Resilience instead of reaction – how companies must learn to manage crises as a permanent condition

13 November, 2025 | Current General
Resilience instead of reaction: managers focus too much on definitions and too little on concrete strategies.

Many companies talk about resilience, but few act on it. According to a new Gartner analysis, managers focus too much on definitions and too little on concrete strategies for surviving crises, limiting outages and quickly restoring business operations.

Resilience is no longer a marginal topic; it is on the agenda of CEOs. Today, security and risk managers should not only manage risks, but also ensure that companies can achieve their goals even in times of crisis. Pandemics, geopolitical conflicts, cyberattacks, supply chain problems and economic uncertainties have shown how vulnerable organizations are.

But instead of developing resilience, many companies merely define it. According to Gartner, around 60 percent of organizations will not sufficiently embed the principles of organizational resilience by 2027, leaving them vulnerable to global technology threats.

Artificial intelligence is changing crisis management

The introduction of AI into business processes creates new opportunities, but also new risks. According to Gartner, 85% of business continuity management platforms will use AI in planning, analysis and reaction by 2028 (today it is only around 10%).

AI can support decisions in crisis situations, for example through scenario analyses or the identification of previously unknown risks. However, the dependence on data quality and algorithmic integrity remains critical. Gartner warns that without transparency, data protection and clear responsibilities, AI itself can become a weak point.

Cyber resilience becomes mandatory

The digital space is increasingly becoming a trouble spot. Regulatory authorities around the world are increasing the pressure: laws such as the European Digital Operational Resilience Act (DORA) and the NIS 2 Directive are intended to ensure that companies can not only fend off cyberattacks, but also survive them.

According to Gartner, 60% of companies will be forced to include cyber resilience in their plans by 2028. Cybersecurity is therefore no longer an isolated issue, but an integral part of operational risk management from IT to the supply chain.

The new vulnerability: dependence on third parties

A large proportion of today’s business processes depend on external IT service providers and cloud providers. Gartner predicts that around 80 percent of all dependency risks will lie in external infrastructures by 2026. This is a massive increase compared to 53% in 2024.

Many companies underestimate the concentration risks posed by shared cloud providers: If several critical partners use the same provider, a single failure can paralyze entire value chains. Gartner warns: outsourcing transfers responsibility, but not the risk.

From the definition to the culture of resilience

Resilience cannot be written down in a manual; it comes from attitude and cooperation. Gartner recommends that SRM leaders:

  • Actively promote resilience characteristics instead of just defining processes,
  • departments in order to overcome silos,
  • Establish long-term programs that combine crisis exercises, third-party transparency and management commitment,
  • and AI to improve decisions, not replace them.

Organizations that establish a resilient culture will not only return to normal operations faster, but will often gain market share and trust when others are still busy recovering.

Resilience is not a defensive discipline, but strategic future management. If you only react, you lose. Those who understand resilience as a culture can grow even in uncertain times with people, processes and technologies that do not fear crises, but master them.

Binci Heeb
