Most organisations build their risk management and resilience frameworks around a straightforward premise: identify threats, assess them, and control them. They develop a business continuity plan in case key systems or processes fail. For many years, this approach has served its purpose.
But today’s operating environment is defined by interconnected risks, interrelated supply chains, integrated technology, and third-party dependencies, so disruptions rarely occur in isolation. They cascade across teams, partners, and systems, and single-event risk and resilience management is no longer enough. This volatile and complex environment has pushed organisations to strengthen how they prepare and respond.
Building a more integrated model where risk and resilience operate as a unified capability helps teams identify gaps, sustain performance under pressure, and adapt to change.
Managing risks through controls and continuity planning remains essential, but organisations must extend that foundation to include foresight, adaptability, and alignment with long-term strategy.
This shift moves organisations beyond siloed approaches toward a resilience-focused model that supports continued operation through disruption.
From Risk Prevention to Adaptation in a Crisis
While focusing on risk prevention remains important, not every risk can be predicted, quantified, or prevented.
Your organisation must be prepared to respond when controls fail, assumptions break, or unforeseen risk events occur. This reframes risk management from “How do we stop this from happening?” to “How do we respond, adapt, and continue to operate when it does?”
In practice, this introduces a different set of capabilities:
- Anticipating how risks cascade through the business
- Absorbing shocks without immediate failure
- Adapting in real time
- Prioritising under pressure while maintaining critical services
- Recognising and capitalising on opportunities in crises
These capabilities sit at the core of a resilient organisation.

Organisations Face Cascading Disruption in a Polycrisis Environment
Systemic disruption is increasingly reshaping how risk is managed. Supply chains, systems, and third-party dependencies are now tightly interconnected, meaning disruptions rarely stay contained. Instead, they cascade across functions and partners, often at the same time. This is commonly referred to as a polycrisis, where multiple overlapping disruptions compound rather than occur in isolation.

“A cyber incident is not just IT anymore. It can trigger operational shutdown, regulatory breaches, reputational damage, and talent loss. Similarly, climate events affect supply chain, insurance availability, and workforce safety.”
— Agnès de Calbiac, Head of Enterprise Risk and Assurance, Southern Cross Healthcare
Traditional risk frameworks were built for more contained, single events. Risk categories had clear owners, defined controls, and structured reporting lines. When a single disruption occurred, response pathways were clear. When multiple disruptions occur at once, those structures are disconnected, and impacts spread across business units.
This disconnection becomes more severe when risk, resilience, and operational teams respond independently, without a shared understanding of the situation. A geopolitical shock, for example, may trigger fuel shortages, disrupt supply chains, increase costs, decrease sales, and place pressure on workforce stability.
“Risk management is not just a question of: how do we stop things from going wrong? But rather, how do we ensure the organisation still functions when several things go wrong at the same time?”
— Agnès de Calbiac, Head of Enterprise Risk and Assurance, Southern Cross Healthcare
Leadership expectations have also shifted. Boards are focused on how quickly and effectively the organisation responds to disruptions, whether critical services can continue and adapt under pressure, and how much value the organisation preserves.
Regulations are Driving Organisations to Link Risk and Resilience
Regulatory requirements are increasingly focusing on organisations maintaining operations, managing third parties, and responding to disruptions as a connected and coordinated system.
Across jurisdictions, regulators expect you to connect operational risk, business continuity, and third-party oversight. In Australia, APRA CPS 230 sets expectations for end-to-end operational resilience, including service mapping, impact tolerances, and oversight of critical providers. In New Zealand, the Financial Markets Authority focuses on operational resilience and timely incident notification. In the EU, DORA establishes requirements for IT risk management, resilience testing, and third-party risk controls.
Even outside financial services, these directions matter. Organisations should integrate their risk management and resilience processes into a single operating model, which strengthens their ability to deliver products and services during disruptions, adapt as conditions change or impacts cascade, and build learning into their risk and resilience processes.
Drawing on cross-sector experience, David Turner, CEO at Risk New Zealand, highlights common practices among organisations strengthening resilience:
- Testing continuity plans more frequently, moving from annual or 18-month cycles to quarterly or semi-annual exercises
- Extending monitoring and assurance across the supply chain, including third- and fourth-party dependencies
- Formalising succession planning for critical roles and strengthening cross-training and knowledge sharing
- Planning for systemic disruptions through structured scenario testing and contingency planning
- Expanding education and training to increase awareness of risk and resilience across all levels
Resilience Standards Focus on an Integrated Approach
International standards now provide guidance for organisations on connecting risk management, business continuity, and organisational resilience into an effective strategic and operating model:
- ISO 31000 – Risk Management Guidelines: sets out how you identify, assess, and manage risk across the organisation
- ISO 22301 – Business Continuity Management Systems: defines how you plan for disruption, conduct business impact analysis, and recover critical services
- ISO 22316 – Organisational Resilience (Principles and Attributes): outlines how leadership, culture, and adaptability strengthen long-term resilience
- ISO 22332 – Organisational Resilience Framework: provides guidance on embedding resilience across strategy, operations, and decision-making
Importantly, these standards suggest a connected approach between organisational strategy and objectives, ensuring that integrated risk and resilience approaches align with the success of the business.
Operational Resilience vs Organisational Resilience
Resilience in the organisation has two distinct focuses: 1) Operational Resilience – maintaining critical services, operations, and infrastructure during disruptions, and 2) Organisational Resilience – the whole organisation’s ability to anticipate, adapt to, and thrive through disruptions.
The elements of each can be summarised as:
| OPERATIONAL RESILIENCE | ORGANISATIONAL RESILIENCE |
|
|
Operational resilience elements need to be in place and operating effectively to support a successful approach to organisational resilience.
“Operational resilience protects today’s operations, whereas organisational resilience protects tomorrow’s relevance.”
— Agnès de Calbiac, Head of Enterprise Risk and Assurance, Southern Cross Healthcare
Leaders and managers need a clear strategy, processes, roles, and responsibilities for both operational and organisational resilience, to ensure they are making the right decisions and taking the necessary actions at the right time. This enables them to test the assumptions behind the strategy, identify where disruptions could break them, and act on opportunities to adapt or reposition.
The Human Side of Resilience
Technology, process, and governance form only part of the equation. Resilience depends on people who can make fast and informed decisions, change priorities, and shift resources when disruption hits.
That capability does not emerge by chance. It is shaped from the top down. Leadership sets the tone for how seriously resilience is taken, how and when decisions are made, and how much autonomy teams have when responding to disruption. When leaders prioritise resilience, communicate clear expectations, and model decisive behaviour, it cascades through the organisation, from executive teams to the front line.
“Risk management currently moves too slowly, and that slowness creates its own risks. We need faster thinkers and faster actions. We need to know our organisation’s operating environment well enough to enable that.”
— David Turner, CEO, Risk New Zealand
You cannot rely on structure alone. People determine how effectively your organisation responds when disruption hits.
Organisations that build resilience into daily operations equip their risk and resilience teams to go beyond maintaining controls and plans. These teams test how processes perform under stress, challenge assumptions, and communicate insights that support faster, better decisions.
This demands more than technical expertise in risk frameworks and business continuity plans. Ensure your teams can work across functions, participate in scenario testing, adapt quickly to changing circumstances, and align with business objectives. This enables them to influence decisions, build relationships across functions, and secure support for resilience initiatives.
Succession planning and knowledge management also demand attention. Key person dependency continues to expose organisations to unnecessary risk. Documentation alone falls short. Untested processes and static playbooks provide little protection when conditions change.
Resilience strengthens when knowledge and learning are disseminated across teams rather than sitting with individuals or locked in systems.
Building Resilience Through Foresight and Informative Signals
Resilience is not only about how your organisation responds to disruption, but how early you can see it emerging. The difference between disruption that is managed and disruption that escalates often comes down to the speed and quality of foresight and signals.
Traditional risk and resilience management processes focus heavily on periodic assessments and structured scenario analysis. While these remain important, they are often too static to capture fast-moving or interconnected risks.
Forward-looking risk and resilience management shifts attention from what has historically happened to what else could happen. This requires structured horizon scanning, not as a theoretical exercise but as a continuous process of monitoring external and internal signals and indicators.
Scenario analysis plays a critical role in turning insight into action. By testing how different types of disruptions could unfold, organisations can identify pressure points, challenge assumptions, and understand the potential business impact before events materialise.
Evolve your regular risk assessments to identify and assess emerging risks. This approach involves identifying dependencies, as well as signals and indicators, to improve the quality of insights and support early intervention.
The value of this approach is not simply better awareness. It reduces unexpected risks and improves the quality and speed of decision-making when disruptions occur. Organisations that invest in foresight minimise surprise, respond earlier, and limit the scale and impact of disruption on the business.
This shifts risk and resilience management from periodic analysis to continuous awareness, where signals are monitored and acted on in real time rather than relying solely on scheduled reviews and updates.
Evolving Your Risk Processes into a Resilience-Focused Capability
The shift from managing risk registers and business continuity plans in siloed functions to an integrated risk and resilience-focused capability requires several changes to be made in the organisation.
Agnès de Calbiac, Head of Enterprise Risk and Assurance at Southern Cross Healthcare, outlines four practical steps you can take:
- Use scenario planning to spot where your strategy could fail early. This helps you act sooner and make better investment decisions before risks escalate.
- Connect risk activities across your business. This improves alignment of teams, data, and priorities and clarifies decision-making authority during an incident.
- Map and stress test key dependencies. This helps you understand how disruptions spread across suppliers, partners, and your workforce, not just individual controls.
- Treat disruptions as learning opportunities. This enables continuous improvement through exercises, reviews, and adaptation for the future.
Strengthen Operational Resilience with Integrated Risk Management
A disconnected approach to risk and resilience leaves gaps and vulnerabilities during disruption events. Bringing them together provides more effective plans and processes underpinned by shared data and insights that can then be deployed to ensure rapid response and decision-making.
In Part One of the Resilience Reset webinar series with Riskonnect, Agnès de Calbiac highlighted three common scenarios in which risk and resilience integration improves outcomes.
Cyberattack
Take a ransomware attack. A control-led risk approach emphasises prevention through firewalls, access controls, and authentication, while resilience efforts focus on recovery after systems fail. When these efforts remain separate, gaps emerge during incidents, and response slows.
An integrated approach prepares you for both prevention and continuity. You design systems to fail safely, maintain critical services at a reduced but functional level, and establish clear decision authority in advance. Even if an attack gets through your controls, you can continue serving customers and limit operational disruption.
Supply Chain Disruption
Take a manufacturing operation that is highly fuel-dependent. A geopolitical event drives up fuel prices and restricts availability, placing pressure on both costs and delivery capacity. A traditional risk approach manages financial exposure through hedging, fixed pricing, or supplier changes, but leaves production vulnerable when transport capacity tightens.
A resilience-led response builds flexibility across sourcing, production, and logistics. You diversify supply options, adjust production planning, and prioritise critical outputs under constraint. Together, these actions help you sustain delivery while controlling cost impact.
Key Person Dependency
A lead engineer holds deep working knowledge of a critical system. A traditional risk response relies on documentation, yet written materials rarely capture how systems behave under pressure or how problems get resolved in practice.
An integrated approach spreads knowledge through structured cross-training, simulations, and hands-on exercises. You prepare multiple team members to operate and recover the system under stress, reducing reliance on any single individual and strengthening day-to-day performance.
What Changes with Integration?
Across these scenarios, integration improves your response. You maintain service during disruption, make faster decisions under pressure, and reduce financial and operational impact, while less prepared organisations face delays, lost revenue, and customer disruption.
Making the Case for Integrating Risk and Resilience in Your Organisation
Integration of risk and resilience takes time and strong leadership support, and the value becomes clear when you examine how disruption impacts operations and business outcomes. You can start by engaging senior executives and focusing the discussion on the risks posed by traditional, siloed approaches. These include a focus on single-event risks, overreliance on preventive controls, dependence on key individuals, and operational vulnerabilities during downtime that limit rapid response and recovery from disruption events.
Boards and executives require assurance about how critical operations perform under disruption, how quickly essential business services can recover, and how the organisation performs when controls fail or capacity becomes constrained.
Begin by mapping the integration points between the risk and resilience functions and processes within your organisation. Identify what data is required, how it is shared, where functional boundaries delay responses to emerging disruption, and where siloed or fragmented responsibilities and decision-making weaken resilience initiatives.
Bring stakeholders together early to establish a shared understanding of strategic and operational exposure. Link discussions to organisational objectives and business priorities already embedded in executive decision-making, including business continuity, organisational and financial stability, reputation protection, and sustained competitive position.
When organisations move closer to alignment between risk and resilience functions, interaction between teams steadily increases, processes improve, and shared data enhances visibility into emerging exposure and supports informed decision-making. This, in turn, enhances your ability to maintain business operations and performance under disruption.
Risk management and resilience as disciplines continue to evolve. Changes in regulations, international standards and guidelines, and leading organisations are driving a shift from simply managing risk registers and business continuity plans to building a business that anticipates and manages risk exposure, adapts, and thrives under stress. They are doing this by combining their risk management with a resilience-focused capability.
Get further insights on how you can integrate risk and continuity planning to boost resilience. Watch our on-demand webinar featuring David Turner, CEO, Risk New Zealand, and Agnès de Calbiac, Head of Enterprise Risk and Assurance, Southern Cross Healthcare.


