
Operational Resilience Issues? It’s Likely Weak ITSM Processes

by David Mainville

Operational resilience isn’t a department, capability, or framework you implement. It’s what comes from ITSM processes that actually work.

In my experience, too many organizations are tackling operational resilience the wrong way. They treat it as a governance, risk, and compliance activity — a set of controls and risks to identify, track, and check off.

Operational resilience is the organization’s ability to protect, withstand, and recover from threats to its services and operations.

From an information technology perspective, it’s about the systems that support those business services and operations.

In reality, operational resilience is the result of well implemented ITSM processes: processes that mitigate the risk of change, detect and resolve incidents before they escalate, and recover when things go wrong. This is exactly what I mean when I say process maturity isn’t academic; it’s just good management.

That’s not to say the GRC function isn't important. But if your operational resilience budget is focused primarily on GRC, you’re missing the point.

Operational Resilience Regulations

Regulations like DORA (Digital Operational Resilience Act) — which targets financial institutions and the ICT providers they depend on — are becoming more prevalent. 

Consulting firms are lining up to help organizations demonstrate compliance across its five pillars: ICT risk management, incident reporting, resilience testing, third-party risk, and information sharing.

But here’s the real question:

Are they making you more resilient or are they just checking the regulatory and GRC boxes?

It's not only Europe; operational resilience mandates are being rolled out worldwide.

Whether it’s DORA in Europe, FCA/PRA in the UK, MAS in Singapore, or APRA in Australia — they all point to the same requirement: organizations must be able to withstand and recover from disruption.

Operational resilience shouldn't be theoretical.

HIPAA in the U.S. is primarily a privacy and security regulation; its Security Rule requires covered entities to protect the confidentiality, integrity, and availability of electronic health information, which makes availability (and therefore recovery from disruption) an explicit part of the mandate.

But did you know that healthcare was among the hardest-hit industries in 2025, and one of the few where operational failures had immediate, real-world consequences?

HIPAA is a mature regulation mandated across healthcare in the USA. So why are healthcare organizations among the most impacted, with some of the largest and most expensive failures?

I believe it's the disconnect between being compliant on paper as opposed to having practical well implemented processes that stand up under the pressure of a crisis.

Compliance ≠ operational resilience.

ITSM processes are fundamental to an organization's operational resilience. Some, like Asset Management, Change Management, Incident Management, and Monitoring and Event Management, are part of daily operations.

Processes like Software Development Management, Service Validation and Testing, and Release Management ensure your services are built with operational resilience in mind.

Others, like Risk Management, Information Security Management, Supplier Management, Infrastructure and Platform Management, and Service Continuity Management, are the watchdogs, ensuring your operations hold up when things go wrong.

Fix weak ITSM processes, and operational resilience will follow.

I am not saying that regulations are useless; they focus our attention. And GRC is important, because it lets us track issues and stay on top of them.

But the single most important thing you can do for operational resilience is to assess your ITSM processes, identify the weak ones, and start fixing them.

  • Are your processes documented?
  • Does every department consistently follow them?
  • Have people been trained? 
  • Do you measure process performance? 
  • What actions do you take based on the metrics? 
  • Do you continuously improve your processes?

Navvia can help you achieve operational awareness with our Operational Resilience Assessment based on ITSM processes, along with our process design and governance solutions.

Operational resilience isn’t something you declare — it’s something you demonstrate. Not in policies or frameworks, but in how your processes perform when things go wrong. Get your ITSM processes working, and resilience will follow.
