
      Organizations operate in an environment of continuous, multidimensional disruption. Geopolitical shifts, cyber threats and AI-driven change are reshaping how value chains and operations function, while regulatory expectations continue to increase.

      Critical systems can fail without warning, suppliers may become unavailable, and cyber incidents can spread rapidly across interconnected environments, often when organizations are most dependent on them.

      Despite this, expectations remain unchanged: organizations must continue operating, serve customers and maintain financial stability under pressure.

      Enterprise resilience is the ability to deliver critical services during disruption while strengthening organizational resilience and long-term sustainability. It takes an end-to-end view across technology, data, third-party relationships, operations and people.

      At KPMG, we help organizations build resilience in a structured and practical way, reducing operational disruption and strengthening response capabilities under stress.

      Operational disruption quickly translates into financial impact through revenue loss, cost escalation, liquidity pressure and regulatory exposure. Leading organizations therefore treat business resilience as an integrated enterprise risk management capability across operations, finance and governance.

      Matthias Bossardt

      Partner, Head of Cyber & Digital Risk Consulting

      KPMG Switzerland

      René Koets

      Partner, Head of Management Consulting

      KPMG Switzerland

      Why resilience matters now

      Regulation is fundamentally reshaping how organizations approach resilience.

      Requirements such as the Digital Operational Resilience Act (DORA) and the Network and Information Security Directive (NIS2) are pushing organizations to move beyond isolated IT or risk measures toward a more integrated, end-to-end approach to cyber risk management and cybersecurity resilience.

      In Switzerland, FINMA Circular 2023/1 reinforces this shift by raising the bar on expectations around:

      • identifying critical services and functions
      • defining impact tolerances
      • understanding operational dependencies
      • ensuring continuity during severe yet plausible disruption scenarios

      The message from regulators is clear: organizations must strengthen resilience capabilities to ensure compliance.

      In practice, organizations need to:

      • strengthen business continuity planning and disaster recovery capabilities
      • establish effective cyber incident response, cyber recovery and crisis management processes
      • proactively conduct third-party risk management (TPRM) programs and outsourcing risk management
      • test resilience regularly under realistic disruption scenarios
      • improve visibility across systems, suppliers and operational dependencies
      • integrate operational resilience with financial and regulatory risk management

      4 key processes in enterprise resilience

      These processes provide a structured resilience approach, enabling organizations to move from reactive crisis management to a controlled, coordinated response.

          1. Strategic alignment
          Define clear strategic objectives and targeted enterprise outcomes, supported by the key drivers and methods required to measure progress effectively.

          2. Modeling
          Leverage data to define key performance metrics and apply quantitative methods for predictive analysis and simulations.

          3. Implementation
          Execute defined objectives and ensure alignment with the key metrics established during modeling.

          4. Resilience enhancement
          Identify strategic options to strengthen resilience and determine the optimal approach based on ROI and confidence levels.


              Operational resilience vs. business continuity management

              Operational resilience is often confused with business continuity management (BCM), but the focus is different.

              BCM focuses on recovery after a disruption. The goal is to restore operations within a defined timeframe, supported by disaster recovery planning.

              Operational resilience, by contrast, focuses on keeping critical services running during disruption.

              It combines:

              • BCM
              • IT resilience
              • Cyber resilience
              • Third-party risk management (TPRM)
              • Crisis management
              • Operational risk management

              In simple terms:

              • BCM asks: How do we recover?
              • Operational resilience asks: How do we continue operating during disruption?

              This shift changes how organizations manage risk, prioritize investments and make decisions.

              Why resilience must include financial stability

              Operational disruption quickly creates financial repercussions. Revenue loss, cost escalation, liquidity pressure, regulatory exposure and reputational damage can emerge within hours of a major incident.

              This is why resilience must extend beyond operational continuity alone and support effective risk management strategies to mitigate risks.

              Leading organizations connect:

              • operational resilience
              • financial resilience
              • governance
              • crisis management
              • strategic decision-making

              into a single, integrated enterprise capability.

              How KPMG can help

              Building enterprise resilience requires an integrated approach that connects operational continuity, financial stability, governance and transformation capabilities.

              KPMG helps organizations identify vulnerabilities through risk assessments, strengthen critical operations and improve decision-making under pressure.

              • Identify critical services and resilience gaps

                We support organizations in identifying critical business services, conducting due diligence on key dependencies and defining resilience objectives aligned with regulatory requirements such as DORA, NIS2 and FINMA.

                We also provide independent assurance over resilience frameworks and controls.


              • Strengthen continuity and crisis response

                We help organizations strengthen their ability to respond to operational disruption, cyber incidents and crises while maintaining continuity of critical services.

                We support leadership teams in improving decision-making and governance during disruption.


              FAQs

              Operational resilience is the ability to continue delivering critical products and services during disruption.

              It is a core component of enterprise resilience, focusing on maintaining continuity under stress while minimizing operational and financial impact.

              Financial resilience is the ability to absorb financial shocks through strong liquidity, diversified revenue streams, effective capital management and sound risk governance.

              Business continuity management focuses on recovery after disruption.

              Operational resilience, by contrast, focuses on maintaining critical services throughout disruption and takes a broader, enterprise-wide approach.

              DORA requires organizations to strengthen ICT risk management, ensure the continuity of critical services, manage third-party risks and conduct resilience testing under realistic scenarios.

              Impact tolerance defines the maximum level of disruption an organization can absorb before causing unacceptable harm to customers or the business.

              It helps prioritize resilience efforts and set clear thresholds for critical services.

              These are realistic disruption events, such as cyberattacks, system failures or supplier disruptions.

              Organizations use them to test whether their resilience capabilities perform effectively under real conditions.

              Building operational resilience requires identifying critical services, understanding dependencies, strengthening risk and crisis management capabilities, and testing these regularly.

              The goal is to remain in control and limit impact during disruption.

              Responsibility typically sits with executive management and the board, supported by risk, technology and operational functions.

              Clear governance and well-defined roles are critical for an effective response under pressure.

              A core platform such as an ERP, customer platform or production system becomes unavailable, causing operations to stop or become severely constrained.

              Key questions

              • What happens if a critical system fails tomorrow?

              • Which services would be affected first?

              • How long can we continue operating under degraded conditions?

              Where organizations struggle

              • Limited visibility into critical services

              • Misalignment between business priorities and IT recovery 

              • Over-reliance on single systems

              What resilient organizations do differently

              • Clearly prioritize critical services 

              • Align technology recovery with business impact

              • Establish structured incident response and escalation processes

              A supply chain disruption interrupts delivery, production or operational continuity.

              Key questions

              • How dependent are we on individual suppliers?

              • How quickly can we adapt or switch providers?

              • Which risks exist beyond Tier 1 suppliers?

              Where organizations struggle

              • Limited visibility across supply chain dependencies

              • Excessive focus on cost optimization over resilience

              • Weak ongoing monitoring of supplier concentration risks

              What resilient organizations do differently

              • Map critical supplier dependencies end-to-end 

              • Identify single points of failure early 

              • Integrate resilience into sourcing and procurement decisions

              A third-party provider underperforms or becomes unavailable, affecting critical operations.

              Key questions

              • Who is accountable when something goes wrong?

              • Do we have operational control or only contractual coverage?

              • What happens if the provider fails completely?

              Where organizations struggle

              • Weak third-party, outsourcing and vendor risk management

              • Limited operational visibility into vendors 

              • Missing fallback or exit strategies

              What resilient organizations do differently

              • Define clear ownership and accountability

              • Continuously monitor critical providers

              • Maintain tested fallback and exit options

              A major incident occurs, but response is slow, unclear or inconsistent.

              Key questions

              • Are decision-makers prepared to act under pressure? 

              • Are escalation paths clearly defined? 

              • Can leadership make decisions quickly with incomplete information?

              Where organizations struggle

              • Crisis plans exist only on paper 

              • Decision rights are unclear 

              • Teams lack realistic simulation training

              What resilient organizations do differently

              • Establish clear crisis governance structures 

              • Conduct regular simulation exercises 

              • Align leadership teams before disruption occurs


              Meet our experts

              Matthias Bossardt

              Partner, Head of Cyber & Digital Risk Consulting

              KPMG Switzerland

              René Koets

              Partner, Head of Management Consulting

              KPMG Switzerland

              Thomas Oschlisniok

              Partner, Head of Business Services Transformation

              KPMG Switzerland

              Mischa Sollberger

              Partner, Global Transfer Pricing Services, Value Chain Management

              KPMG Switzerland

              Related articles and more information

              AI assurance helps organizations build trusted and resilient AI across systems, data and business‑critical decision‑making processes.