What comes to mind when you think about organizational resilience? For many, it’s about safeguarding their business against disruptions such as physical system failures—as seen recently in Spain—natural disasters, or cyber threats, with cybersecurity often taking center stage.

In fact, according to Deloitte, while 88% of C-suite executives consider resilience a priority, only 39% have a clear and shared definition of what resilience actually means for their organization. Importantly, organizational resilience is not just about prevention, but also business continuity after system failures.

The past two decades have seen resilience strategies needing to be adapted for software instead of hardware, with many simply applying traditional approaches to new technology. Common strategies include N+1 and 2N+1 redundancy, which entail workloads either running on one system with another as a back-up, or running across two with a third as back-up. This is to remove single points of failure and maintain operations in the event infrastructure components fail.

However, in hybrid cloud environments, a more comprehensive approach to organizational resilience is needed, one that includes a complete map of all potential threats. This is the direction regulators have recently been taking, with an “all hazards approach” in regulations like the EU Digital Operational Resilience Act (DORA, for the financial sector), the Network and Information Security Directive 2 (NIS2, for critical infrastructure) and the Cyber Resilience Act (CRA, for product security).

Let’s focus on cyber first

Cyber is the priority threat that companies spend millions trying to protect themselves against. This threat has become increasingly complex in the world of AI because AI systems increase vulnerabilities by expanding attack surfaces while also introducing new and more sophisticated threats, creating unprecedented security challenges.

Moreover, AI-dependent infrastructures require robust cyber resilience frameworks that protect not just data but the integrity of autonomous decision-making systems that are increasingly gaining traction with the likes of agentic AI.

If these systems are built in a hybrid cloud environment, you can’t always rely on your public cloud provider to ensure robust security measures. Take matters into your own hands – any workload you run must have built-in resilience across multiple layers of the architecture. What’s important here is to deploy a solution that delivers defense in depth and is agnostic of the workload and the cloud solution within your tech infrastructure (public or private) – while also providing centralized control.

Regular simulation scenarios are important to test your solution and make sure it actually works as intended. What works in theory often fails under real-time stress. This is no longer just a security best practice but, for some sectors, a regulatory requirement, as shown in the text of DORA and the accompanying Regulatory Technical Standards (RTS).

Protecting against global events and changing regulations

Another key resilience consideration is the impact of external forces beyond cyberattacks. We live in uncertain times with geopolitical tensions increasingly affecting the tech landscape. For instance, global conflicts not only result in regional instability but can lead to supply chain disruption and, in extreme cases, entire areas being cut off. 

Organizations need strategies in place that allow for workloads to be moved at speed, without any compliance constraints. And certain hardware may become unavailable on short notice due to supply chain disruption.

The global regulatory landscape continues to fragment regionally. As the recent imposition of trade tariffs demonstrates, global regulatory divergence can not only have serious cost implications, but may necessitate a re-wiring of organizational structure to reflect the regions the organization is focused on.

Organizational resilience should also factor in potential future regulatory changes. For instance, although DORA and the accompanying RTS have been years in the making, could versions of the EU financial sector’s DORA legislation, with some unique regional or local characteristics, emerge much faster in other countries?

This would require implementing robust digital risk assessment frameworks at a local or regional level with clear governance structures, while establishing comprehensive incident response capabilities that document compliance. Sovereign cloud solutions can help build resiliency here – allowing for continued innovation while enabling regulatory compliance.

An internal review

There are a number of internal factors that can impact an organization’s operational resilience. Look at your tech contracts, for instance, and the conditions and clauses within each. Workloads need to be built and managed in a platform-agnostic way to provide flexibility and adaptability in your systems, and you should consider the importance of portability for certain workloads.

Continuous upskilling of your workforce is also important. Investing in comprehensive skills development creates organizational resilience through cross-trained employees who eliminate single points of failure and respond effectively to different challenges. This strategy ensures team capabilities overlap, fosters adaptability, improves incident response, and develops collective intelligence that enables quicker recovery from disruptions.

So, what’s next?

Building a hardened, integrated 2N+1 stack, or splitting across two Tier 4 data centers, is no longer sufficient for the resilience needs of today, and for some industries it may not even be legally sufficient to remain compliant.

Once dependencies are mapped out, organizations need to turn to platforms that will enable business continuity and disaster recovery by giving them the flexibility to run their critical workloads across multiple cloud environments (private, public, and edge), with the ability to move between them at speed if needed. IT management also needs to ensure that these platforms have built-in disaster recovery and failover capabilities, so that critical applications remain available even in the event of a disruption.

Essentially, after thoroughly documenting system dependencies, organizations must bake resilience into their platforms and their application architectures – designing them to operate seamlessly across diverse environments. These solutions should enable workloads to transition between private infrastructure, public cloud providers, and edge locations without significant disruption, preventing single points of failure that could compromise operations during outages.

They must incorporate automated failover mechanisms that continuously monitor system health and rapidly redirect processing when issues are detected, with minimal human intervention required. Where human intervention is required, it’s important to surround yourself with partners who act as a continuation of your internal team, providing experience-driven consultancy and insights.

This comprehensive approach to resilience – combining distributed computing environments with automated and intuitive recovery systems – allows organizations to achieve true operational continuity that addresses both cybersecurity threats and broader operational disruptions while enabling continuous monitoring.


This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.