Insights

Fresh thinking and actionable insights that address critical issues your organization faces.

Learn more

Resources

Services

KPMG's multi-disciplinary approach and deep, practical industry knowledge help clients meet challenges and respond to opportunities.

Services to meet your business goals

Technology Alliances

KPMG has market-leading alliances with many of the world's leading software and services vendors.

View all Alliances

Industries

Helping clients meet their business challenges begins with an in-depth understanding of the industries in which they work. That’s why KPMG LLP established its industry-driven structure. In fact, KPMG LLP was the first of the Big Four firms to organize itself along the same industry lines as clients.

How We Work

We bring together passionate problem-solvers, innovative technologies, and full-service capabilities to create opportunity with every insight.

Learn more

Careers & Culture

What is culture? Culture is how we do things around here. It is the combination of a predominant mindset, actions (both big and small) that we all commit to every day, and the underlying processes, programs and systems supporting how work gets done.

Learn more
Relevant Results
Sorry, there are no results matching your search.
Autocomplete suggestions are available. Use up and down arrows to review and enter to select.
See more results

A roadmap for the resilient org

The recent global tech outage shines a light on the critical need for robust resilience planning in the digital age.

Be organizationally and operationally resilient when — and where — it matters
During an IT outage, cyber-attack, or any significant functional disruption, organizations must focus on restoring critical operations in minutes and hours, not days and weeks.
Read more

Estimated read time: 3-4 minutes

In a perfect world, managing risk means eliminating every single threat. But back in the real business world, with its increasingly interconnected technologies, rapid changes, and multiplying threats, scoring a perfect 100 percent on risk management is just not a realistic goal.

Look no further than the recent global tech outage triggered by an automatic software update from a company that specializes in (wait for it) security and risk management. Because of the company’s entrenched role in enterprise technology, its routine update triggered costly outages and extensive remediation efforts for organizations around the world. The knock-on effects hit especially hard for businesses that lacked strong recovery plans.

Instead of perfection, then, leading-edge risk management today is about being 100 percent prepared for any problems—both potential and actual. That requires a commitment to organizational and operational resilience that will help companies stay ahead of risks as best as possible, rapidly navigate any fails, and quickly get back to business as usual.

Planning for everything

As the latest global outage demonstrated, threats can be internal or external, from friend or foe. That’s why resilience planning has become such a critical discipline, requiring ownership across the C-suite and companywide buy-in. Indeed, in one recent KPMG survey, chief risk officers said that ongoing training and communication for the entire organization was the most effective tactic for managing risks.1

Maintaining business resilience is a fluid process. It includes defining essential processes, identifying threats and risks, and designing a resilience strategy grounded in the proper controls, backups, and technology architecture. But like threats, effective resilience strategies don’t sit still. The underlying risk-and-control structures must be tested and optimized on an ongoing basis. 

As a starting point, we encourage clients to look for potential disruptions and build preventative controls across three key areas, as we outline in our new report. The big three:

Information technology (IT) resilience:

Clearly understanding the complexity of IT systems is perhaps the biggest risk-related challenge facing companies today. Many organizations increasingly rely on third-party software to deliver key services, which enables them to focus on what they do best and move faster. But this reliance also introduces complex new interdependencies and risks. Mapping out this IT matrix and any related vulnerabilities is essential.

Business continuity:

Inevitably, stuff happens. That’s where business continuity planning comes in, positioning the organization to respond to and recover from a broad array of operational disruptions. The goal is to sustain essential functional and core revenue-generating processes during an incident, and restore all other services as quickly as possible.

IT asset management and operations:

Technology leaders have a core responsibility to ensure the organization has a resilient tech stack and IT operating model. Clearly documenting software assets in a detailed configuration database is critical. This provides rapid visibility on dependencies that may be particularly vulnerable when threats arise.

This is not a drill

What does an effective business resilience plan look like in action? It’s a question most organizations hope they never have to answer, of course. But virtually every company has faced—and will face again—a real disruption. How companies prepare and respond makes all the difference.

To that end, the recent global tech outage reinforced several insights on the leading practices to face down a real-world challenge. In our observations, organizations with responsive, regularly tested backup and recovery strategies are ideally positioned to quickly limit the damage and restore operations. Their business resilience planning consistently focuses on recovery at scale and under pressure.

1

Develop a backup and recovery strategy that is scaled to your organization.

2

Test that strategy regularly to ensure it is robust and up to date.

3

Ensure that you can execute at scale based on clearly defined recovery objectives.

4

Include worst-case scenarios, such as loss of access to locations, cloud-based services, or third-party environments.

5

Perform impact assessments to forecast the damage radius if a key system fails or a network is breached.

6

Review software vendors and other critical third parties to avoid an overreliance on any single service or partner.

7

Evaluate business insurance coverage for third-party exposure and outage scenarios.

Toward a resilient org

Broadly, we have observed that companies have made solid progress in establishing a baseline of organizational resilience over the last few years. But that line needs to keep elevating. Bad actors continue to get more industrious and risk matrices will grow ever more complex.

Subscribe to receive the KPMG Opportunity (In)sight Newsletter

Turn insight into opportunity with unique perspectives and actionable insights addressing the burning issues atop the C-suite agenda. Delivered monthly.

Subscribe

Thank you

Thank you for subscribing to the KPMG Opportunity (In)sight newsletter. Be on the lookout for Opportunity (In)sight, a monthly newsletter from KPMG providing unique and data-driven perspectives into the most pressing C-suite issues.

Subscribe to the KPMG Opportunity (In)sight Newsletter

Turn insight into opportunity with unique perspectives and actionable insights addressing the burning issues atop the C-suite agenda. Delivered monthly.

By submitting, you agree that KPMG LLP may process any personal information you provide pursuant to KPMG LLP's Privacy Statement.

An error occurred. Please contact customer support.

And while a strong resilience foundation relies on tight coordination of the organization’s people, processes, and technologies, companies need to keep in mind another growing consideration: the regulators. Much of the recent regulatory churn—whether new laws or proposed new guidelines—focuses on an organization’s risk management and resilience capabilities. In our recent survey of risk officers, for example, regulatory and compliance issues ranked as the top challenge.

Given that increasingly complex risk environment, then, organizations must strive for bounce-back resiliency, not “it won’t happen to us” perfection. That starts with a clearly defined tech infrastructure, rigorous third-party risk management, responsive recovery plans, and an organization-wide commitment to navigating the digital age’s expanding threats.

Footnotes:

1 KPMG Chief Risk Officer Survey

2 Navigating the fallout: Lessons from the CrowdStrike outage

Explore more insights and opportunities:

Insight
Webcast Replay Webcast Upcoming Listen Now

Navigating the fallout: Lessons from the Crowdstrike outage

Plus 7 key backup and recovery actions

Read more
Insight
Webcast Replay Webcast Upcoming Listen Now

Building resilience in a hyperconnected world

Most enterprises are operationally dependent on a broad third-party ecosystem that must be equally resilient in the face of disruption.

Read more
Insight
Webcast Replay Webcast Upcoming Listen Now

CFOs Tackle Enterprise Risk Management

Learn why enterprise risk management is a hot topic for CFOs today

Read more

Meet our team

Image of David Tarabocchia
David Tarabocchia
Principal, CIO Advisory , KPMG US
Read bio
Image of Kyle Kappel
Kyle Kappel
Cyber Security Leader, KPMG US
Read bio
Image of Marcus Murph
Marcus Murph
Principal, CIO Advisory, KPMG US
Read bio
Image of Jill Farrington
Jill Farrington
Service Network Leader, Technology Risk, KPMG US
Read bio
Image of David Tarabocchia
David Tarabocchia
Principal, CIO Advisory , KPMG US
Read bio
Image of Kyle Kappel
Kyle Kappel
Cyber Security Leader, KPMG US
Read bio
Image of Marcus Murph
Marcus Murph
Principal, CIO Advisory, KPMG US
Read bio
Image of Jill Farrington
Jill Farrington
Service Network Leader, Technology Risk, KPMG US
Read bio

KPMG. Make the Difference.


Some or all of the services described herein may not be permissible for KPMG audit clients and their affiliates or related entities.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation. KPMG LLP does not provide legal services.

The information contained herein is not intended to be “written advice concerning one or more Federal tax matters” subject to the requirements of section 10.37(a)(2) of Treasury Department Circular 230.

© 2024 KPMG LLP, a Delaware limited liability partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.

For more detail about the structure of the KPMG global organization please visit https://home.kpmg/governance.

Thank you!

Thank you for contacting KPMG. We will respond to you as soon as possible.

Contact KPMG

Use this form to submit general inquiries to KPMG. We will respond to you as soon as possible.

By submitting, you agree that KPMG LLP may process any personal information you provide pursuant to KPMG LLP's Privacy Statement.

An error occurred. Please contact customer support.

Job seekers

Visit our careers section or search our jobs database.

Search now!

Submit RFP

Use the RFP submission form to detail the services KPMG can help assist you with.

Submit

Office locations

View locations

International hotline

You can confidentially report concerns to the KPMG International hotline

Learn more

Press contacts

Do you need to speak with our Press Office? Here's how to get in touch.

Contact

Headline