, January 2026

In this episode, our Global Centre for Crisis and Resilience co-leader Dave Stainback is joined by Jane He and Sandrine Mottin to explore the resilience regulations landscape and unpack how to take a strategic approach to resilience that also meets tactical regulatory requirements.

Release date: January 2026

Full transcript

David Stainback: Hello everyone, and welcome to this episode of Emerge Stronger Through Disruption. I’m Dave Stainback and I co-lead PwC’s Global Centre for Crisis and Resilience, or GCCR for short, with my partner Bobbie Ramsden-Knowles. The aim of this podcast series is to explore the challenges facing businesses in this environment of constant crisis and change, and to discuss how successful business leaders can emerge stronger through disruption.

We’re now in the fifth and last episode of the GCCR Summit Series in which we’re focusing on major topics that our crisis and resilience leaders from around the world discussed at our recent PwC Global Crisis and Resilience Summit. I’m delighted to be hosting today’s discussion on regulations and resilience, a topic that’s increasingly impacting organisations across the globe.

And joining me are two of my PwC colleagues and resilience leaders, Jane He and Sandrine Mottin. Jane, Sandrine, great to have you both here.

Jane He: Great to be with you, Dave. Hi everyone. I am Jane He, Forensic Crisis Resilience Partner at PwC Australia. And I’m coming to you from a very sunny morning in Sydney.

Sandrine Mottin: And I’m Sandrine Mottin, Technology Resilience Partner in the United States, and I’m very happy to be here.

David Stainback: Alright. So, we’re talking today about navigating regulations in a rapidly changing environment, really with the goal of providing insights to help businesses stay compliant and competitive. So, let’s get to it.

Jane, do you mind kicking things off by highlighting some of the more recent regulations that you’re seeing out there and some of their intentions?

Jane He: Sure, Dave. We’re looking at global resilience regulations such as CPS 230 in Australia, Digital Operational Resilience Act in the EU, the Operational Resilience Act in the UK, and the Critical Entity Resilience Directive (CERD).

They are all aiming for a similar outcome with different angles and levels of depth. Some cater more to financial services and some more to critical infrastructure sectors such as utilities, telecommunications and so on. But, in the end, their intentions are similar: to push organisations to anticipate, prepare for, respond to, and learn from disruptions.

Some exam questions include: how do organisations prepare for an outage? Do they know what to do when a severe disruption hits? Do they know how to calm down the market and how to communicate with key stakeholders and maintain trust? And do they have a system and a mindset in place to learn from each disruption?

The products and the services that financial services firms provide are very specific, and therefore, FS resilience regulation tends to be more prescriptive, but the end goals across regulators are the same. They’re requiring organisations to understand and map out what their Critical Business Services (CBS) are, what matters the most, and their dependencies on people, processes, systems, data, and service providers. They also need to understand what their risk appetite is for disruption to new services, where single points of failure could be, and whether they’re prepared for severe disruptions where it matters the most.

Sandrine Mottin: Absolutely, Jane, and what we’re seeing now is a much stronger focus on interdependencies between firms, technologies, third parties. These create new kinds of risk profiles really, and technology has evolved so quickly that regulation is playing a bit of catch-up, especially when it comes to cyber resilience, technology changes and third-party integration. Disruptions rarely happen in isolation anymore due to all these interconnections. In the UK, for example, the regulators have introduced a framework for critical third-party providers. So, this is for suppliers whose failure could impact the financial system. Some will fall under direct oversight, but for most, that responsibility still sits with the regulated firms themselves. So, managing supplier resilience is very much in their hands.

In the US, the approach is a little different and is more principle-based. The regulators are issuing guidance and sound practice papers, for instance, rather than strict rules. So instead of treating those as a compliance checklist, organisations can use them as a way to assess readiness and identify where to strengthen.

So really, ultimately, it’s about going beyond compliance and using these expectations to truly build the capacity to anticipate, withstand, and recover from disruption. So that’s the real sense of resilience.

Jane He: Exactly, Sandrine. Organisations should think about using resilience as a competitive advantage.

Disruptions will happen as we know, but the more prepared you are, the better your ability to anticipate where disruptions could come from. And if you have a resilient mindset and a culture, you will absorb shock from disruptions better and quicker. This will put you in a stronger position compared to your competitors.

It’s almost like if you’re running a marathon, if you have a healthier body, you’ve got a better immune system, you are going to be a better runner.

David Stainback: Yeah, that’s a great analogy there, Jane. And honestly, in our most recent Global Crisis and Resilience Survey, it showed that executives are understanding the importance of making resilience really that strategic priority and imperative as opposed to just a compliance exercise. Most - 70% - of those business leaders told us that they’re confident in their organisation’s ability to respond to various disruptions. But our underlying questions beyond that in the survey found that many of them actually lacked the foundational elements to be successful in practicality. So, I’d love to talk about some of those elements. Do you mind sharing what are some of the fundamental components and concepts that organisations need to have in place, both to build resilience in a way that’s actually going to work for them and also stay compliant with the regulatory environment?

Jane He: As you know, Dave, PwC GCCR has done a lot of research, analysis and detailed mapping of regulations globally to understand what good looks like for building a resilient organisation, and we found some common pillars and elements to building a resilience program for organisations operating in any sector.

The first one I’ll talk about is really to establish proper governance. Who on the executive team is going to drive the resilience initiative? Who has the accountability, therefore the investment to actually drive and to sustain the program? The second is to really understand what Critical Business Services are, what products and services are fundamental to the survival of what an organisation does, because you don’t need to be resilient in everything, right? That’s what the regulators are aiming at. For example, if you are an airline, the most critical service that you are providing is to fly passengers from point A to B. So that service needs to have the minimum disruption. You want to double down on the resilience effort in delivering that service because that is imperative to what you do.

Sandrine Mottin: Exactly. And to add to that, we can take another example from financial services. A Critical Business Service might be processing client payments or clearing transactions, sometimes at very high volume. So, if that capability goes down even for a few minutes, the ripple effects across customers, partners, and markets are immediate. So that’s where you want to double down on resilience with redundancy, tested recovery plans, and contingency arrangements with third parties to keep those services running with minimal disruption.

Jane He: Great example, Sandrine. So, understanding your Critical Business Services sets the scope of your resilience program.

The third pillar is to build resilience capabilities into those business services that matter the most. If flying is the most important service, we want to make sure the end-to-end business mapping of that service is well understood. What does that service depend on? The critical people, data, technology, third parties, and so on.

Sandrine Mottin: Exactly as you described, Jane, at its core, building resilience and staying compliant really comes down to understanding what’s critical and what those services depend on. So that means knowing which technologies and third-party services are essential to keeping these services running. We’ve seen recent events such as cloud outages, which really drive this topic home.

I would also add that cybersecurity, incident response and data recovery need to be tightly connected and tested regularly, and measured against clear tolerances. Resiliency isn’t a compliance checkbox anymore, like we mentioned before. It’s about really embedding that ability to anticipate and recover as part of the business DNA.

Jane He: So true. So, building resilience capabilities, your business continuity, crisis management and technology, where it matters the most, is the third pillar. The fourth pillar is testing and exercising. Often organisations build business continuity plans and they say, well, if that process breaks down, we’ve got a backup plan, so we’re good. Let’s move on. But there are so many lessons learned in real-life stories. If you have not tested what that backup actually does and how much coverage that backup actually provides you with, you have not really understood your resilience measures.

Sandrine Mottin: Exactly. And another reason for testing is the psychological confidence that it builds. And when teams exercise difficult scenarios in a safe environment, they can really see where the weak spots are and they fix them before a real crisis hits. We’ve run recovery tabletops, for instance, where, by step three or four, you already identify a major disconnect between, let’s say, the technology and the operations team, such as needing to change IP addresses on a large scale in case of an event. So, these tabletop exercises are very helpful to identify that before it’s too late.

David Stainback: These are great points, Jane and Sandrine, and those pillars I think are spot on with what I know each of us is helping companies focus on as priority, strategic actions to build resilience that actually works, right?

So governance, identification, and mapping of those Critical Business Services, building the resilience capabilities to support them, and then testing and exercising. However, given all the different regulations that are out there, how can companies begin to gain comfort that these pillars will also enable them to meet any existing or emerging regulations?

So, more from a practical perspective, what should organisations do first? Do you guys have any tips there?

Sandrine Mottin: I’d say the first step is having a clear, actionable view of the regulatory landscape. As Jane mentioned earlier, at PwC we’ve spent a lot of time mapping global regulations and industries, and that clarity helps organisations see not just what they must comply with, but how those requirements connect to building true enterprise resilience.

From there, I would say it’s about governance, making sure that you have the right people leading, and treating compliance as a multidisciplinary effort rather than a checklist exercise. I would also encourage organisations to get engaged: join industry forums, participate in joint exercises, share lessons learned and, at the same time, build the right expertise internally.

Make sure your teams are upskilling leadership and boards, not just meeting requirements. So, when you do those two things, engage externally and educate internally, you turn compliance from a burden into a capability.

Jane He: I think it’s also important to recognise that regulations may not necessarily guide you in terms of how mature your resilience program needs to be.

As we know, the resilience goalpost is constantly evolving with changing expectations from customers, investors, and society, whereas regulations are often static, so organisations should be able to answer the question: Now that we’ve spent a year, two or three setting up and maturing our resilience programs, are we more resilient as an organisation?

What are key measurable indicators to use as a sense check? Have we spent less time in responding to disruptions, as an example? Have we consistently learned from each of the incidents that we’ve dealt with? Are people more comfortable, active, and involved now in a crisis exercise? These are some healthy KPIs to keep in mind when going through what could feel like a lengthy regulation compliance effort.

Going back to my previous analogy, if we continue investing in our health, do we get out of bed feeling more energetic? Do we sleep better? We’ve heard from so many organisations who say they’ve spent millions of dollars complying with specific resilience regulations, but when the outage actually hits, they did not see it coming, and then they were no better in terms of responding. That is a red flag that they have not kept the end goal in mind in their approach to regulatory compliance.

David Stainback: Thank you both. That was a great discussion and everything that we’ve talked about really highlights the importance of building resilience for the strategic purpose of truly being resilient. And if you do that, then you can typically translate success into whatever formats are required to meet the tactical requirements of any particular old or new regulation that may still come. It also feels like there’s a huge opportunity here for organisations that will be facing new resilience regulations soon. That can actually be an opportunity to capture executive attention on resilience and then use that opportunity and funding to build actual resilience as opposed to just focusing on meeting the compliance requirements.

So, I think that’s a great place to wrap this up. I want to thank you both again for being here and to our listeners, thank you for joining our GCCR Summit Series designed to provide practical advice and strategies for building resilience and emerging stronger through disruption.

This concludes our GCCR Summit series, and I really hope you enjoyed it. We’ve covered the convergence of cyber and technology resilience, done a deep dive on operational resilience, and explored the role of technology and AI in resilience, in addition to this episode on regulation. So, if any of those other topics interest you, please go ahead and listen, and you can find more insights and resources on our PwC GCCR website.

And be sure to connect with me, Jane, and Sandrine on LinkedIn and subscribe to Emerge Stronger through Disruption wherever you get your podcasts. Until next time, stay resilient and prepared for whatever challenges come your way.

VO: Copyright 2026 PwC. All rights reserved. PwC refers to the PwC network and or one or more of its member firms, each of which is a separate legal entity. Please see www.PwC.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

Contact us

Dave Stainback, Global Crisis & Resilience Co-Leader, PwC United States, Tel: +1 678 419 1355

Bobbie Ramsden-Knowles, Global Crisis & Resilience Co-Leader, PwC United Kingdom, Tel: +44 (0)7483 422701