Building business resilience that works

1. Brand, trust, and credibility: A strong reputation helps maintain customer loyalty, attract talent, and secure partnerships, even in difficult times.
2. Operations: Resilient supply chain management, diversification, and contingency planning ensure seamless operations and fast recovery during disruptions.
3. Digital and technology enablement: Effective technology and strong cybersecurity help organisations respond faster and maintain stability when disruptions occur.
4. Resilient business models: A flexible business model allows the organisation to adapt quickly to market changes while safeguarding core operations and creating room for growth.
5. People, culture, and organisation: Strong leadership, effective crisis management, and a culture of adaptability guide the organisation through challenges and toward new opportunities.
6. Financial resilience: A strong balance sheet and diversified funding enable the organisation to sustain operations, invest in necessary changes, and seize opportunities during and after disruptions.

As these six business resilience dimensions indicate, building a resilient business can no longer be done through one-off initiatives. It calls for a cohesive end-to-end approach across functions and business areas, with impact dependent on collaboration across the dimensions. It requires coordinated initiatives across operational areas, as well as visible and strategic commitment from the executive team, with senior leaders actively championing and anchoring resilience efforts across the organisation.

A resilience programme – in four phases

To bring the six dimensions together in a way that strengthens overall business resilience, organisations need more than isolated initiatives. They need a structured, programme‑based approach that turns ambition into coordinated action across functions and geographies. Following a resilience programme provides the governance and execution discipline required to close gaps systematically and build resilience that lasts.

The four phases of a resilience programme:

1. Current state and ambition: Establish a clear resilience ambition grounded in your organisation’s risk appetite and form a credible ‘to be’ state that guides your effort. Ensure that you have made some strategic choices to your scope and ambition that can guide prioritisation.
   
   Tip: Identify and assess which assets and/or services are most critical. This will guide your efforts in balancing compliance requirements with fit-for-business desired resilience level to further support operational risk reduction.
   
   
2. Gap assessment: Translate ambition into actionable gap insights by comparing your current state resilience level/processes, and procedures against regulations, your fit-for-business desired state resilience, and align this to your risk appetite to prioritise where action is required.
   
   Tip: Based on our experience, key stakeholders are best positioned to provide a clear and informed assessment of the state of resilience within their respective domains. We often see companies become absorbed in extensive and highly detailed legislative mapping, causing the analysis phase to require more resources than the actual implementation and mitigation efforts. Our experience shows that integrating requirements mapping into the implementation process significantly shortens the time from analysis to execution and ultimately enables organisations to build resilience faster.
   
   
3. Remediation development & implementation: Mobilise remediation initiatives across functions and countries, backed by strong governance and cross-functional transparency.
   
   Tip: Ensure that roles and responsibilities between the programme and the remediation initiatives are crystal clear and that sufficient time is spent on scoping the initiative, including dependencies to deliverables in the programme and across other business initiatives. Consider setting up a reporting tool to track progress, risks, and mitigation across the remediation portfolio.
   
   
4. Post programme governance and monitoring: Make resilience stick by creating lasting ownership, monitoring performance, and integrating resilience into operations and decision-making.
   
   Tip: Resilience and security are becoming strategic priorities in many companies across Europe as geopolitical instability increases. On top of this, legislation requires companies to organise around resilience and security in a more structured manner. For most companies this means setting up resilience and security governance structures that are not in place today. The governance design should cater for the degree of centralisation/decentralisation that fits your business needs and current structure. No matter the design, it should enable structure, monitoring and perhaps more standardisation, as well as ensuring that accountability lies in the areas of the business that are actually accountable when a situation occurs.

The first two phases require a strong core programme team to design the development and implementation approach, set the ambition, ensure stakeholder buy-in and drive the execution of the gap assessment, together with the relevant parts of the organisation.

Phase three takes a different form from the previous two. The programme becomes a portfolio programme consisting of several initiatives across the organisation, filling the gaps to reach the desired resilience level.

In phase four, the programme transforms from programme mode to steady-state operations. The development and implementation are complete, and the new processes and procedures are now operational across the organisation.

Across all four phases, programme success depends on having the right governance model, accountability, and transparent reporting to maintain alignment with the resilience ambition.

Unfolding our resilience programme approach

Implement Consulting Group’s experience with setting up – and running – resilience programmes across industries shows that success is enabled by three equally important dimensions.

1. Steering the transformation

Resilience programmes require clear ambitions, explicit priorities, and well-structured scopes grounded in risk appetite. This breaks down complexity and ensures that the benefit owners, those ultimately accountable for the solution, are empowered to make the right decisions from the outset.

Tip: Your steering committee should be comprised of executives that are the ultimate benefit owners of the programme. In other words, the people who own the problem when a situation occurs. This may not be the same executives as the ones accountable for the solutions developed to fill the gap between current and future state resilience.

2. Directing execution

As resilience efforts move from analysis into remediation, complexity grows. A single integrated overview of progress, risks, and dependencies is essential to create transparency, reduce fragmentation, and enable leaders to make informed trade-offs while staying anchored in the original resilience ambition.

Tip: Set up a reporting structure for your programme that enables a transparent overview of progress. This is particularly important in phase 3, which focuses on the development and implementation of remediation activities in your programme.

3. Engaging the organisation to change

Embedding resilience measures demands more than communication. It requires new roles, shifted accountabilities, and leadership behaviours that help resilient ways of working become part of everyday operations rather than one-off initiatives. This capability is what ensures that resilience ‘sticks’ long after the programme ends.

Tip: Think about change management in waves. In the first two phases of the programme, broad communication initiatives focused on information about resilience, the programme ambition, and approach are key. Coupled with sharp stakeholder management of the vital stakeholders in the organisation, the programme is more likely to deliver broad engagement and buy-in.

Training and ensuring resilience awareness is a requirement in the CER and NIS2 Directives, making it relevant to plan for delivery of this in the early phases of the programme. Consider setting up a company‑wide internal website where broad communication can be shared. In the third phase, several parts of the organisation become involved, and training in new processes and procedures should be built into the plan. This will be a continuous requirement in phase 4, when the programme transitions into operations.

A part of everyone’s job

Resilience is no longer owned by a single function; it depends on coordinated action across teams and leadership levels. As one business leader put it, “This is only the first step. In today’s world, resilience and security can’t be treated as a one‑off programme. Increased resilience means it becomes part of everyone’s job.” This statement serves as a reminder that lasting resilience requires a cultural shift, continuous capability building, and clear alignment between benefit owners, business units and governance structures.

Ultimately, the organisations that will thrive during disruption are those that treat resilience not as a one-time project, but as a strategic and ongoing capability that is executed systematically and owned broadly across the business. Implement Consulting Group continues to support organisations in designing and executing resilience programmes that create clarity, drive impact, and build confidence in an uncertain world.

Executing resilience

To deliver on the resilience agenda, organisations need a structured approach to filling the gap between current state and desired state resilience that turns ambition into execution. The four programme phases illustrate how we operationalise this in practice, moving from intention to concrete and coordinated action.

To put these resilience insights and programme phases into context, this article concludes with a case example of how a leading energy company has applied this approach in practice.