The traditional notion of resilience as merely bouncing back from adversity - or as an IT-driven concern focused on system availability, data recovery, and cybersecurity - no longer suffices. Today, resilience has evolved into a far broader, enterprise-wide capability that extends well beyond technology.

Modern organizations must adopt a proactive stance that enables them not only to withstand disruptions but to thrive amid uncertainty and emerge stronger from challenges. Achieving this requires treating resilience as an enterprise-wide capability built on close collaboration between business and IT.

This article explores how coordinated efforts across the four pillars of governance, risk management, internal control, and internal audit - whether addressed individually or in combination - can strengthen an organization’s ability to anticipate, absorb, and adapt to change.

We are entering a new era of volatility, one marked not by occasional crises but by constant, multidimensional disruption. Geopolitical tensions are reshaping global value chains, technological breakthroughs such as AI are creating both opportunities and vulnerabilities, while economic uncertainty and regulatory complexity have become the new normal.

In this context, resilience has moved beyond its roots in crisis management to become a defining characteristic of successful organizations - those capable of anticipating risks, adapting rapidly, and transforming challenges into sustainable competitive advantages.

Findings from the KPMG Risk and Resilience Survey 2025 highlight the urgency of this transformation:

  • 52% of organizations have not yet integrated their risk and resilience activities or structures.
  • Only 26% benefit from strong collaboration and a cross-functional view of risk.
  • Nearly two-thirds face moderate to severe barriers to effective risk management.

Our message is clear: to turn uncertainty into opportunity, fragmented and reactive approaches are no longer sufficient. Organizations need a structured, proactive, and integrated approach to risk and assurance activities.

The six dimensions of enterprise resilience

Resilience should not be viewed solely through an operational lens. To achieve long-term value and sustainable performance, organizations need to develop resilience across multiple dimensions: strategic, operational, financial, technological, organizational, and reputational.
Each dimension represents a different angle of strength and adaptability; together they form a comprehensive view of what it truly means to be resilient.

  • Strategic resilience: The capacity to adapt strategy and business models in response to market shifts and emerging opportunities.
  • Operational resilience: The ability to sustain critical operations through robust continuity planning and rapid recovery capabilities.
  • Financial resilience: The financial strength to absorb shocks through sound liquidity, diversified revenues, and risk management.
  • Technological resilience: Secure, reliable, and adaptive digital systems enabling both protection and innovation.
  • Organizational resilience: A culture that promotes leadership, engagement, and adaptability at all levels.
  • Reputational resilience: The preservation of trust through transparency, ethics, and effective stakeholder communication.

The four pillars that build resilience

The foundation of enterprise resilience rests on four interconnected pillars - Governance, Risk Management, Internal Control, and Internal Audit - each playing a distinct yet complementary role in shaping a strong and adaptive organization.

While these pillars are mutually reinforcing, progress in any one of them strengthens preparedness, consistency, and confidence. Together, they form an integrated foundation for lasting enterprise resilience.

While this article focuses on these four core pillars - which form the backbone of Enterprise Risk & Assurance (ERA) activities - enterprise resilience is a collective effort that extends beyond them.

Functions such as Compliance and Legal, Information Security (CISO), Data Protection (DPO), Business Continuity Management, and Third-Party Risk Management all play crucial roles in reinforcing resilience. These areas intersect with the four pillars, providing specialized expertise and safeguards that contribute to a stronger, more cohesive risk and control environment.

  • Governance - The guiding force
    Strong governance provides direction, oversight, and accountability. It ensures that risk and control activities align with strategy and stakeholder expectations, embedding resilience considerations into management decision-making.

  • Risk management - The foundation of preparedness
    Effective risk management acts as an early-warning system, identifying threats and opportunities before they materialize. It combines dynamic monitoring, scenario analysis, and integrated reporting to support timely, informed decisions.

  • Internal control - Ensuring reliability and consistency
    Internal controls act as the organization’s immune system, ensuring operational integrity and compliance. They detect anomalies, prevent errors and fraud, and provide confidence in information used for decision-making.

  • Internal audit - The assurance and insight function
    Internal audit provides independent and objective assurance on the effectiveness of governance, risk management, and control processes. Beyond compliance, it offers insights that support informed decision-making and continuous strengthening of the organization’s resilience.

Beyond silos: Integration builds resilience, but every step counts

Strong individual pillars are valuable, but resilience reaches its full strength when they are connected.
Operating in silos leads to overlaps, gaps, and inconsistent perspectives, while integration enables a dynamic exchange of information that continuously strengthens the whole system.

  • Risks identified by risk management shape control design and resilience testing.
  • Control weaknesses or audit findings inform the refinement of risk assessments and frameworks.
  • Incident data strengthens both operational controls and preparedness.
  • Governance and technology act as catalysts, connecting and aligning these efforts across the organization.

Turning integration into action requires translating vision into concrete mechanisms across the four pillars - Governance, Risk Management, Internal Control, and Internal Audit - to strengthen resilience along strategic, operational, financial, organizational, technological, and reputational dimensions, while reinforcing resilience at every level of the organization.

Overview of KPMG support per dimension of each pillar

The benefits of a coordinated approach

  1. Enhanced decision-making: Reliable, comprehensive information supports faster and better decisions.
  2. Improved stakeholder confidence: Demonstrated controls and transparency build trust with investors, customers, and regulators.
  3. Operational efficiency: Coordination reduces overlaps and creates efficiency gains.
  4. Competitive advantage: Superior resilience enables informed risk-taking and the pursuit of opportunities others avoid.

From uncertainty to value creation: The path forward

From reactive to proactive

Building resilience is an ongoing journey. Success requires leadership commitment, investment in people and systems, and a culture that views uncertainty as an opportunity for growth and innovation.

Resilience as a strategic capability

In an era defined by volatility, uncertainty, complexity, and ambiguity, resilience is no longer optional; it is fundamental for survival and success. The current context is not a passing storm but a new climate for business. In this environment, fragmented approaches to governance, risk, control, and assurance activities are not only outdated but dangerous. Resilience must be viewed as a strategic capability, a continuous process of adaptation that distinguishes organizations that merely endure change from those that shape it.

The way forward

Resilience is strengthened through four key levers: effective governance, proactive risk management, robust internal control, and a forward-looking internal audit that fosters continuous improvement.

Yet the real strength lies not in the individual components but in the integration that unites them, supported by technology and a culture of collaboration.

Resilience is the outcome. Integration can be the enabler.
Resilience is not a destination; it is a continuous journey of adaptation and improvement, supported by strong collaboration and a shared vision.

 

KPMG’s Enterprise Risk Services (ERS) define resilience not merely as the ability to recover, but as a proactive state of readiness, adaptability, sustained performance, and continuous improvement in response to new resilience threats.

We invite you to contact our teams to explore how, together, we can begin building a stronger, more agile, and more resilient organization - today and for the future.

 

Authors: Raphaël Schair, Principal