Red Sea Cable Cuts: A Wake-Up Call for Geo-Resilience

The recent subsea cable cuts in the Red Sea disrupted a significant share of Europe-Asia traffic, slowing transactions and e-commerce worth billions. Rerouting kept the internet alive, while it naturally comes at the cost of higher latency and congestion. This is a reminder that critical infrastructure is now a frontline of geopolitical risk. Resilience is not just a technical checklist, it is a core business design principle.

Three Critical Moves

- Mitigate Now: Diversify cable routes, adopt strategic multi-cloud, explore LEO satellites as complementary pilots (proven useful in crises, but not a silver bullet).
- Redesign the Future: Build modular IT stacks, embed compliance-by-design, strengthen supply chains with near-/friendshoring.
- Accept & Manage Risk: Stockpile chips, define exit thresholds, and plan failovers: ATMs dispensing capped cash offline, hospitals reverting to manual protocols, retailers shifting to local stock, manufacturers holding critical spares, or energy operators switching to manual controls.

Beyond Infrastructure

- Board Accountability: Regulators and investors increasingly hold directors liable for resilience failures. Fiduciary duty now extends to digital and supply chain continuity.
- Regulatory Foresight: EU DORA, US supply chain mandates, and AI regulation are raising the bar for operational resilience.
- Competitive Advantage: Firms with robust failovers do not just survive shocks, they win share while others falter.
- Scenario Planning: Boards must war-game chokepoint disruptions (suppliers, technologies, sanctions,…) like they stress test finances.
- Hybrid Threats: Physical cuts often intersect with cyber campaigns; boards must plan for compounded risks.
- Culture & Talent: Teams drilled for crisis response are as critical as cables and servers.
- Training and Knowledge Sharing: Training to cover advanced resilience techniques and knowledge-sharing communities, incl. with relevant 3rd parties, are key.

At BCG, we help boards and executives identify critical business services and prioritize resilience measures accordingly, conduct resilience scenario testing and war-games, build adaptive stacks, and design operating models that thrive under disruption.

The question is not if you will be tested, it is when. When did your Board last pressure-test the resilience of its most critical business services, vendor or route?

#Resilience #Geopolitics #Cloud #RiskManagement #BoardGovernance #BCG

Vladimir Lukic / Or Klier / Filippo Scognamiglio / Dr. Amir Alsbih / Miri M.

Building Resilience Through Risk Management in Strategy
Summary
Building resilience through risk management in strategy involves identifying potential risks and creating systems that enable organizations to adapt, recover, and maintain operations during disruptions. This concept is about more than just damage prevention; it’s about ensuring long-term success and staying competitive in a fast-changing, unpredictable world.
- Focus on adaptability: Develop flexible systems and processes that allow your organization to recover quickly and continue operations during disruptions, rather than solely aiming to avoid risks.
- Strengthen partnerships: Collaborate with vendors, stakeholders, and team members across departments to build a resilient ecosystem that can effectively respond to challenges and mitigate risks.
- Prepare and test: Conduct regular scenario planning, simulations, and stress tests to identify vulnerabilities and ensure your response strategies are actionable in a crisis.

Banks today must operate in an environment of ever-increasing uncertainty, where extreme events—from cyberattacks and natural disasters to geopolitical shocks—can abruptly disrupt critical supply chains. In the digital age, resilient supply chain risk management is essential not only for maintaining operational continuity but also for protecting the financial ecosystem that supports banks’ services.

1) A comprehensive approach begins with a holistic risk assessment that extends beyond internal systems to encompass all third-party vendors, technology providers, data centers, and logistics partners.
2) By deploying advanced analytics and artificial intelligence, banks can map their entire supply chain in real time, identify vulnerabilities early, and trigger mitigation strategies to prevent interruptions before they escalate.
3) Diversification is fundamental. Banks are increasingly reducing dependence on any single supplier or geographic region by establishing multiple sources for key products and services. This multi-layered diversification minimizes the risk of disruption if one source fails, ensuring continuity of operations.
4) Equally critical is digital integration: modern technologies such as the Internet of Things, blockchain, and cloud-based platforms provide end-to-end visibility across the supply chain.
5) Continuous monitoring and automated alerts enable banks to rapidly respond to potential problems with flexibility and precision.
6) Robust cybersecurity is also imperative, as digital supply chains are prime targets for increasingly sophisticated cyberattacks. Banks must enforce stringent cybersecurity protocols not only within their own systems but also throughout their vendor networks.
7) Regular audits, compliance with standards like ISO 27001 and the NIST framework, and information sharing with trusted partners help fortify the entire ecosystem against intrusions.
8) Strategic partnerships further strengthen resilience. Collaborative relationships with vendors and technology providers allow banks to jointly develop risk management frameworks, share best practices, and coordinate emergency response plans.
9) Regular scenario planning and stress testing—simulating extreme events like coordinated cyberattacks or supply chain disruptions—ensure that contingency measures are current and actionable.
10) A culture of continuous improvement is vital: post-event reviews, feedback loops, and iterative updates to risk management strategies enable banks to learn from past disruptions and adapt to emerging threats.

By integrating these principles—comprehensive risk mapping, diversification, digital integration, robust cybersecurity, strategic partnerships, agile scenario planning, and continuous learning—banks enhance their supply chain resilience and better navigate extreme events in today’s dynamic digital landscape, thereby protecting their operations, customer trust, and overall financial stability.

Given the speed of digital transformation and innovation, the conversation is no longer just about cyber security. It’s about operational resilience. The conversation CEOs and the Board care about is how quickly the company can recover and continue normal business operations during a major crisis or incident. This is not a question of NIST, MITRE or ISO. Most don’t know about these frameworks and don’t care.

Based on my current client initiatives, there are 5 ways the shift from security to resilience is shaping the future:

1. Deep Focus on Continuity, Not Just Breach Prevention: While traditional cyber security emphasized keeping threats out, resilience is about minimizing downtime and ensuring critical operations can continue, even during an attack. Many leaders are incorporating business impact analyses into their asset management and risk management programs. This ties an asset to specific processes and focuses conversations on impacted assets and makes risk quantification more accurate.
2. Cross-Department / Silo Collaboration: Resilience goes beyond the IT and Security teams. It involves HR, legal, operations, and more to ensure that every aspect of the business can respond and recover quickly from disruptions. The culture of the organization will be the biggest obstacle or enabler for response and recovery speed.
3. Regular Simulations and Chaos Drills: Resilient organizations don’t just react to incidents—they proactively prepare with simulations and chaos drills that test their ability to bounce back. If you don’t test alternative processes or minimum process downtime while doing tabletops - you’re doing it wrong.
4. Incident Recovery Speed is the New Benchmark: (Note - the goalpost is now recovery and not just response.) Post-incident recovery time is now as important as breach prevention. Companies that can swiftly restore operations after a breach, like we saw in the #CrowdStrike incident, will have a competitive edge.
5. Third-Party Risk and Supply Chain Resilience: With companies relying more heavily on third-party vendors, ensuring the resilience of the entire digital ecosystem has become a top priority. Transparency across the chain is leading to more monitoring and audits of data flows, integrations and risks for larger entities.

We are also seeing CISOs move into the CTO and CIO roles. Once a CISO has established the ability to recover quickly in the face of adversity, it’s often considered a critical trait for promotion.

Resilience is not just a trait of great leaders, but of great organizations. As cyber threats continue to evolve, resilience will be the foundation that empowers businesses to thrive, no matter what comes their way.

It's time we ask ourselves: Is your company prepared and ready to bounce back after a major disruption?

#cyberresilience #security #digitaltransformation #CrowdStrike #cyberstrategy #RevolutionCyber