How to achieve operational resilience in 2025

An uncomfortable truth haunts even the most forward-thinking boardrooms: resilience is not just about systems, process maps or server uptime. It is a leadership issue; it is a people issue. Increasingly, it is also becoming an existential issue.

The C-suite are well versed in business continuity, however. Preparations on failovers, cloud backups, and recovery point objectives, are common. Yet resilience today now includes far more abstract conditions, such as team mental wellbeing and collaboration, and far more macro-political factors—think a changeable geoeconomic 21st Century. It makes operational resilience a boardroom priority, a leadership team responsibility, and a wider team reality.

In a recent Food for Thought debate, in partnership with Tanium, executives from financial services, healthcare, higher education and global technology came together to wrestle with the reality of resilience in 2025. What emerged was sobering: while we may be overengineering systems, and bullishly investing in new AI capabilities, the industry has been less focused on people and culture. As a collective it is beginning to feel the effects of that oversight.

Operational resilience: Overview

• The fallacy of "process over people"
• Cultural realities and organisational blind spots
• Breaking the myth of universal agility
• A new agenda for resilience

The fallacy of “process over people”

A senior leader in financial services noted that while most organisations have meticulously documented technical and procedural steps, very few account for the human dimension of continuity. “Processes are easy,” she said. “The people part is where organisations always fail. They just don’t care—until it’s too late.”

This oversight is costly. Research by Deloitte indicates that 61 percent of executives say they lack full confidence in their organisation’s ability to handle a crisis. And that is not due to a lack of technology. It is because team-level decision-making, leadership cohesion, and cross-functional trust are rarely stress-tested.

In one exercise, participants discussed a hypothetical scenario where key team members were barred from participating in a crisis response drill (no calls, no emails, no coaching from the sidelines). “I've never seen that test run,” admitted one executive. “And yet, that is the one we should be running.”

Cultural realities and organisational blind spots

Different sectors bring different challenges. In higher education, where openness and decentralised control are cultural norms, enforcing cybersecurity mandates feels foreign, even antagonistic. One university CIO described how their Vice-Chancellor (effectively the CEO) is now introducing “actual consequences” for non-compliance. That is a sea change in academia, but one increasingly mirrored across other public and private sector organisations under growing pressure from regulators and Boards alike.

Elsewhere, global operations add another layer of complexity. Leaders from Barclays and Societe Generale highlighted how geopolitical risks—from wars to union regulations—directly impact their ability to shift workloads, secure data, and safeguard talent. When India and Pakistan entered a period of high tension, Barclays was forced to consider how to relocate critical functions from its Indian offices to the UK overnight. That is an extrapolation of business continuity; think high-stakes geopolitical chess.

This is not an isolated case. According to PwC’s 2024 Global Crisis and Resilience Survey, nearly 75 percent of executives said their organisations experienced at least one crisis event in the past two years, and more than 20 percent faced five or more.  The majority involved human factors: internal fraud, staff attrition, burnout, or public trust issues.

Breaking the myth of universal agility

One myth that received significant pushback was the idea that continuous integration and fast iteration are common in modern software delivery. “We look at the Amazons and Googles and assume everyone’s shipping code every 10 minutes,” one healthcare leader quipped. “Back in the real world, that’s just not true.”

Most organisations operate in complex regulatory environments, where agility must be balanced with safety, compliance and customer impact. It is not about going fast, it is about going fast enough, with foresight and confidence. This, again, depends on leadership, alignment, and an honest understanding of risk tolerance. 

This segued neatly to one of the most critical—and underdiscussed—elements: the gap between an organisation’s stated risk appetite and the actual tolerance levels of its leadership team.

Boards often express comfort with bold moves, aggressive innovation, or operating in uncertain terrain. But when the pressure mounts, how many executives freeze or default to caution? How many C-suites have rehearsed acting in chaos, without the benefit of hindsight or Slack channels? CISOs in particular can feel the pain of this misalignment. A marked difference in risk register between themselves, their function, and their business’ place in the market is a cause of this role’s very high churn rate, at barely 24 months in a role.

McKinsey also notes that organisations which actively prepare for disruption outperform peers during crises by 20 percent or more in shareholder value. But preparation cannot just live on a risk register. It has to live in muscle memory, which is built through rehearsal, scenario planning, and uncomfortable conversations, we heard. 

A new agenda for resilience

As we look toward 2026 and beyond, resilience must be redefined not as a function of IT or compliance, but as a strategic capability owned by the leadership team. It requires investment in:

• People continuity, not just process continuity
• Cross-sector and cross-geography understanding, particularly in globally dispersed teams
• Cultural readiness, including accountability in traditionally decentralised environments
• Leadership alignment, especially in moments where split-second decisions count
  
  

For leaders it is time to test the team, not just the technology.