Proving resilience: Assumption to evidence in an uncertain world

Can your organisation continue functioning under real conditions of stress

 

For years, resilience occupied an awkward space within enterprise strategy: universally acknowledged as important, but often treated as an abstract capability rather than an operational discipline. Most organisations had plans. Many others had frameworks. Some had invested heavily in recovery tooling, governance structures, and cyber defence. Yet beneath the surface, a more uncomfortable reality persisted. 

 

When leaders are asked whether their organisation could continue functioning under real conditions of stress—not in theory, not in tabletop simulations, but during an actual disruptive event—certainty quickly begins to erode.

 

That distinction between assumed resilience and evidenced resilience is becoming one of the defining governance questions of the AI era.

 

A growing body of regulation is beginning to force the issue. In the UK, the forthcoming Cyber Security and Resilience Bill is expected to place far greater obligations on organisations to prove, within strict timeframes, what happened during an incident, which data was affected, whether recovery was clean, and whether resilience measures were genuinely operational rather than merely documented. Similar pressures are emerging globally through financial stress-testing regimes, AI governance frameworks, and data sovereignty requirements.

 

This marks an important shift in executive accountability. 

 

Historically, many organisations approached resilience as a compliance exercise. But several leaders during the debate observed that plans are often assumed to work simply because they have been documented.

 

“People don’t test them,” one CISO noted. “They assume they’re going to work because they wrote them down.”

 

The problem is compounded by what might be called the resilience confidence gap. Executives frequently believe their organisations are significantly more prepared than operational teams believe them to be. . Veeam report facts One attendee described exercises in which senior leaders insisted recovery testing occurred quarterly, while the technical teams responsible for execution admitted it happened annually at best. 

 

This divergence matters because resilience is increasingly moving beyond technical recovery into questions of legal defensibility, fiduciary responsibility, and organisational credibility.

 

Systems can largely be restored—but that it isn’t what resilience is now testing. It is whether organisations can evidence resilience live, under pressure.

 

That subtle distinction surfaced repeatedly throughout the discussion. 

 

Several participants questioned whether resilience can ever truly be proven in advance at all. One contributor framed resilience as “the ability to maintain key performances within tolerance after a certain hazard within a given time”, arguing that certain shocks permanently alter organisations rather than temporarily interrupting them. Covid-19 was raised as an obvious example: a crisis that did not merely test systems but fundamentally changed operating assumptions.

 

In that sense, resilience is less about returning to a previous state than preserving enough operational continuity to survive adaptation.
This has led some organisations to rethink recovery through the lens of “minimum viable business” rather than full restoration. Instead of asking whether every system can be recovered immediately, the more important question becomes: what must continue functioning for the organisation to remain viable during disruption?

 

The implications are significant. Recovery was formerly a technical process; now it is an exercise in prioritisation involving business model dependencies, customer obligations, supply chains, communications, and reputational risk.

 

AI is accelerating these tensions. 

Much of the discussion centred on the way generative and agentic AI systems are reshaping traditional assumptions around security architecture and governance. Legacy protection models were designed around relatively bounded systems and structured access controls. AI systems, by contrast, traverse datasets, workflows, applications, and knowledge repositories horizontally across the enterprise.

 

“The traditional protection models do not work,” one attendee remarked bluntly. 

 

Several organisations described internal AI deployments already exposing latent governance weaknesses. Open internal data structures that functioned adequately under human-led workflows suddenly appeared dangerously permissive once connected to copilots and retrieval systems capable of surfacing information contextually at speed.

 

This creates an unusual paradox. AI simultaneously increases resilience risk while also becoming a potential resilience instrument.

 

Participants discussed using AI to improve posture awareness, automate variance analysis, identify anomalous behaviour, and accelerate operational insight. Yet many acknowledged that the same systems introduce entirely new attack surfaces, governance burdens, and recovery questions. If an AI-enabled workflow corrupts outputs, exposes sensitive information, or autonomously triggers destructive actions, where exactly does resilience responsibility sit?

 

That uncertainty is beginning to reshape organisational structures themselves.

 

Several leaders noted the emergence of resilience and risk functions with growing authority across enterprise operations. The discussion repeatedly returned to the idea that resilience can no longer remain siloed inside infrastructure or security teams. Data governance, operational continuity, cyber defence, compliance, and AI oversight are increasingly converging into a single strategic capability. 

 

Importantly, this is also exposing cultural problems rather than purely technical ones.

 

One recurring frustration concerned the gap between executive urgency during crises and organisational complacency outside them. As one participant observed, immediately after a major breach, “you have unlimited budget”. Two weeks later, priorities shift and momentum dissipates.

 

That behavioural cycle may become harder to sustain under the emerging regulatory environment. If resilience must now be demonstrated, audited, and evidenced within legally enforceable reporting windows, organisations may need to institutionalise preparedness rather than episodically react to failure. 

 

Closing thoughts

The most striking aspect of the discussion, however, was not technological. It was philosophical.

 

For decades, resilience strategies were built around relatively knowable threats and predictable operating models. Today, organisations face overlapping uncertainties: geopolitical fragmentation, AI acceleration, regulatory divergence, supply chain instability, data sovereignty conflicts, and increasingly sophisticated cyber threats.

 

In such an environment, absolute certainty is impossible.

 

But perhaps that is precisely the point. Resilience lies not in proving organisations are unbreakable, even if that mentality remains sticky in boardrooms. Increasingly—structurally and now legally—it lies in proving leaders have remediated structural assumptions well enough to respond when (not if) disruption arrives.


 

In partnership with

Mask group-2

SUBMIT A COMMENT

We love getting input from our communities, please feel free to share your thoughts on this article. Simply leave a comment below and one of our moderators will review
Mask group

Join the community

To join the HotTopics Community and gain access to our exclusive content, events and networking opportunities simply fill in the form below.

Mask group