Resilience, When You Don’t Get to Choose the Disruption

As 2025 draws to a close, many people around the world are entering a season of reflection. Whether marked by Christmas, Hanukkah, the New Year, or other traditions, this is a time when we pause, look back on what the year demanded of us, and consider what lies ahead.

For my wife (Mandi) and me, this moment carries particular gravity.

She has completed chemotherapy. She has completed immunotherapy. What remains are reconstruction surgeries in 2026. We are, without question, on the other side of a journey that reshaped our lives. What stays with me most is not simply what she endured, but what the experience revealed about resilience itself.

She entered cancer treatment healthy. She had been attentive to her health for years. There was no family history of cancer. Genetic testing showed no inherited predisposition to cancer. Every comforting narrative we tell ourselves about risk, probability, and control said this should not have happened . . . And yet, it did.

That reality dismantles a deeply human assumption: that if we prepare well enough, follow the rules closely enough, and do the right things consistently enough, disruption will pass us by . . . It does not.

What followed was not dramatic defiance or inspirational slogans. It was something far more instructive: resilience practiced quietly and relentlessly. Adjusting expectations. Preserving energy. Accepting uncertainty without surrendering purpose. Continuing forward without guarantees.

That experience has profoundly shaped how I now think about strategic and operational resilience in organizations — particularly as regulatory conversations intensify heading into 2026.

Operational resilience is not earned through compliance

In many organizations, resilience is still treated as a destination: something you arrive at once controls are mature, audits are clean, and frameworks are documented.

But resilience does not work that way . . .

  • Resilience is not a certification.
  • It is not a policy.
  • And it is certainly not a reward for good behavior.

Resilience is the capacity to continue delivering what matters most when disruption occurs anyway, often in ways that defy models, probabilities, and prior experience.

This is where many operational resilience programs quietly fail. They are built on the assumption that disruption is an exception, rather than a recurring condition. They emphasize prevention and preparedness, but struggle when systems, suppliers, people, and decisions collide under stress.

Just as health does not guarantee immunity from illness, strong controls do not guarantee immunity from disruption. What matters is how the organization responds, adapts, and sustains its purpose when assumptions break down.

Why operational resilience has become a universal concern

Operational resilience is no longer confined to financial services or “critical infrastructure” labels. The modern enterprise — regardless of industry — delivers value through dense networks of dependency:

  • Digital platforms and data flows
  • Cloud services and managed providers
  • Third-party and fourth-party ecosystems
  • Physical facilities and human decision-making
  • External infrastructure such as energy, telecoms, and transport

When disruption occurs, it rarely respects organizational boundaries. Failures cascade. Delays compound. Recovery becomes nonlinear. This is why operational resilience has shifted from a technical discipline to a strategic capability. Organizations are increasingly judged not by whether incidents occur, but by whether they can:

  • Continue delivering critical services
  • Stay within tolerable levels of exposure
  • Recover with speed and coordination
  • Learn and adapt without repeating failure

This service-centric view of resilience — focused on outcomes rather than components — is the common thread running through today’s regulatory landscape.

DORA: a clear expression of resilience as performance

Among global regulatory initiatives, DORA stands out not because it introduces entirely new ideas, but because it forces organizations to operationalize them.

DORA reframes digital operational resilience as an enterprise obligation tied directly to business services, third-party dependencies, testing discipline, and evidence-based assurance. Its real impact will not be measured by how many policies were written, but by how organizations perform under sustained supervisory scrutiny.

As we move into 2026, DORA enters its most consequential phase—not implementation, but practice (see end of this article for upcoming webinar). This is the moment when organizations discover whether resilience is embedded in how they operate, or merely described in how they document.

The shift is subtle but profound. Under mature DORA supervision, questions change:

  • Not “Do you have a framework?” but “Does it work under stress?”
  • Not “Is this risk assessed?” but “Can you stay within tolerance?”
  • Not “Is this vendor critical?” but “What happens when they fail—and how do you know?”

Testing becomes more than validation; it becomes revelation. Third-party oversight becomes systemic, not contractual. Evidence becomes continuous, not episodic. And resilience begins to look less like compliance—and more like organizational fitness.

Supporting signals from the wider regulatory landscape

DORA does not exist in isolation. It is part of a broader convergence of resilience expectations globally.

In Europe, UK Operational Resilience has been in place for several years. NIS2 reinforces that cyber incidents are operational disruptions with governance, reporting, and accountability consequences. CER broadens the lens further, emphasizing resilience across physical, environmental, and systemic threats to essential services.

Outside Europe, Australia’s CPS 230 offers one of the clearest tolerance-based expressions of operational resilience, explicitly linking critical operations, disruption limits, continuity capability, and service provider governance.

Beyond these, there is a growing body of resilience regulation and guidance emerging from jurisdictions such as Hong Kong, Singapore, the BIS, and U.S. regulators including the OCC, each reinforcing, in different language, the same fundamental principle: organizations must understand what matters most, design for disruption, and prove their ability to endure. The important point is not the differences between these regimes. It is the shared direction of travel.

The danger of compliance-first resilience

One of the greatest risks organizations face heading into 2026 is mistaking regulatory alignment for resilience, a mindset that erroneously thinks:

  • Compliance can be achieved without capability.
  • Documentation can exist without coordination.
  • Testing can occur without learning.

A truly resilient organization does not ask, “Which regulation do we need to satisfy?” It asks, “Can we continue to serve our purpose when our environment becomes hostile?”

That question naturally drives a holistic resilience program—one that integrates:

  • Business services and value delivery
  • ICT and digital dependencies
  • Third-party and concentration risk
  • Scenario-based and adversarial testing
  • Incident response and recovery governance
  • Continuous assurance and learning loops

Regulations like DORA are not the destination. They are the forcing function that exposes whether this integration actually exists.

Closing 2025, looking toward 2026

As this year comes to an end, resilience feels less like an abstract concept and more like a lived reality — for me and Mandi, personally.

Resilience is not about eliminating uncertainty. It is about continuing with intention when certainty disappears. It is about designing systems that bend without breaking. The organizations that embrace resilience as a principle, not a checklist, will find themselves better prepared not just for supervisors, but for the world as it is.

I’ll be expressing these thoughts in more detail — particularly what DORA in practice means as we move into 2026, and how organizations can evolve from regulatory readiness to sustained operational resilience — in my upcoming session:

DORA in Practice: What’s Next for Operational Resilience in 2026
January 6, 2026 | 12:00–1:00 pm | London, UK
