Skip to main content
Perspective:
Perspective
5 minute read

Operational Resilience: The role of the Board

Why operational resilience should be on the agenda of the board

In an era where the threat landscape has become increasingly complex, organizations face an array of challenges that can have significant consequences. From cyber attacks and natural disasters to geopolitical conflicts and supply chain disruptions, the risks are multifaceted and often interconnected. As businesses become more digitally and globally interconnected, the potential for disruption grows, making the need for robust operational resilience more critical than ever. 

As a result of many recent disruptions and major data breaches, a new regulatory push for resilience has already begun, including the Critical Entities Resilience (CER) Directive, the Network and Information Systems NIS2) Directive, the Digital Operational Resilience Act (DORA), and the EU Cybersecurity Act. These new regulations include new requirements as well as leadership and board accountability on operational resilience. 

What is operational resilience and why is it the board’s responsibility? 

As previously explained, operational resilience refers to an organization's ability to anticipate, prepare for, respond to, and adapt to and sudden disruptions and changing environments. It enables organizations to not only survive but also to thrive in the aftermath. By embedding resilience into their operations, organizations protect their reputation and maintain stakeholder trust. 

Operational resilience is an intrinsic component of risk mitigation; without it, the organization may be unable to survive a crisis, even one that the organization has anticipated and planned for. Operational resilience is often needed to address a broad range of risks, such as disruption in the capital markets, damage to (critical) facilities, cyber incidents, and the sudden departure of a CEO. 

Risk oversight is one of the board’s key responsibilities, and boards are increasingly being held accountable for an organization’s failure to anticipate and avoid crises and for the organization’s inability to bounce back from a crisis (i.e., for not being resilient). As such, and as expectations for board risk oversight continue to grow, so does the board’s role in operational resilience.  

How can the board support operational resiliency? 

While management is responsible for implementing resilience capabilities, the board plays a distinct and essential role in setting the tone, direction, and oversight. Here’s how.  

The board is ultimately responsible for ensuring that operational resilience is aligned with the organization’s overall strategy and risk appetite. This includes: 

  • Approving tolerance levels for disruption. 
  • Ensuring resilience is integrated into business objectives and not treated as a standalone compliance function. 
  • Championing a forward-looking view of emerging risks and strategic vulnerabilities.  

Strong governance is critical to resilience. Boards must: 

  • Establish clear lines of accountability at the executive level for resilience. 
  • Review and challenge reporting on resilience metrics, including key risk indicators (KRIs) and key performance indicators (KPIs). 
  • Ensure critical business services are properly identified and protected. 

By providing consistent and informed oversight, the board supports management in maintaining a robust resilience framework.  

To effectively govern operational resilience, board members should actively participate in scenario-based exercises, including tabletop simulations of high-impact events. These exercises test:

  •  The organization’s response capabilities. 
  • Decision-making under pressure. 
  • Escalation paths and board-level governance during crises. 

Board participation helps identify weaknesses and build confidence in the organization’s response strategy.  

Operational resilience requires investment. The board should: 

  • Oversee budget allocation to resilience capabilities, including technology, personnel, and third-party risk management. 
  • Support investments that improve agility and continuity of critical business services, not just regulatory compliance. 

This ensures that resilience is viewed as a business enabler rather than a cost center.  

Following real incidents or exercises, the board should: 

  • Review lessons learned reports and track the implementation of corrective actions. 
  • Encourage a culture of continuous improvement and organizational learning.

This reinforces accountability and strengthens the resilience posture over time.  

Boards have a duty to ensure that the organization meets its external obligations. This includes: 

  • Demonstrating compliance with relevant regulations. 
  • Communicating the organization’s resilience posture to regulators, investors, and customers where appropriate. 

In this way, the board supports transparency and trust with key stakeholders. 

Finally, the board plays a crucial role in shaping a culture of resilience. This includes: 

  • Promoting cross-functional collaboration and proactive risk management. 
  • Encouraging a mindset of preparedness, adaptability, and learning. 
  • Ensuring that resilience is not merely a checklist activity, but a core part of how the organization operates.  

Conclusion

Operational resilience is no longer just an operational or IT issue—it is a board-level concern with strategic implications. Boards that actively engage in resilience governance not only strengthen their organization’s ability to withstand disruption but also enhance long-term value and trust. 

As expectations from regulators, customers, and society continue to evolve, the board’s leadership in this area will be a defining factor in organizational success. 

Sources:  

Gelles, M., Turgal, J., & Overton, W. (2019, March 28). Crisis resilience and the board: Taking risk oversight to the next level. Harvard Law School Forum on Corporate Governance. Retrieved from https://corpgov.law.harvard.edu/2019/03/28/crisis-resilience-and-the-board-taking-risk-oversight-to-the-next-level/ 

Ruys, S., & Parviainen, A. (2024, June 20). The role of the board in creating organisational resilience. Directors' Institute Finland. Retrieved from https://dif.fi/ajankohtaista/teema-artikkelit/the-role-of-the-board-in-creating-organisational-resilience/  

Key contacts

Koen Magnus

Koen Magnus

Enterprise Risk Leader, Deloitte Belgium
+ 32 2 800 24 43
Raf Geuns

Raf Geuns

Senior Manager, Enterprise Risk
+32 471 40 39 09