
DEREK SMITH: Corporate resilience means risk more than compliance

By DEREK SMITH

In the 2025 Hiscox Cyber Readiness Report, 33 percent of companies faced fines that damaged their financial health, while 30 percent reported reduced business performance and 29 percent experienced higher costs due to customer notifications resulting from cyber-related risk exposures.

This illustrates the reality that too many executives use “resilience” as a buzzword rather than a daily practice. Real resilience shows up in decisions about strategy, risk tolerance and governance. If you do not put risk at the centre of how work gets done, you weaken your capacity to sustain operations and protect stakeholders during disruptions.

An analysis by McKinsey defines ‘resilience’ as understanding the importance of business processes, the capability of underlying systems and how much risk a company can tolerate. Risk-informed behaviour goes beyond continuity checklists. Simply put, resilience has a clearer practical meaning now than ever before.

This article examines business resilience through a risk management lens, going beyond continuity plans and regulatory checklists. It focuses on six areas that shape real outcomes: risk framework design, Board oversight, organisational structure, risk ownership, quality decision-making information and culture.


Frameworks provide structure

Using ISO 31000 and similar risk management approaches can help companies assess risk during planning and execution. Frameworks link risk to objectives and actions. With such a framework in place, resilience becomes an everyday governance outcome rather than an afterthought.


Boards play a crucial role

Their oversight sets expectations for how risk is integrated into strategy discussions. Risk tolerance should appear alongside revenue and growth targets. It should shape how you weigh investment choices and resource allocation. By including risk in a strategic dialogue, Boards signal that resilience is a priority.

Companies often leave resilience to separate functions, such as business continuity or information technology (IT). This creates silos. Risk functions sometimes produce dashboards that describe exposures without connecting them to business performance and decision thresholds. Leaders need information that highlights areas of uncertainty and pressure, not just static lists of risks. Good risk reporting identifies where assumptions are weak and where early action can make a difference.


Ownership clarifies delivery

Executives closest to operations must explain their exposures and how they manage them. Compliance and risk teams should support this by translating risk language into a concrete business context. Clear responsibility drives sharper thinking and consistent execution.


Culture is part of everyday resilience

People must feel able to raise concerns early and without fear. That means risk conversations are common and factual, not exceptional. Silence around emerging issues hides pressures until they look like crises.

This matters because regulators and investors increasingly expect integrated risk governance. Boards that focus on risk strategy and oversight are better positioned to manage stakeholder expectations that value transparency and preparedness.


Here is what each group can do now.

* Boards should ask how risk tolerance has influenced recent strategic decisions, and what signals have shifted since the last plan.

* Companies should incorporate risk considerations into planning, budgeting and change initiatives - not only in compliance reports.

* Risk and compliance professionals should translate risk into impact, exposure and options, so that executives and Boards act with clarity.

In short, resilience reflects an operating stance. Managing risk becomes actionable when it is incorporated into a management discipline. If risk remains a compliance exercise, resilience remains an aspiration.


• NB: About Derek Smith Jr

Derek Smith Jr has been a governance, risk and compliance professional for more than 20 years with a leadership, innovation and mentorship record. He is the author of ‘The Compliance Blueprint’. Mr Smith is a certified anti-money laundering specialist (CAMS) and holds multiple governance credentials. He can be contacted at hello@pineapplebusinessconsultancy.com

