Discussion financial portfolio or business people in meeting for teamwork

How boards can reframe strategic resiliency in a time of uncertainty

Authors

14 minute read 23 Apr 2025
Related topics
Consulting
Risk

Explore how boards can reframe strategic resiliency, focusing on agility and governance for long-term organizational success.

In brief
  • Boards must shift from reactive resilience to strategic resiliency, integrating it into core business processes for long-term adaptability and growth.
  • Emphasizing collaboration and robust governance, organizations can enhance their resilience by aligning strategies across functional areas and stakeholders.
  • Continuous learning and scenario planning are essential for boards to anticipate disruptions, enabling proactive responses and informed decision-making.

Resilience on the board agenda

Today’s business environment is characterized by rapid changes, including economic fluctuations, geopolitical tensions, technological disruptions and regulatory shifts. Some of these may rise to the level of a crisis, while others will impact company activities in foreseen and unforeseen ways to reshape future outcomes.

Corporate board members recognize the challenges inherent in this environment. In Ernst & Young LLP’s Center for Board Matters report on board priorities for 2025, directors pointed to economic conditions, capital strategy, innovation and evolving technologies, cybersecurity and data privacy, and regulatory developments as the top five areas for their boards to prioritize.

You have power over your mind — not outside events. Realize this, and you will find strength.

Marcus Aurelius

Roman emperor

How EY can help

  •  Enterprise Resilience

    Discover how EY can help transform your business to navigate disruption with agility, stay competitive in the market and help generate long-term value.

    Read more

With so much that is unpredictable, it is not surprising that the concept of resilience has been coming up more in boardroom discussions. Resilience is often defined as the ability to respond to disruptive events while maintaining core functions. In January 2025, the World Economic Forum noted that “mentions of the term ‘resilience’ in quarterly earnings calls by Fortune 500 executives surged by more than 200% compared to 2019, reflecting its growing prominence in corporate strategy.” These discussions focus on incident response and recovery, particularly in the aftermath of the COVID-19 pandemic. However, in an environment where the next crisis or disruption is just around the corner, the typical ad hoc, siloed approach to resilience will underserve longer-term growth by keeping the organization trapped in reactive mode and making short-term decisions. What is essential now — and being embraced by leaders — is a more holistic, strategic approach to resilience with the right elements to enable the organization to sense and adapt in order to thrive longer term.

 

Looking through the lens of strategic resiliency

The move from traditional resilience practices to enterprise-level strategic resiliency may sound like a minor update but in reality represents a true shift in mindset that requires realignment of processes, resources, governance and culture. Companies that still operate at the lower end of the resiliency maturity spectrum have siloed business continuity capabilities and fragmented practices. Resiliency efforts are limited to IT and disaster recovery, and dependencies are poorly understood. Further along the maturity spectrum are those with a slightly more structured approach with occasional assessments of readiness and inconsistent technology solutions. These companies can respond to, recover from and resume operations at acceptable levels of service to stakeholders in the face of significant disruptions. Their capabilities and processes may even cover continuity and recovery across multiple domains. However, the overarching goal and mindset for these organizations and their leaders are to simply be able to regain footing in the face of immediate disruptions. This naturally limits the ability to take advantage of challenges and also guarantees inefficient constant crisis mode in today’s environment. In contrast, companies at the far end of the maturity spectrum embrace enterprise-level strategic resiliency by taking a holistic approach integrating resilience in key business processes and operations. Technology solutions are deployed to enhance resilience capabilities across functional areas.

Resilience is as much about enabling the upside as protecting against the downside risk.

Harvard Business Review ¹

Within financial services, the sound practices to strengthen resilience have specific business, operational and regulatory elements as the industry focus is on ensuring that financial institutions can withstand and recover from disruptions to operations and protect customers while maintaining market and financial system stability. The concept of strategic resiliency discussed in this article includes some commonality at the operational level but focuses on a broader vision that incorporates all aspects of the organization, including strategy and competitive advantage.

As illustrated in our framework below, functional areas, including supply chain, operations, finance, IT and cyber, have specific resilience strategies that align with one another and the overall strategic framework. For example, a company concerned about overreliance on specific providers in its supply chain may choose to incorporate a level of redundancy that ensures they can adapt as needed. Finance can provide the planning to support the optionality and integrate the analysis into annual planning and budgeting. Naturally, all this requires ongoing collaboration among functional leaders and talent adaptability — perhaps through a management committee focused on resiliency. For those with existing management enterprise risk committees, a shift in focus to enterprise resiliency can be highly effective in realignment. This model of strategic enterprise resilience also calls for integrated risk management with coordination across compliance, finance and internal audit for a unified approach to risk assessment and management. This creates a common language and understanding that enable the right decisions and actions across businesses and functions. Given the complexities and interdependencies, establishing governance structures that facilitate the collaboration and communication is also essential. By adopting this comprehensive approach to strategic resilience, organizations equip themselves with the agility and adaptability to navigate uncertainties and capitalize on opportunities while their competitors, mired in reactive mode, struggle.

Key elements for longer-term success 

As has become clear, enterprise resilience is necessary to achieve long-term sustainability and the success of the organization. The activities and processes of strategic resiliency are critical elements (some might say disciplines) that are part of the context of an organization. The ones we highlight for leadership (adapted from ISO 22316²) include:

  • Adaptability: The capacity to adjust strategies and operations in response to changing circumstances, market dynamics and unforeseen challenges without being rigidly constrained by annual or multiyear processes. In today’s uncertain environment where disruptions do not follow annual cycles, organizations should be willing to revisit their plans and activities when needed; for example, understanding the critical assumptions underlying an organization’s strategy and being prepared to shift when those assumptions play out differently than anticipated.

  • Agility: The ability to sense impactful changes in a timely manner and make decisions to implement responses without the barriers of internal friction. Managing internal friction allows organizations to seize opportunities and mitigate risks rapidly to avoid risks or take advantage of opportunities; for example, having mechanisms to revisit leadership incentives so that if changes are required, leaders are not penalized for doing what is best for the company.

  • Robust governance: The establishment of a holistic governance structure to support resilience initiatives across the organization, creating the right oversight structure as well as collaboration and communication; for example, having a resiliency committee at the executive level that periodically reports to the board or audit/risk committee.

  • Continuous learning: The commitment to ongoing learning from experiences, both successes and failures, to improve future responses and strategies and to understand what does and does not work well; for example, conducting pre-mortems or postmortems to anticipate or analyze failures without penalizing those who point out the issues,

  • Stakeholder engagement: The involvement of relevant parties — employees, customers, suppliers and investors — in planning and perhaps even decision-making to ensure diverse perspectives and support in anticipating and responding to changes; for example, surveying third-party suppliers to solicit risks they anticipate.

Underlying all of these is a long-term focus so short-term operational needs and quarterly results do not distort discussions or decisions that ultimately set up the organization for sustained multiyear growth.

We do not think in quarters. We think in generations.

Carl Elsener

CEO of Victorinox³

Considerations for boards overseeing strategic resiliency

With the board’s view naturally oriented to the longer-term growth and strategy of the company, it is well placed to provide oversight and support to management on building and maintaining strategic resilience. The following areas provide opportunities to guide and oversee management of these complex endeavors.

  • Aligning resiliency to organization priorities: Defining and understanding the organization’s key priorities and the dependencies that enable or threaten them allow for the alignment of the most critical elements that create resiliency. This starts with the value chain of the business — what drives revenue and what services are most critical to customers and stakeholders — as the foundation. In turn, the business processes that support critical services and business functions become part of the resiliency review and conversation. This also means the end-to-end digital and physical ecosystems required to deliver these services need to be part of the conversation, along with critical third parties in service delivery. In the face of mission-critical risks that jeopardize the value chain of the business, it is essential to adopt a strategy of resilience so the company is not merely remediating defensively but building resiliency in alignment with its strategy for growth.

  • Delving into lurking issues in technology and supply chain: Recent events that have disrupted companies and made headlines demonstrate the need for greater scrutiny from boards on critical vulnerabilities that may not have been reported to them in the past. Examples of aspects that boards may need to consider include essential suppliers, along with backup plans for the most critical ones. In addition, assessments of the risk from these suppliers based on reliance and their access to the company environment would inform the board. Other examples include technology providers who directly impact the company’s systems without independent testing and approval, and business continuity plans and their robustness for critical business processes. To keep discussions at the appropriate board level, reporting measurements and escalation criteria will likely need to be reviewed and revised for many organizations. 

  • Viewing risk dynamically to keep pace with disruption: While many organizations still report enterprise risk assessments annually to the audit/risk committees and/or boards, today’s volatile environment calls for more dynamic reporting that balances risk exposure and management preparedness. In the same way that risk and opportunity are thought of as two sides of the same coin, so are risk and resilience, since resilience ultimately represents the potential for growth. Reassessing strategic risks and updating the board periodically sustain a forward-looking posture in identifying new/emerging risks and are essential to enterprise resiliency. Many audit committees and boards continue to be concerned that enterprise risk management has become more of a compliance exercise. Doing periodic active refreshment ensures that risk management becomes a tool for resiliency, particularly when risk mitigation plans are refreshed with current analysis of external risk events and root causes appropriate to the board-level conversation. Having resources and processes for continuous scanning of the horizon or risks also enables a more dynamic view of emerging risks. 

  • Guiding management to appropriate trade-offs: All too often, management teams make decisions about resources and redundancies that may be critical but get subsumed in cost-cutting and profit margin reporting and are not surfaced at the board level. Resiliency comes with costs and benefits that need to be more explicitly understood so the board can provide guidance to management on trade-offs that are in line with strategy and risk appetite. Pressure-testing management’s assumptions is an important part of the board’s role, and areas involving strategic trade-offs need to be well understood. In addition, boards must make sure they understand how incentives and KPIs that focus on cost minimization can inadvertently work against resiliency by penalizing leaders who take actions that bolster it (e.g., building in redundancies and additional resources such as crisis management centers). Having the right governance model that elevates these discussions is critical to enabling the board’s oversight role.
Resilience is like an athlete training for a triathlon: You can’t focus solely on cardio. It requires different muscle groups working together to stay competitive, adapt and thrive in a variety of conditions.

Shawn Mattar

EY Americas Resiliency Solution Leader

How to measure success 

“What does success look like?” and “How can progress be measured when it comes to strategic resilience?” are questions on the minds of directors. The answers lie less in a single measure and more in multiple indicators, ensuring the right processes, alignment of incentives and resources, and gauging progress in adaptability and resilience. The resiliency innovation model below provides a framework for identifying where the organization is and wants to be. Every company will have its own considerations, and not everyone may aim for the advanced state of dynamic adaptability. For those in the upper-right quadrant, resiliency goes beyond defenses to limit downsides of risks and moves to the strategic realm where upside growth is enabled by exploiting potential opportunities from disruption. In terms of operational practices, dynamic adaptors have flexibility in processes and technology and can adapt as needed without being overly hampered with internal friction.

Quadrant chart

In addition to this framework to shape discussions about the organization’s resilience journey, boards and management can consider a variety of practices and measures that can provide indications of progress and surface issues to address. Below are examples for consideration.

Scenarios and what-if analysis:

One of the best ways to prepare for a crisis is to simulate it and allow for learning in advance of the events themselves. Comprehensive, multi-crisis scenario planning that encompasses a wide range of potential disruptions can provide important educational opportunities. Also, conducting pre-mortems or postmortems allows for deeper analysis of what can and did go wrong in specific situations. Providing report-outs to the board gives directors the opportunity to weigh in and share their perspectives and lessons learned while also enabling robust governance. 

Process and operational metrics:

Assessing the effectiveness of enterprise resilience means reviewing both process and outcome measures. Boards can support management teams on a learning curve for strategic resilience by focusing on progress rather than moment-in-time snapshots and by seeing the overall picture of systems and processes and their connections and collaboration. KPIs with operational metrics for response times and recovery rates can be bolstered by additional information on areas such as supplier and third-party communications and dashboards with real-time insights into potential disruptions being tracked. For some, the establishment of permanent crisis and change management resources — to continuously scan the horizon and work across functions to drive implementation — will be part of the overall process. 

Culture and leadership markers:

While more nebulous in nature, identifying how the organization’s culture and talent are (or are not) advocating for resilience will help to determine change management needs. Encouraging leaders to learn from missteps and near misses — and apply lessons learned — marks a stark difference between those who are truly adaptive innovators in resilience and those who merely react and comply. Continuous learning and employee empowerment can be enabled through both incentives and good governance structures.

In a world where organizations face the variability and velocity of change and disruption from multiple vectors, the tried-and-true approaches of the past are proving to be insufficient. Resiliency is no longer about merely recovering operations and services in the face of a crisis or misstep — an approach and mindset keeping organizations trapped in constant crisis mode and fighting the last fire. Instead, leaders are embracing the mindset shift to enterprise-level strategic resiliency. This will enable them to not only meet the challenges of disruption effectively and efficiently, but move beyond to take advantage of opportunities presented with timely realignment of the organization’s activities and people.

Questions for board consideration 

Below are questions that boards may find helpful to consider in their discussions. Asking questions like these consistently over time can help provide a holistic picture of management’s capabilities and progress:

  • What are the key assumptions and factors critical to our strategy? How vulnerable are they to disruption? 
  • Are we as a board asking for resiliency reviews that go beyond typical compliance and controls testing? 
  • How does management anticipate what is on the horizon and how it may impact the organization?
  • How does management prepare for and withstand waves of disruption? 
  • How are business and functional leaders working across organizational silos in advance of disruption to build resiliency? 
  • Where does the board see the influence of implicit bias and circumstantial context that prevents management from anticipating issues? 
  • Do scenario analyses consider an appropriate range of extreme and even improbable scenarios, such as “single point of failure”? 
  • Do analyses shared with the board incorporate the potential compounding effects of various risks? 
  • Are contingency and response plans related to material and high-impact risks periodically simulated and reviewed with the board? 

Summary 

Reframing strategic resiliency is crucial for corporate boards navigating an uncertain business landscape. A shift from reactive to holistic approaches is necessary, integrating resilience into core business processes. Key elements include adaptability, agility, robust governance and continuous learning. By promoting collaboration across functional areas and engaging stakeholders, organizations can enhance their ability to manage disruptions. Emphasizing scenario planning and proactive decision-making will facilitate long-term growth and success amid ongoing challenges, so companies can thrive in a volatile environment.

About this article

Authors

Related topics
Consulting
Risk

Related articles

From risk to resilience: Reimagine enterprise risk management

Strengthening businesses and mitigating risk in an era of continual disruption requires innovating thinking. Learn how.

Prakash Vanguri + 2

5 ways ERM and resiliency can create a robust enterprise together

Integrate ERM and resiliency to thrive in a volatile business environment. Discover 5 key strategies to build a robust enterprise. Learn more now!

Prakash Vanguri + 1

How a consumer giant bridged the gap between cyber and business operations

Case study: how a conglomerate fortified its manufacturing operations against cyber threats through a comprehensive approach.

Navigating a tech crisis: strategies for enterprise resilience

In this webcast, we’ll discuss how financial institutions can bolster their capabilities to withstand a disruption.

    EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.