Emerge stronger through disruption

Ep. 36: OpRes 2.0: Modernising Operational Resilience

PwC

Our GCCR co-leader Dave Stainback is joined by Shawn Lonergan and Phil Marina to discuss why now is the time to modernise your operational resilience programme.

David Stainback: Hello everyone, and welcome to the Emerge Stronger through Disruption podcast series. I'm Dave Stainback, co-leader of PwC’s Global Centre for Crisis and Resilience, or GCCR for short. And I'm coming to you today from our office in Atlanta, Georgia. The aim of this podcast series is to explore the challenges facing businesses in this environment of constant crisis and change, and discuss how successful business leaders can emerge stronger through disruption.

Before we dive into today's conversation, if you're enjoying the Emerge Stronger Through Disruption podcast series, please subscribe wherever you get your podcasts and consider leaving a comment or a like. Hearing from you helps us know that we're connecting, and it also helps more people discover the show. So thanks so much for your support. 

Today, we're diving into operational resilience (OpRes) - why now is the time to modernise your programme and what that really means now and into the future. Joining me today to explore this topic are two of my awesome partners, Shawn Lonergan, my US co-leader on all things resilience, and Phil Marina, our partner who specialises in GRC technology platforms and enablement. More and more we find that combining resilience expertise with the ability to configure and implement technology enablement is the key to bringing resilience programmes to life. Welcome Shawn and Phil. 

Shawn Lonergan: Thanks Dave, and hello everyone.

I'm Shawn and I'm happy to be back on this podcast series and to be part of this discussion today with Dave and Phil. I'm excited to dive into this topic given how critical operational resilience has become, especially in the current risk environment. Do you not agree, Phil? 

Phil Marina: I do. 100% Shawn. The three of us published a whitepaper on modernising operational resilience recently, and it has spurred so much interest that it'll be great to talk more about the topic here today.

David Stainback: Excellent. So let's get started. Phil, help us set the context. What's driving the need for operational resilience modernisation in your mind? 

Phil Marina: Great question. Many organisations have historically looked at operational resilience as a compliance-driven expectation. They have business continuity plans and disaster recovery plans at the ready, but just going through the motions is not sufficient in today's world. Given these types of disruptions we are seeing, resilience can't be accomplished through paper-based or compartmentalised plans. Integration and technology enablement are critical and many companies aren't there. 

What we've seen is they have disparate ownership between risk, operations, IT and security functions, manual and disconnected processes for testing, reporting, and dependency mapping, outdated recovery plans unable to keep pace with digital transformation, and limited visibility into dependencies across critical services, vendors, and infrastructure. 

David Stainback: Yeah, that really highlights the problem with old school resilience planning, doesn't it? Manual siloed efforts are no longer enough. Shawn, from your perspective, how do you see this shift impacting organisations today?

Shawn Lonergan: Great question. We live in a hybrid connected world. As digital interdependencies grow across cloud, AI, and third-party ecosystems, organisations need end-to-end visibility and a focus on continuous resilience instead of response and recovery. Technology, such as a GRC platform built on foundational data models, is critical to seeing these complex interconnections, understanding the implications if something fails and maintaining your resilience as an organisation.

Regulators and standard setters are aligning around addressing these interdependencies as well. In the financial services sector, you see a lot of focus in the United States between the Federal Reserve Board and the Office of the Comptroller of the Currency. In the EU there's been a number of legislations that have come out in this space. The UK with the PRA has been very adamant about pushing certain standards, as has Canada's OSFI office. Furthermore, you see this from a cyber lens. In the US you have the National Institute for Standards and Technology, NIST, which updated their cybersecurity framework to 2.0, which goes clearly beyond cybersecurity to include things like governance, risk and resilience, and reinforcing the need for unified oversight, not fragmented efforts.

David Stainback: Fully agree. And in fact, in an earlier episode of this series, I think it was episode 34, on turning compliance into strength, we explored the resilience regulations landscape, part of what you just started to outline Shawn, and unpacked how to take a strategic approach to resilience that also meets those tactical regulatory requirements.

And we also found in our last Global Crisis and Resilience Survey that 89% of business leaders recognise organisational resilience as an important strategic priority. Now is the time to take action. So let's dive a little deeper into what a modernised programme looks like. You wanna take the lead there, Phil?

Phil Marina: Yes, happy to. Fundamentally, it's about having an interconnected data model and modern technology that allows you to see the dependencies that Shawn references and understand the implications if something goes down. At the end of the day, disruption does happen. The key question is how do you link that back upstream to see what processes, servers, systems, or vendors are impacted?

If you don't have that linkage, it is literally nearly impossible to understand the downstream impacts. Let's say one of your critical vendors suddenly falls victim to a ransomware attack and can no longer fulfill orders. Without a modern, interconnected programme, your teams only discover the problem when your own delivery deadlines are missed, creating cascading impacts to production and customer satisfaction. Think about a world where you have a comprehensive data model that maps vendor dependencies to your internal services and processes. You can immediately see what areas will be affected. That enables proactive communication, the activation of alternative suppliers and rapid mitigation steps to minimise the business impact.

Now, imagine your critical vendors are clearly identified along with your total spend, and the dependencies tied to each of them across your services and processes. With that foundation in place, you can start seeing patterns and risk signals emerge before the worst case scenario occurs. Instead of only reacting when a vendor goes down, you can detect early indicators, understand how those risks could affect your services and operations, and take action earlier. If a disruption does happen, the organisation can respond much faster and in far more of a coordinated way because everyone understands the total impact. 

Shawn Lonergan: That is a great point, Phil, and this visibility does allow you to knock down risk.

Think of the 2021 blockage of the Suez Canal by a stranded container ship, which isn't too dissimilar to what we are seeing right now with the situation in the Strait of Hormuz. Many organisations relying on just in time delivery felt the immediate fallout. But imagine a system that simulates such disruptions, quantifies your exposure and provides actionable insights into alternative supply routes or contingency plans, enabling proactive rather than reactive management. That visibility is a means to proactively take measures to mitigate the effects of a disruption in many cases faster than your competitors.

David Stainback: Those are great examples Shawn. Let's talk a little bit more about the technology platforms that support modern operational resilience. 

Shawn Lonergan: There are a number of GRC tool options. What these systems do is facilitate the end-to-end visibility or the connecting of the dots that we've been talking about, and they connect risk, continuity, IT operations, and third-party data so that unified decisions can be made quickly.

With these capabilities, you can map and manage business services, assets and dependencies in one unified system of record. They support scenario planning, signaling disruptions, and stress testing operations against impact tolerances. They provide real-time monitoring for proactive issue detection and rapid response, and they allow you to automate, select response communication, and escalation procedures.

That's just a few of the features. We're not here today to talk at length about modern GRC tooling, so I'll stop there. But it's very important to recognise that the tool is not a magic bullet. You can have the best tool and architect the heck out of it, but if you don't have your core foundational data to support it, the tool can't make up for that.

Phil Marina: Thanks Shawn. And while these GRC platforms offer fantastic capabilities like mapping, dependencies and testing, they're only as good as the data and processes behind them. Without clean, accurate, and integrated foundational data and a strong collaboration across risk, IT and operations, these tools can't reach their fullest potential.

David Stainback: That is a really critical point there, and it's something that the three of us see all the time as we're helping organisations try to solve these problems. And it leads me to my next question for you two. We're talking about foundational data elements and data models. What are the foundational data elements that you need to make this doable?

What are the non-negotiables? Phil. 

Phil Marina: To your point, Shawn and Dave, we see this all the time being the biggest barrier of entry. One of the biggest hurdles organisations face is simply getting started with the right foundational data. Many don't have a complete inventory of their critical assets. You may also find gaps in processes or lack of processes in their entirety, or vendor relationships.

The key is to break things down. Start by identifying your highest priority assets and processes and then starting to build from there. Resiliency ultimately relies on the strong foundational data and the mapping between them. That means understanding things like your critical services and processes, your L-1 through L-4 processes and technology landscape, tiering of your vendors, the tiering of your critical assets, and often tracked through tools like a CMDB, a configuration management database. But just identifying these elements isn't enough. The real value comes from understanding how they're connected. When you map the relationships between your processes, technology, vendors, and critical assets, you can clearly see the dependencies and understand how a disruption in one or many of these could impact the rest of the organisation.

Shawn Lonergan: Creating good process maps can be seen as a huge and daunting initiative, but there's so many benefits from doing this for the organisation. You now have structure in a way that you think about your organisation, and you can assess the risk associated with all kinds of scenarios. You know, as I said, this may seem like a lot to take on, but there are many ways to break it down and get started based on your level of maturity.

Start the journey around foundational elements, even if you don't have your CMDB fully squared away. From there, identify those critical assets and single points of failure that you need to prioritise recovery of, and enable other compensating controls to limit their downtime. 

David Stainback: Thanks Shawn and Phil.

This was really a great discussion and I know this is an area where PwC is investing heavily in our capabilities and we were honored to be positioned at the very top of the leaders category in the 2025-2026 IDC Marketscape for worldwide cybersecurity, governance, risk and compliance consulting services.

And as we look ahead, technologies like AI-enabled risk sensing and digital twin simulations promise exciting new capabilities. But it's important to remember that those don't replace the foundational data and processes that you're building today. They amplify them. So building a resilient organisation starts with getting the basics right and then layering in innovation.

Shawn Lonergan: Absolutely. These capabilities are on the horizon and within reach as companies advance their operational resilience maturity, and invest in modern platforms to scale and grow with them. It's really about connecting people, processes, data, and technology into a single framework, enabling you to recover faster, safeguarding your value and earning the trust of your customers.

David Stainback: Well, I want to thank you both. I think this is a great place to wrap this up. To our listeners, thank you for tuning in. In upcoming episodes of Emerge Stronger Through Disruption we'll continue to tackle the topics that keep business leaders up at night, and we'd love to hear ideas from listeners about topics you'd like for us to address.

So please get in touch with Shawn, Phil and me on LinkedIn, and in the meantime, remember to subscribe to Emerge Stronger wherever you get your podcasts. Until next time, stay resilient and prepared for whatever challenges come your way.

VO: Copyright 2026 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.PwC.com/structure for further details. This content is for general information purposes only and should not be used as a substitute for consultation with professional advisors.