More compliance, more problems?

The increased need to comply with regulations causes a loss of focus on underlying risks – which can ultimately jeopardize a company's continuity, IT company Schuberg Philis argues in a new report.

Daphne Frik
7 February 2025 | 2 minutes read

A fragmented perspective

Today, cyber risks go beyond ransomware and sophisticated hacks: companies’ vulnerabilities also include major operational disruptions caused by human or technical errors, Schuberg Philis states in its report on the operational resilience of organizations. However, a fragmented perspective remains: many organizations continue to view cybersecurity through a narrow, technology-focused lens. Because of this, companies often fail to address the systemic risks posed by today’s complex and evolving threat environment.

Risks of the tick-box culture

At the same time, many organizations face increasing regulatory demands relating to digital resilience. Although compliance is important and beneficial, focusing solely on compliance can distract organizations from addressing the underlying risks effectively, Schuberg Philis notes.

There seems to be a critical gap between perception and reality in how organizations approach operational resilience. This may be because uncertainty about the likelihood and impact of risks often drives counterproductive behavior, the report highlights. Many executives, unsure about the scale of potential threats, seek reassurance by focusing on compliance activities, essentially 'ticking boxes', the research found.

This approach reflects a deeper issue, the report adds: a tendency to treat compliance as a key indicator of resilience. However, this compliance-first focus often creates a systemic blind spot for dynamic and evolving cyber risks.

These risks are exacerbated by the fact that business continuity plans are rarely tested against realistic, large-scale scenarios, leaving organizations vulnerable to a gap between theoretical planning and actionable recovery.

Building operational resilience

Taking a “whole system in the room” approach should be an essential principle for building true operational resilience, the report says. It is crucial to approach the process with a comprehensive, system-wide perspective. By involving the whole system, organizations can gain a holistic understanding of their critical processes and crown jewels.

Additionally, companies should build multidisciplinary teams across the value chain to develop a holistic view of risk, assess risks from a business continuity perspective, emphasize cross-functional collaboration to gain a full picture of vulnerabilities, and define their risk tolerance. Resilience starts with understanding which processes are critical to the organization’s survival during a crisis.

Most importantly, companies should start testing for continuity and recovery. The critical question is no longer if an incident will occur, but when. By testing NO-IT disruptions, organizations can identify gaps, enhance preparedness, and build confidence in their capacity to recover effectively when faced with severe incidents, the report says. This means that testing is no longer just a technical necessity: it is a strategic priority for long-term resilience.