Digital Risk and Resilience: Orchestrating for Digital Trust
Inevitability of Failure: the Digital Ecosystem of Business
Every organization today is defined by the digital fabric and architecture on which its operations rely. This fabric is sprawling, complex, and interdependent. The systems, processes, and relationships that sustain modern business are increasingly digital, and increasingly fragile. This reminds me of the U.S. National Security Agency (NSA) paper from the 1990s, The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments, which was foundational in my early career. The reality is that this is no longer just about the IT department, the data center, or even the historic CISO role. The digital architecture of the enterprise is now the architecture of the business itself.
We have seen in stark terms how this fabric can unravel . . .
- CrowdStrike. In 2024, a CrowdStrike update spiraled into global disruption. This was not a hacker, virus, or worm — it was a trusted vendor’s software failure, rippling across industries and bringing down organizations worldwide.
- U.K. Retail Attacks. Earlier this year, the United Kingdom retail giants Marks and Spencer, Harrods, and the Co-Op faced devastating cyberattacks and ransomware that crippled operations and shook customer trust.
- Ascension Ransomware. In healthcare, Ascension Hospital’s ransomware crisis last year was a chilling reminder that digital failure does not just stop business; it can endanger lives.
- Southwest Airlines Digital Meltdown. Southwest Airlines’ holiday meltdown was driven by outdated crew scheduling and IT systems that failed to track and reassign staff during winter storms, turning a weather disruption into a full-scale operational collapse.
Each of these events underscores a reality we can no longer ignore: digital risk is systemic, enterprise-wide, and existential.
What makes digital risk so challenging is not just the sophistication of threats but the convergence of multiple risk factors. Human error continues to cause outages and breaches through simple missteps. Malicious behavior — whether from insiders or external adversaries — adapts constantly. The relentless pace of change across infrastructure, applications, and cloud transformation adds new exposures by the day. And perhaps most precariously, organizations now operate in vast digital supply chains where one weak link can send shockwaves across thousands of entities. In practice, disruption often emerges from a combination of these elements, such as:
- A misconfiguration in a cloud environment paired with a rushed change window.
- A ransomware attack on a supplier that cascades into dependent operations.
- An insider error or action that intersects with a system update or third-party service.
This intricate web means digital risk management cannot be siloed into compliance checklists or narrowly scoped security controls. It must be orchestrated, decision-driven, and tied directly to business objectives.
Rearchitecting to Digital Risk & Resilience for Digital Trust
Too many organizations still treat digital risk as a matter of regulatory compliance or a set of prescribed controls. But compliance alone is not resilience, and certainly is not risk management. Controls alone cannot deliver digital trust. True resilience begins with clarity of objectives — understanding what the business is trying to achieve and how digital capabilities support those goals.
From there, organizations must build foresight into their approach: anticipating disruption, simulating scenarios, and preparing adaptive responses. And it requires integration — weaving governance, risk management, and compliance into the very design of digital business operations rather than layering them on afterward. This is digital risk and resilience management to deliver digital trust.
The digital supply chain highlights why this is so urgent. Organizations depend on ecosystems of cloud providers, SaaS vendors, outsourcers, and digital partners. These relationships provide value but also amplify fragility. A single failed software update, as with CrowdStrike, can cause cascading outages. A ransomware-hit partner can expose data far beyond their own network. Even a brief supplier outage can paralyze entire business units. Managing this requires more than vendor scorecards or compliance attestations. It requires the ability to map dependencies, monitor signals, simulate breakdowns, and design resilience into interconnected digital ecosystems.
GRC 7.0 – GRC Orchestration of Digital Trust
This is where the future of GRC comes into play. GRC 7.0 — GRC Orchestrate provides the architecture to meet this challenge (as long as strategy and process are in place). It is not about defense alone but about foresight and trust. This does not eliminate risk to objectives but enables resilience so they can be achieved:
- Agentic AI. With agentic AI, organizations can sense risk in real time, analyze context, and support decision-making at scale.
- Digital Twins. With digital twins, they can model supply chains, business processes, and systems, simulate disruptions, and evaluate recovery strategies before crises strike.
- Orchestration. With orchestration, resilience becomes embedded into governance, objectives, performance, and compliance, ensuring trust is designed into digital operations rather than left to chance.
The organizations that will thrive are those that embed resilience into their DNA. This is not a technical initiative but a business imperative. Digital trust is earned not through slogans but through deliberate strategy, careful design, and continuous execution.
On October 1st in London, I will be leading the Digital Risk & Resilience Management by Design workshop — a full-day session delivering a blueprint for building agile, integrated, and context-aware digital resilience programs. We will explore how to align digital risk with enterprise objectives, shift from reactive continuity to proactive resilience, and use emerging technologies like agentic AI and digital twins to orchestrate trust across complex ecosystems.
Digital risk is the business risk of our time. The question is no longer whether disruption will occur, but how ready your organization will be to anticipate, absorb, and adapt. The future belongs to those who design resilience into their digital architecture — and orchestrate digital trust.
