From Reaction to Readiness: The Shift Toward Organizational Resilience
Global Best Practices May 23, 2025

Organizations are undergoing a shift in how they address potential risk, according to Jim Enstrom, senior vice president and CAE at Cboe Global Markets, one of the world’s leading derivatives and securities exchange networks. In the past, the goal of risk functions was primarily business continuity, often responding to events after they happened and working to restore business operations as quickly as possible. More recently, there has been a growing emphasis on organizational resilience — a more comprehensive, proactive, and strategic approach that positions the organization to be more adaptable in changing environments. It looks at building resilience into day-to-day operations so companies are prepared well in advance to face and minimize new threats.
Organizational resilience looks more holistically not only at internal concerns such as technology, but also at external areas, including cloud solutions and critical third-party vendors. “You’re not just waiting for risk to happen, but taking a holistic, forward-thinking approach,” Enstrom says.
Adapting to new regulations is one development that requires enhanced organizational resilience, and resilience itself is the focus of some recent rules. This issue of Global Best Practices will review the new regulations in this area, share insights into one company’s experience with them, and discuss internal audit’s role in addressing the need for greater resilience.
A growing concern for regulators
The COVID pandemic — and the way it upended business routines — was a factor in driving a greater focus on resilience. According to Enstrom, businesses recognized the need to change their thinking on the topic, while regulators became determined to challenge businesses to enhance their approaches.
For example, the EU’s Digital Operational Resilience Act (DORA), which became enforceable in January 2025, is a significant new law that affects financial services firms in the EU and their third-party service providers. It can affect subsidiaries and service providers outside the EU, as well, and is aimed at boosting the technology security of a range of financial institutions.
“Right now, DORA is a very important example of operational resilience legislation out there,” Enstrom says. DORA addresses risk assessment concerns in addition to discussing third-party considerations and the importance of assurance in the current environment.
Rather than focusing purely on compliance, DORA provides an opportunity to gain genuine risk management and operational value from implementing and adopting a more robust approach, Enstrom explains. Just as companies educated their people about cybersecurity concerns and the importance of being aware of phishing attempts and other potential risks, today they should be proactive in educating their entire workforce about resilience and its value.
“With cybersecurity regulations converging around the globe, DORA stands as a key example of how businesses must adapt to a new era of stringent, internationally recognized operational resilience standards.”
— Avani Desai, CEO, Schellman, “DORA Compliance Is a Strategic Necessity for U.S. Companies Serving EU Financial Institutions”
DORA, at its core, is principle-based and not a highly prescriptive regulation, but it does ask companies to implement best practice frameworks around risk and operational resiliency, says London-based Felix Almgren, Cboe Global Markets’ global head of operational risk and head of risk for Europe. In building its own approach to compliance, he says his organization gained ideas and inspiration from:
- COSO Enterprise Risk Management–Integrated Framework.
- ISO 31000-2018: Risk Management–Guidelines.
- ISO 22316-2017: Security and Resilience–Organizational Resilience–Principles and Attributes.
- ISO 22301-2019: Security and Resilience–Business Continuity Management Systems–Requirements.
To prepare for DORA compliance, “We had to review both our enterprise risk management framework and the operational resilience framework, which also included our governance, risk management, and compliance (GRC) solution,” he explains. Implementation and readiness for DORA were a key focus of the ERM and IT risk teams for 2024.
Based on Almgren’s experience, best practices that enhanced the process include:
- Having a flexible GRC solution. It was a key advantage because it facilitated implementation of the framework without overburdening the business with new processes.
- Being prepared to create suitable data structures and workflows to meet the new regulations, including mandatory methodologies and operational resilience activities.
Among other notable regulatory efforts are:
- PS21/3 Building Operational Resilience, which was developed by the UK Financial Conduct Authority and the Bank of England and became fully effective in March 2022. Aimed at the financial market sector, its main proposed purpose is to identify business services subject to threats, set impact tolerance, map out dependencies, and require stress testing.
- Australia’s Prudential Standard CPS 230 Operational Risk Management, which will become effective July 1, 2025. It sets requirements for specific regulated financial institutions to identify, assess, and manage operational risks, maintain critical operations during severe disruptions, and effectively manage risks associated with service providers.
In its Fiscal Year 2025 Examination Priorities, the U.S. Securities and Exchange Commission’s Division of Examinations includes information security and operational resiliency in its discussion of Risk Areas Impacting Various Market Participants. The SEC specifically mentions issues related to cybersecurity and steps to address customer information and identity theft.
“For regulators and key stakeholders, there is a growing concern around the systemic dependencies,” Almgren says. While companies might have once relied on onsite servers, there are now a range of supply chains involved in service delivery overall, he notes.
52% of U.S. organizations have not integrated risk and resilience capabilities, accountabilities, or organizational structure.
“We’ve learned that when organizations have significant operational incidents, the impact is very rarely on a single firm,” Almgren adds. “It can potentially lead to a market issue or an industrywide issue.” For example, he points to the outage last year caused by a failed software update performed by security software vendor CrowdStrike. It disrupted numerous organizations and industries, including airlines, financial services, and health care.
Empowering resilience
Many companies are taking vital but defensive steps, such as strengthening supply chains or addressing cyberthreats, rather than taking a more comprehensive view of readiness. According to the Resilience Pulse Check survey, only 13% of companies comprehensively incorporate resilience key performance indicators in their strategies, which may indicate that resilience is seen as an operational rather than a strategic issue.
— “Deploying Resilience for Success in a Volatile World,” World Economic Forum
What resources can help enable resilience? Enstrom points to The IIA’s Three Lines Model:
- The first line’s (management’s) focus should be on understanding the risk profile, including risk associated with dependencies and third parties.
- The second line should help management understand and apply a robust risk assessment framework. And both first and second lines should evaluate policies and procedures.
As the third line, internal audit’s contributions include:
- Providing testing services around compliance. DORA, for example, defines independent reviews and assurance and calls for audits of the information and communications technology (ICT) risk management framework. It also emphasizes internal audit’s role in assessing ICT governance, the accountability for ICT third-party management, and the related reporting and follow-up process to monitor and confirm remediation of critical ICT audit findings.
- Using its background in risk and internal controls to advise management on appropriate policies and procedures and readiness reviews.
- Evaluating the company’s risk profile and its watch list of threats.
- Providing advice or assurance on incident response planning.
- Performing post-implementation reviews to provide assurance on changes the company has made to reasonably ensure
- Championing the need for change to enhance resilience and challenging management and the board to strengthen the company’s operational resilience.
The value of shifting the focus to organizational resilience, Almgren says, is that it inspires conversations for management and the board around comfort level and perceived vulnerability and about balancing those concerns with the various costs of addressing them. Addressing resilience will require an investment of time and money, so the full support of the executive team and the board is critical.
Important steps include determining whether it is necessary to enforce more rigor in risk areas such as third-party vendor management and possible critical dependencies, according to Enstrom. Establishing roles and responsibilities is also important during early adoption of new regulations to enable appropriate implementation and compliance. Defining performance metrics and testing incident management make it possible to monitor the program’s health and readiness, as well as to consider potential enhancements to technology infrastructure.
A mission-critical effort
While regulation can present risk, Enstrom says it also can be a business enabler, providing a problem-solving framework. Even companies not subject to the rules can use their recommendations to improve operations, he says.
In the current environment, “It’s a mission-critical goal to be resilient,” Enstrom says. “It’s really thinking through more critically the ongoing continuous need to maintain awareness around operational principles in your strategic decision making rather than relying on event-driven, reactive recovery.”
Internal auditors are in a unique position to provide organizations with the objective and reliable information and advice they need as they embrace a more strategic outlook.
The comments included herein are made by Jim Enstrom and Felix Almgren in their personal capacities; the views and opinions expressed herein, by Enstrom and Almgren, are theirs alone, and do not reflect the views and opinions of Cboe Global Markets, Inc. and its subsidiaries.