
Creating Operational Resilience: How to Align Compliance and Risk Management for Operational Success

  • Learn the Essentials of Operational Resilience: Discover what operational resilience means, why it’s a regulatory focus, and how it impacts your organization.
  • Identify and Manage Risks Effectively: Understand your organization’s risk environment and apply proactive strategies to minimize disruptions.
  • Strengthen Your Incident Response: Implement proactive incident response measures and leverage best practices to enhance resilience and maintain compliance.

With the multiple regulations regarding information security entering into force over the past two years, 2025 marks a new era for organizational compliance.

These regulations span from the European Union, with the likes of the Digital Operational Resilience Act (DORA) and the Network and Information Security Directive 2 (NIS2), to America, with the Cybersecurity Maturity Model Certification (CMMC), and even Australia, with the Cyber Operational Resilience Intelligence-led Exercise (CORIE). All of them touch one central theme: operational resilience.

All these regulations raise the question of what resilience is and what operational resilience looks like in best practice, with reference to compliance.

To answer those questions, we will analyze several components of resilience and identify those that are crucial for your resilience journey, as well as some additional measures that make that journey a little bit less onerous and burdensome.


Origins of Operational Resilience

As I mentioned at the beginning of this piece, operational resilience is a phrase that now appears across regulatory landscapes.

Whilst operational resilience has loosely formed the basis of many best practice information security frameworks dating back to the late 1990s and early 2000s (BS 7799, NIST 800-34), it was never explicitly mentioned until the release of the CERT Resilience Management Model (CERT-RMM) by Carnegie Mellon in 2006.

This model took the then innovative approach of looking across numerous domains critical to business efficiency, such as security planning and management, business continuity and disaster recovery, as well as IT operations and service delivery, then harmonizing them under the umbrella of operational resilience.

Today’s approach is similar, but due to technological advancements, the scope of this exercise is now significantly larger than originally conceptualized. Nevertheless, in looking at many of today’s modern information security frameworks, you can see the pertinence of the concepts discussed in CERT-RMM and how they have molded today’s holistic approach to managing information security and operational resilience as distinct but related disciplines.


Understanding Your Organization’s Risk Environment is Key

Having now learned the origins of operational resilience, you may be asking yourself, what is the first step I can take to make my organization more resilient?

The first aspect of resilience that is absolutely crucial is to identify the risk environment in which your organization operates. Without a proper understanding of this, your organization will ultimately be unable to respond to any potential incidents or events in an efficient, effective, and cohesive manner.

To take the initial steps to understand the risk environment, you should first look at the organization as a whole. Ask yourself and business unit leaders what they see as the top risks to the business.

It’s important to identify and review all risks across your organization so that no area is left out of this process. Some of the most common risks that are typically identified during such discussions include:

  • Reputational risk: anything negative that has the potential to impact public perception
  • Regulatory and non-compliance risk: violations of existing laws, civil litigation, failure to comply with new laws
  • Financial risk: credit risks, cash flow problems, poor investments, loss of investment
  • Environmental risk: pandemics, natural disasters, geopolitical instability
  • Operational risk: supply chain interruption, human error, occupational health and safety hazards
  • Technology risk: malicious attacks, outdated applications, lack of necessary skills and knowledge

Once risks have been identified, you can begin to treat these risks through mitigation, modification, transferal, or acceptance. It is important to remember that reviewing your risks and their associated treatments regularly is just as important as the initial identification phase.


Incident Response: Proactive is Better than Reactive

Now that you have identified and are starting to treat the risks to your organization, you might ask yourself, how could an incident affect operational resilience?

The answer to that question is fundamentally covered by the notion that your incident response function should aim to be as proactive as practicable. Whilst risk management inherently feeds into this concept, it is important to ensure that incident response, which is primarily considered to be reactive in nature, has some key proactive elements that supplement that reactive tendency.

So, what proactive measures can you take?

In today’s environment, a necessary measure is to have multiple tools in place to detect and prevent incidents before they occur.

Such tools may include mechanisms such as a SIEM, IPS, and IDS, as well as a host of aids such as EDR and SOAR; physical security deterrents such as CCTV and alarms also fall within this category.

Although all of these tools can be incredibly useful, you should not only configure them to address the threats faced by your organization but also ensure they are complemented by processes and policies that detail how your organization intends to make use of them: who is responsible for their implementation, execution, and review. Without adequate guidelines and ownership, these tools cannot be utilized in a way that maximizes their proactive capabilities.

Running parallel to tooling and processes are incident response exercises. These can include practice activities such as testing your incident response or other associated policies, conducting tabletop exercises with various business functions, and even more technical measures such as red and blue teaming.

However, these more practical exercises must be followed by a review to evaluate how your organization responded and whether any processes or tools need to be updated or reconfigured; changes to existing processes and controls need to be documented and tracked to ensure they actually take place. By conducting and using all the above mechanisms and activities, your organization can maximize the proactive nature of its incident response function, increasing your overall operational resilience.


Can I Take a Shortcut to Operational Resilience?

Whilst there is no quick way to become operationally resilient, here are a few ideas that can assist in this journey.

As previously mentioned, many best practice frameworks, such as ISO 27001 and the NIST CSF, feature key operational resilience themes. In fact, ISO 27001 is a risk-based approach to managing your information security environment and therefore, at its core, emphasizes resilience.

This notion is only further stressed when examining the ICT Risk Management Regulatory Technical Standard (RTS) that supplements the Risk Management Pillar of DORA.

Upon closer examination, you can see that many of the requirements of this RTS document are drawn from ISO 27001:2013. Moreover, DORA mentions in Recital 47 that it was largely inspired by these best practice sources.

You may be wondering what all of this means. These best practice frameworks inspire a large part of DORA, meaning that if you already comply with or measure against one of them, you should be well on the way to being operationally resilient and already compliant with many DORA requirements.

Due to the large number of organizations that are compliant with or certified to such frameworks, utilizing and building upon these can not only significantly reduce your workload but also help you in progressing the maturity of your operational resilience.


Conclusion: Operational Resilience is the New Norm

Ultimately, as the compliance landscape around information security continues to evolve, operational resilience will continue to become more important and necessary. By taking steps now, regardless of whether or not you may be within the scope of these regulations, you can not only further mature your approach to information security but also provide greater stakeholder and customer reassurance.

Operational resilience managed through proactive steps is the new norm and is likely something that will affect your organization or supply chain soon. Getting ahead of the curve and implementing these measures now can pay off considerably in the long run.

For more information on how Trustwave can help you on your compliance or operational resilience journey, reach out to the cyber advisory team.
