
Operational resilience is a benchmark for executive success

Operational resilience is emerging as an executive benchmark as regulations, board scrutiny and compliance mandates drive the need for measurable KPIs and accountability.

Ensuring operational resilience and business continuity has always been important. In recent years, regulatory mandates have elevated resilience into a quantifiable requirement, particularly in highly regulated industries.

As a result, the ability to measure and demonstrate resilience is now a core leadership performance indicator. Executives retain board support when they can prove that they have deployed the technologies, processes and culture required to withstand disruption.

Meeting this challenge requires a new approach to tracking and measuring business continuity. Organizations must reassess the operational resilience landscape, identify the KPIs that define performance and implement measurable systems that strengthen continuity and accountability.

Growing demands for measurable operational resilience

The ability to recover quickly from disruptions -- such as cyberattacks or natural disasters that bring down critical infrastructure -- has long been a business objective. It is now a compliance imperative across many industries.

This shift stems largely from regulations that make resilience planning, testing and reporting explicit requirements, including the following:

  • The Digital Operational Resilience Act (DORA). An EU regulation that requires organizations operating critical communications infrastructure to regularly assess and test for risk. DORA also mandates incident reporting and disclosure.
  • The Network and Information Security Directive (NIS2). An EU directive that requires incident response planning, business continuity testing and incident reporting.
  • ISO 22301:2019. An international standard that requires organizations to establish, maintain and continuously improve business continuity management systems.

Expectations related to environmental, social and governance (ESG) reporting have increased pressure on organizations to strengthen business continuity and resilience. This is because ESG frameworks emphasize the ability to adapt to the risks posed by climate-related disruptions, including natural disasters, severe weather events and electrical grid failure. The Task Force on Climate-Related Disclosures, for example, includes resilience planning among its recommendations.

Executive liability and accountability for resilience

Increased planning, testing and disclosure requirements affect not only organizations but also individual executives. In some cases, they create direct personal liabilities.

Some compliance frameworks give regulators the option to impose personal fines on business leaders deemed responsible for compliance failures. For example, DORA permits fines of up to €1 million against executives and, in extreme cases, criminal penalties.

Beyond regulatory penalties, executives also face corporate board scrutiny if they fall short on resilience efforts. CXOs at companies including Equifax, Target and Optus lost their positions following major cyberattacks or outages. Qantas's CEO saw their bonus reduced significantly after a cybersecurity breach.

Business continuity failures can also affect valuations and stock prices, directly impacting executives and shareholders. For example, CrowdStrike's stock price declined by about 11% following a major service outage in 2024, and Meta lost $50 billion in market value after a 2021 outage that affected its Facebook, Instagram and WhatsApp platforms.

These incidents demonstrate that resilience failures carry consequences beyond paying a fine and writing it off. They can derail the careers of CEOs, CIOs, CISOs and other leaders perceived as responsible for inadequate business continuity planning and testing.

Resilience metrics and KPIs that define performance

Meeting regulatory and board expectations requires more than general posturing toward resilience strategies; it requires measurable metrics and KPIs. Demonstrating investment in operational resilience through data reduces incident risk and strengthens defensibility in the event of disruptions.

Most compliance frameworks don’t prescribe specific resilience metrics for businesses. Organizations must determine which data to quantify and report, and appropriate KPIs vary across sectors.

As a general guideline, consider the following operational resilience and business continuity metrics and KPIs:

  • Service availability. Measures overall system and service uptime to quantify outage frequency and duration.
  • Critical service availability. Measures uptime for essential services whose failure would disrupt core business operations.
  • Mean time to recover (MTTR). Measures how quickly operations are restored following a disruption and reflects the effectiveness of business continuity plans.
  • Business continuity plan update frequency. Tracks how often continuity plans are reviewed and revised to demonstrate ongoing oversight.
  • BCP testing rate. Measures how frequently recovery plans are tested to validate readiness.
  • Resilience maturity assessments. Uses established frameworks, such as the NIST Cybersecurity Framework, to evaluate overall resilience and security posture.
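As an added illustration that is not part of the original article, the following Python computes four of the KPIs above (service availability, critical service availability, MTTR and BCP testing rate) from a constructed incident log. The service names, outage timestamps and plan counts are invented sample data; the window-clipping rule and the "average across a service group" definition of availability are assumptions, not a standard's formula.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

@dataclass(frozen=True)
class Incident:
    service: str
    started: datetime
    restored: datetime

def _minutes(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 60

def availability(incidents, services, window_start, window_end):
    """Percent of the window during which the listed services were up.
    Downtime is summed across the group, so this is the group's average
    availability; outages straddling the window edge are clipped to it."""
    capacity = len(services) * _minutes(window_start, window_end)
    down = 0.0
    for i in incidents:
        if i.service not in services:
            continue
        lo, hi = max(i.started, window_start), min(i.restored, window_end)
        if hi > lo:
            down += _minutes(lo, hi)
    return round(100 * (1 - down / capacity), 3)

def mttr_minutes(incidents, window_start, window_end):
    """Mean time to recover for incidents that began inside the window
    (full outage length counts, even if recovery finished after the window)."""
    durations = [_minutes(i.started, i.restored) for i in incidents
                 if window_start <= i.started < window_end]
    return round(mean(durations), 1) if durations else 0.0

def bcp_testing_rate(plans_in_scope, plans_tested):
    """Share of continuity plans exercised in the period, 0-100."""
    return round(100 * plans_tested / plans_in_scope, 1) if plans_in_scope else 0.0

# Constructed sample data: a 30-day January window and four made-up outages.
SERVICES = {"payments", "web", "wiki"}
CRITICAL = {"payments", "web"}          # assumed critical-service subset
WINDOW = (datetime(2024, 1, 1), datetime(2024, 1, 31))
INCIDENTS = [
    Incident("payments", datetime(2024, 1, 5, 2, 0), datetime(2024, 1, 5, 3, 30)),
    Incident("web", datetime(2024, 1, 12, 10, 0), datetime(2024, 1, 12, 10, 30)),
    Incident("wiki", datetime(2024, 1, 20), datetime(2024, 1, 21)),
    Incident("payments", datetime(2024, 1, 30, 23, 0), datetime(2024, 2, 1, 1, 0)),
]
```

Note that the last outage runs past the reporting window: only the in-window hour counts against availability, while its full 26 hours count toward MTTR, which is why the two figures should be reported together.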

Resilience planning and reporting best practices

Collecting operational resilience metrics is the first step toward strengthening oversight and accountability.

To do so efficiently and at scale, organizations should consider best practices such as the following:

  • Automate compliance monitoring. Use software tools to automatically track resilience activities and compare them to organizational requirements or commitments.
  • Report on resilience proactively. Incorporate resilience metrics into regular presentations to corporate boards, shareholder communications and regulatory disclosures rather than waiting for incidents to occur.
  • Educate and communicate with employees. Communicate resilience priorities across the organization to reinforce accountability and embed continuity as a cultural value.
  • Conduct transparent post-incident reviews. Conduct and communicate clear post-incident analyses that identify root causes and define measurable improvements to resilience plans.

Chris Tozzi is a freelance writer, research adviser, and professor of IT and society who has previously worked as a journalist and Linux systems administrator.
