The resilience lens: a fresh perspective on risk management in industries beyond Financial Services
Change the Way We See Risk and Resilience
We live in a world where disruption is commonplace. Resilience is no longer a ‘nice-to-have’; it is a strategic imperative. This landscape, coupled with a number of resilience-focused regulatory initiatives ‒ such as the EU Digital Operational Resilience Act, Telecommunications Security Act, Critical Third Parties regime, and the EU Critical Entities Resilience Directive ‒ has led organisations across sectors to strengthen their resilience.
There has also been renewed focus on risk and resilience in the Financial Reporting Council’s (FRC) UK Corporate Governance Code, including a requirement for organisations to declare the effectiveness of material controls ‒ potentially covering those that support resilience to risks threatening the business model, solvency, or liquidity.
The growing focus on disruption has shifted attention away from business-as-usual (BAU) risk management, despite the close connection between risk and resilience. Now is the time to identify overlaps and use them to strengthen the resilience of critical services and/or products.
The rapid development of resilience strategies offers a chance to align risk and resilience with broader business goals.
Developing an Integrated View of Risk and Resilience
Achieving integration means establishing both preventative controls, to minimise the likelihood of severe but plausible scenarios materialising, and ‘resilience by design’. This will enable firms to better anticipate and mitigate cascading contagion events in their environment.
Firms must assess how disruptions impact risks and controls, identifying where BAU controls may need to be substituted to maintain critical services. This requires close collaboration between resilience and risk teams to agree on substitutions and monitor associated risks.
Now more than ever, resilience and risk leaders ‒ backed by executive support ‒ must focus on a strategic vision for operational resilience. This involves not only meeting regulatory requirements but also implementing the necessary changes to sustain resilience in the long term.
Reassessing first and second line expectations is essential to fully integrate risk and resilience, turning them from compliance tasks into strategic enablers.
This paper explores these connections and outlines strategies for embedding risk and resilience into the broader business framework.
It addresses two key questions:
- How do risk and resilience work in tandem within an organisation to prevent disruptions and enhance response and recovery strategies?
- Just as importantly, how can both perspectives be embedded into decision-making processes, rather than viewing them in isolation?

Realise the Benefits of Unified Risk and Resilience
- Feedback loops between risk and control assessments and operational resilience scenario testing improve the identification of early warning signals, vulnerabilities and critical controls.
- Subject to existing system integration capability, combined risk and resilience dashboards improve data quality, with traceability through critical services and products, processes, risks and controls.
- Resources are targeted towards activities that provide the best return on assurance (e.g. assurance over controls that support key risk and resilience outcomes).
- Cross-pollination of risk and resilience resources improves, enhancing capability and reducing duplication of effort across the first and second lines of defence.
The first step to realising these benefits is through building a resilient ‘bowtie’.
The intersection of risk and resilience can be considered through the concept of the ‘bowtie’ model. Most practitioners are familiar with the bowtie concept of risk and control – but understanding how resilience intersects with the model can help firms to tie the bow together.
Consider the risks and controls mapped to the delivery of an organisation’s critical services and products, and how they are managed to: a) prevent disruptions that challenge an organisation’s resilience posture (left side of the bowtie); and b) mitigate the impacts and consequences of disruptive events (right side of the bowtie).

Optimise Risk and Resilience Integration

Underpinned by an Integrated Technology View
Technology platforms across risk and resilience disciplines help organisations anticipate, manage, and recover from threats. When integrated, these tools can unify risk and resilience functions around what matters most.
- Take an integrated approach by connecting risk systems (e.g. GRC platforms) with resilience tools to create a unified view across critical services and/or products.
- Review supporting system architecture to improve data quality and facilitate traceability through critical services and/or products, processes, risks, controls, and vulnerabilities.
- Use technology to enable end-to-end visibility – from horizon scanning to recovery – supporting proactive prevention and informed response during disruptions.
Adopt a Substitution Approach During Disruption
Organisations must also assess how substituting controls during disruption affects risk and resilience. A flexible, informed strategy is needed to adapt the BAU control environment while continuing to manage risk through disruption. The impact of substitutions on control effectiveness and resilience outcomes should be considered in advance ‒ built into response plans and scenario testing, not left to be decided in a crisis.
Substitution Approach – A Case Study
A substitution approach during disruption might involve switching to an alternative supplier if a primary one fails. For example, if a manufacturing firm’s key transport provider experiences a system outage, it could activate a pre-identified secondary provider or in-house contingency to maintain service. This helps to establish continuity, reduce single points of failure, and strengthen resilience. However, such substitutions may impact the BAU risk and control environment ‒ so the cost-benefit of each option should be carefully assessed.
1. Third-party risk management – Increased reliance on multiple suppliers requires enhanced due diligence, ongoing monitoring, and contractual arrangements to facilitate alternative providers meeting the same risk and resilience standards as the primary supplier.
2. Operational complexity – Managing multiple suppliers introduces additional complexities in procurement, logistics, and integration, which may create new risks related to consistency, data security, and service quality.
3. Testing and assurance – The effectiveness of the substitution strategy must be regularly tested through scenario planning and operational resilience exercises to enable seamless transitions in real-time disruptions.
4. Cost and resource allocation – Maintaining secondary suppliers may introduce additional costs, requiring firms to balance resilience investments against efficiency considerations within their risk appetite.
5. Data and technology integration – The business must ensure that alternative suppliers can seamlessly integrate with existing systems without compromising data integrity, cybersecurity, or service continuity.
6. Control environment adjustments – Controls must be updated to reflect changes in workflows, ensuring that governance frameworks, risk assessments, and incident response plans account for substitution strategies.
Questions for Risk and Resilience Practitioners to Consider When Flexing the BAU Environment During Disruption
Within the risk environment:
- How does a substitution approach impact existing risk exposures?
- Are we operating within our risk appetite?
- Are our controls adequate and effective?
- How do we monitor exposure and control? Is this covered by existing indicators (e.g. KRIs, KCIs)?
Within the resilience environment:
- How does the adoption of a substitution method affect the efficiency and effectiveness of service delivery?
- How resilient are controls under stress?
- Have response plans been updated to include scenarios where substitution approaches are required?
The article was first published by PwC.