Transformation Risk insights series

Responding with resilience: Three questions about operational disruption transformation risks

6 minute read
April 01, 2026

This series explores how taking a portfolio-wide approach can help organizations align transformation efforts, reduce risk, and drive meaningful outcomes across business, tech, and controls.

Business transformations can offer significant benefits, from enhanced efficiency to improved customer experience. While many companies manage multiple risks during a transformation program, resiliency risk is often overlooked. If your organization isn’t adequately prepared and equipped to recover your critical services and reduce operational disruption, that can open you to more risk and damage downstream.

During operational and technological transformation, your business still needs to perform well and meet its obligations. Without careful management, disruption can become the hidden cost of change, eroding revenue and performance, increasing transformation risk, and jeopardizing the value of the transformation itself. Operational disruption—like system outages, process delays, quality failures, control breakdowns, and vendor issues—are risks you should be prepared to handle quickly, as they can severely impact your customers, your employees, your costs, and overall business.

While you want to reduce the likelihood of disruptions as much as possible, avoiding 100% of hiccups just isn’t possible, so you should be prepared with a swift, effective immune response when a disruption occurs.

Resiliency—the ability to withstand, adapt, and quickly recover while maintaining your core functions within acceptable performance levels—is imperative.

“Poorly managed cutovers and process changes can interrupt daily service delivery, causing revenue loss and client dissatisfaction.”

—Gena Sullivan, Partner,Digital Assurance & Transparency, PwC US

What are some of the most pressing operational disruption transformation risks today?

The operational disruptions you’re likely to encounter depend heavily on your industry and types of service, but there are a few common root causes.

Many companies lack a current, holistic view of dependencies across their people, processes, technology, data, facilities, and third-party vendors. Even small, overlooked points of failure can quickly escalate into major operational issues.

Example: Let’s say an update to your core online banking and trading platform was deployed in a single region. If your cloud service provider experiences a regional outage, your application and database services might become unavailable, stranding your customers who can’t access their accounts or execute trades.

When architectures, operating models, or provider and vendor relationships evolve, recovery time objectives and impact tolerances often remain anchored to outdated baselines. This can result in readiness gaps when it’s time to go live.

Example: Imagine you’re a transformation leader at a major healthcare provider. You successfully update your company’s IT infrastructure, but forget to refresh your recovery time objectives to match the new tech. If a systems failure occurs post-migration, your teams can face outdated recovery targets that can lead to further regulatory and reputational risks.

Backups, restores, incident recovery, and crisis communication plans aren’t always tested or validated adequately. Conversely, lessons or remediation tactics learned from past incidents may not be consistently implemented before new releases.

Example: If, during a software upgrade, your organization fails to run thorough backup and restore tests, a data corruption incident could mean prolonged service interruptions and costly data reentry efforts.

New platforms and tools often need rigorous testing and validation so they can avoid downtime issues. If security oversight isn’t proactively strengthened during these rollouts, these new systems can also introduce downstream vulnerabilities, like opportunities for privileged access abuses, compromised systems, or data exfiltration risks.

Example: Suppose your company rolls out a new cloud platform with weak controls around privileged access, allowing unauthorized internal and external users to extract sensitive data. This breach wouldn’t just disrupt your operations—it might bring reputational damage and heightened regulatory scrutiny.

What can I do to help reduce operational risks right now?

Anticipating disruption means accepting the idea that you can’t preempt every risk from turning into an issue. It also means developing the operational muscle and agility to maintain core business throughout those disruptions and limit their impact.

Here are a few practical steps you can take to help reduce exposure and enhance resiliency during transformations.

Throughout your transformation, continue to rebalance your baseline critical recovery targets to align with your new operational realities. This can include metrics like maximum tolerable downtime (MTD), recovery time objective (RTO), and recovery point objective (RPO).

You should also continuously update your holistic view of dependencies across both your internal functions and your third-party relationships. This can help you proactively identify—and reduce—single points of failure as you implement your transformation.

Conduct joint testing with important suppliers using shared playbooks. Align key performance and key risk indicators for changes in service level.

Conduct rigorous backup and restore tests, incident recovery rehearsals, and crisis notification drills. Assess closure of post-mortem action items to confirm operational readiness.

Establish stabilization metrics and reinforce risk-based vulnerability monitoring as changes are made. Enforce tighter controls on privileged access and enhance detection of unusual data movements to protect against threats that can rear up at these moments.

Where can I get help?

Addressing operational disruption transformation risks requires foresight, insight, discipline, and coordination. At PwC, our transformation risk assessments offer an outside-in perspective that can help your company understand where design decisions, program dependencies, and transition activities may inadvertently increase operational or execution risk. These assessments can do more than identify risk points—they can help pinpoint the more impactful risks and interdependencies early in your transformation and deliver clear, actionable recommendations to address them.

When deployed at key milestones, these assessments can inform stronger decision-making, enable more confident go/no-go readiness determinations, reduce the likelihood of costly downstream remediation, and help protect transformation value by lowering both the likelihood and the impact of operational disruption. With the right approach to operational monitoring, your organization can move faster with confidence—withstanding and learning from shocks, meeting customer and regulatory commitments, and safeguarding return on investment.

Digital Assurance and Transparency

Powering digital progress through trust

Contact us

Gena Sullivan

Partner, PwC US

Jim Willis

Managing Director, PwC US

Ian McEmber

Director, PwC US

© 2017 - 2026 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.