
Governance and Business Continuity: A Strategic Alliance for Resilience
By R. Lotan, September 23, 2025

This second stop in our “Governance Universe” expedition series is the result of a great collaboration with M. Patrick S. Ayangma. The article explores practical levers of organizational resilience and, through resilience instruments drawn from international standards, regulatory frameworks, and real-world examples, proposes a structured approach to building a robust wall of resilience in anticipation and in the face of crises.

Introduction

The 2025 Allianz Risk Barometer makes a definite statement: cyberattacks, business interruptions, and natural disasters top the list of concerns for risk management professionals worldwide. These threats were ranked highest by the more than 3,700 experts surveyed across 106 countries, confirming their direct impact on operational and business continuity. Climate risks, industrial fire incidents, and political tensions follow closely, reflecting the growing prominence of both environmental and geopolitical threats. This landscape indicates that organizational resilience is no longer a mere strategic option; it has become imperative for survival, obliging companies to strengthen their governance mechanisms for crisis preparedness and response.

While the Allianz Risk Barometer sheds light on the more tangible, practical concerns of businesses in the face of immediate and emerging threats, the World Economic Forum’s Global Risks Report takes a broader view by identifying systemic risks on a planetary scale. Nonetheless, there are points of convergence: cyber incidents, extreme weather events, geopolitical tensions, and misinformation rank among the top ten risks in both reports. This overlap, despite stemming from different perspectives (one focused on operational resilience, the other on global stability), highlights the urgency for organizations to adopt integrated governance approaches. Such governance must be capable of addressing local threats while proactively anticipating global turbulence.

Illustration: Allianz Risk Barometer v WEF Classification of Top Systemic Risks for 2025

Among the most striking recent events, the COVID-19 pandemic stands out as perhaps the most significant illustration of the critical importance of organizational resilience. Due to its global scale and cross-sectoral impact, it marked a turning point — establishing many precedents in how businesses (should) anticipate, adapt to, and overcome crises. It disrupted supply chains, obliged large-scale remote work, and compelled companies to maintain critical services amid global uncertainty. On a more local scale, the ransomware attack on Colonial Pipeline in 2021 paralyzed a significant portion of fuel supply along the U.S. East Coast. Floods in Germany and cyclones in Mozambique also serve as stark reminders that crises can strike suddenly and severely test an organization’s capacity to survive.

These examples show that, regardless of the effort invested in rigorous and efficient management of business, IT, technical, and administrative operations, an organization’s ability to function continuously and sustainably remains vulnerable to both exogenous and endogenous shocks. Strategic monitoring of these influences, which are often sporadic and unpredictable, falls squarely within the scope of governance, which seeks to anticipate, guide, and reinforce organizational resilience.

It is within this context that (some) corporate governance frameworks reveal their full relevance. They offer principles and tools that empower corporate executives and boards to build a “wall of resilience,” anticipate disruptions, and safeguard business continuity—even in dire circumstances.

1. Noteworthy frameworks: when rules define resilience

Throughout this Governance Universe series, we draw on internationally recognized frameworks that chart the course for effective governance, applying them to critical areas such as business continuity, risk management, information security, operational excellence, financial reporting reliability, and even artificial intelligence. These standards—what we refer to as “instruments”—address essential dimensions including organizational structure, policy development, oversight, accountability, and control.

Having established both the historical and modern perspectives on governance, let us examine a selection of leading governance frameworks that have pioneered best practices in business continuity and operational resilience, both locally and globally.


ISO 37000 – Organizational Governance
ISO 37000:2021 sets out a governance framework grounded in principles such as long-term sustainability, risk management, accountability, and effective oversight. In the context of resilience, the standard underscores the importance for governing bodies to adopt a systemic and proactive approach to risk (see section 6.9 – Risk Governance) and to safeguard both viability and performance over time (section 6.11). It further advocates for the establishment of integrated governance structures (section 4.2) and robust internal control mechanisms to ensure business continuity amid disruptions.

ISO 22301 – Business Continuity Management Systems
ISO 22301:2019 is the global standard for business continuity management systems (BCMS). It mandates the identification of critical business activities, the execution of business impact analyses (BIA), the development of continuity strategies, and the implementation of recovery plans. Key requirements are detailed in Clause 6 (Planning: continuity objectives, BIA, risk assessment), Clause 8 (Operation: implementation and control of continuity plans), and Clause 9 (Performance Evaluation: testing, audits, and management reviews).

BCI Good Practice Guidelines (GPG) – Edition 7.0
The Business Continuity Institute’s Good Practice Guidelines (GPG) provide a comprehensive methodology for establishing and maintaining a BCMS. The guidelines are organized around six Professional Practices (PP), spanning from program initiation to validation.

PP1 – Establishing a Business Continuity Management Programme highlights the necessity of clear governance, including the assignment of roles and responsibilities, executive endorsement, and the creation of oversight mechanisms—formal steering structures tailored to the organization’s size and complexity. These may include continuity/resilience committees, cross-functional working groups, or dedicated coordination units overseeing the entire program.

Other best practices promoted by the GPG include embedding continuity into organizational culture, conducting business impact analyses (BIA), designing continuity strategies, designing innovative solutions, and validating them through testing, use, and audits.

Basel II and III Accords – Operational Resilience in the Banking Sector
The operational resilience principles published by the Basel Committee on Banking Supervision (BCBS) in March 2021 are designed to strengthen banks’ ability to withstand major disruptive events such as cyberattacks, technology failures, or natural disasters. These principles have their roots in a series of financial crises: the Latin American banking crises of the 1980s led to the creation of Basel I in 1988, while the shortcomings revealed during the global financial crisis of 2007–2009 prompted the development of Basel III.

Principle 10 of the Basel II framework, specifically within the “Principles for the Sound Management of Operational Risk” (Basel Committee, 2003, revised 2011), stipulates that banks must have business continuity and resilience plans in place to ensure the continuation of operations and to limit losses in the event of severe disruptions. These principles are built upon the three pillars of Basel II: (minimum) capital requirements, supervisory review, and market discipline. They are further enhanced by the liquidity and capital buffers, leverage ratio, and stable funding ratios introduced by Basel III to better address systemic and operational risks.

Solvency II – Governance and Business Continuity in the Insurance Sector
Delegated Regulation EU 2015/35 – specifically Article 258 – requires insurance and reinsurance undertakings to implement a business continuity policy aimed at safeguarding essential data and functions in the event of a disruption, or enabling their rapid recovery. The Prudential Regulation Authority’s (PRA) Policy Statement PS2/22 further strengthens these requirements by introducing impact tolerance thresholds for critical services and mandating that recovery plans be approved by governing bodies.

DORA Regulation – Digital Resilience in the European Financial Sector
Effective from January 17, 2025, the Digital Operational Resilience Act (DORA) requires financial entities within the European Union to establish a comprehensive ICT risk management framework. This includes mapping critical functions/activities, conducting business impact analyses (BIA), defining continuity strategies, performing regular testing, and reporting to competent authorities. DORA harmonizes digital resilience requirements across 20 categories of financial entities and their critical third-party service providers, introducing obligations for documentation, oversight, and information sharing.

NIS2 Directive – Cybersecurity and Continuity in Critical Sectors
EU Directive 2022/2555, known as NIS2, expands cybersecurity and resilience obligations across a wide range of sectors. Article 21(2)(c) requires essential and important entities to have business continuity and crisis management plans in place, including backup systems, emergency procedures, and dedicated response teams. Executives are directly accountable for compliance, and penalties can reach up to 10 million euros or 2% of global annual turnover.

FFIEC BCM – Continuity Governance in U.S. Financial Institutions
The Federal Financial Institutions Examination Council’s (FFIEC) Business Continuity Management Booklet, revised in 2019, presents a comprehensive, process-oriented approach to continuity, fully integrated into the risk management cycle. It requires a resilience strategy, the development of continuity plans, training and awareness programs, testing and exercises, as well as regular reporting to the board of directors. The guidance emphasizes aligning the continuity program with the institution’s strategic objectives and highlights the importance of proactive resilience. It should be noted that the FFIEC framework shares many similarities with the DORA regulation, even though their scopes and regulatory contexts differ.

COBAC Regulation – Business Continuity in Central African Credit Institutions
COBAC Regulation R-2008/01, applicable within the CEMAC region, requires credit institutions to establish a business continuity plan that addresses both technical and human factors. Governing bodies are responsible for defining a continuity policy, oversight of its implementation, and receiving reports on incidents, testing, and action plans. The plan must be audited regularly—either by an internal or external audit—and an annual report must be submitted to the board of directors. This framework aims to strengthen institutional resilience against major operational disruptions and to ensure the timely recovery of critical activities.

CIMA Regulation – Growing Resilience Requirements for African Insurers
In 2024, the Inter-African Conference on Insurance Markets (CIMA) strengthened its requirements for business continuity and risk governance for insurance and reinsurance companies operating in its member states. Regulation No. 010/CIMA/PCMA/CE/SG/2024, published in the December 2024 official bulletin, mandates that insurers establish a business continuity plan (BCP) that is updated at least annually to ensure the continuation of operations in the event of a disaster, crisis, or force majeure.

This plan must be part of a comprehensive internal control system, as defined in Article 331-15 of the Insurance Code, amended by Regulation No. 009/CIMA/PCMA/CE/SG/2024. The internal control framework must include an internal procedures manual covering all critical activities, automated information processing systems, and monitoring and risk management mechanisms to guarantee operational resilience.

Illustration: Organizational resilience is built like an edifice, brick after brick, necessitating the coordinated efforts of multiple stakeholders. The “wall of resilience” illustration captures this dynamic as a construction site scene, where workers—symbolizing leadership and key roles/functions—apply resilience instruments in their possession to build an organization that is both robust and sustainable.

2. Resilience in Action: From Anticipation to Adaptation—Lessons from the past

Organizational resilience can manifest in two ways: through strategic anticipation or reactive adaptation. Both approaches, though distinct, have enabled certain companies to overcome major crises.

2.1. Resilience through Anticipation: Preparing Before the Storm

Some organizations have successfully anticipated systemic risks through strategic investments and long-term vision. For example, Microsoft had already developed and deployed its Teams collaboration platform well before the COVID-19 pandemic. When remote work became the norm, the company was able to respond immediately to market needs, strengthening its position and increasing its market value. Similarly, Amazon had established an agile supply chain and massive storage capacity, enabling it to prioritize essential products and maintain operations in spite of global disruptions. Tesla, for its part, benefited from an integrated supply chain and solid digitalization, allowing it to continue production and deliveries—ultimately becoming the world’s most valuable automaker. These companies demonstrated proactive resilience, built on planning, innovation, and flexibility.

2.2. Resilience through Adaptation: Rapid Response

Other organizations, though initially caught off guard, managed to respond effectively to crises. In May 2021, Colonial Pipeline fell victim to a ransomware attack that paralyzed fuel supply along the U.S. East Coast. Despite lacking specific preparation for such an attack, the company collaborated with federal authorities to restore operations and strengthen its cybersecurity. The incident led to the creation of the Joint Cyber Defense Collaborative (JCDC) and the adoption of new security directives. In another context, Cyclones Idai and Kenneth, which struck Mozambique in 2019, severely impacted local businesses. Some, in partnership with NGOs such as ADRA, quickly organized the distribution of food, water, and shelter—demonstrating community resilience based on rapid mobilization and solidarity. These examples illustrate reactive resilience, grounded in the ability to improvise, mobilize available resources, and adjust priorities in real time.

Illustration: Anticipative v Adaptive Resilience Strategies

3. How to Build It: Your (Wall of) Resilience Toolkit

Building a robust resilience framework is a gradual process. In this section, we present a concise set of key actions that any organization can implement to construct its own “wall of resilience.” When this initiative is strategically led at the highest level, it ensures that efforts are aligned with the organization’s overarching vision and strengthens its ability to respond to crises.

Committee oversight – Orchestrating and Setting the Pace:
The board of directors delegates oversight to a specialized committee responsible for evaluating and monitoring the continuity program. Regular meetings help align decisions and actions with the organization’s risk appetite and overall strategy, as required by the FFIEC in the United States or COBAC in the CEMAC region.

Policies – Setting Direction and Leading by Example:
According to ISO 22301, management must formalize a continuity policy aligned with the organization’s strategic direction. This policy, drafted by the committee, approved by the board and communicated to all employees, serves as a compass for operational actions.

Risk Management – Anticipating to Withstand:
Mapping risks and conducting impact analyses are essential steps. Under Solvency II, for example, insurers must integrate continuity into their Own Risk and Solvency Assessment (ORSA), evaluating crisis scenarios and their impact on the company’s solvency. The board is responsible for supervising this process, approving the ORSA, regularly reviewing scenarios, and ensuring recovery strategies are in place to protect policyholders.

Reporting – Accountability and Building Trust:
Test results, recovery times, and incidents are regularly reported to committees and the board. DORA, in particular, emphasizes transparency regarding incidents involving third-party providers, highlighting reporting as a key supervisory tool. In the CEMAC region, banking regulations require that business continuity plans be regularly reported to executive bodies.

Audit and Internal Control – Verifying, Correcting, and Improving:
A credible continuity framework cannot exist without independent evaluation. Internal and external audits, validated by the board, assess the effectiveness of the framework and recommend improvements. ISO 22301 emphasizes continual improvement, while COBAC and CIMA require that continuity plans be reviewed annually by internal control and presented to the board.

Illustration: Resilience Toolkit

Conclusion: Governance—The Foundation of Resilience

Business continuity is far more than a glossy document carefully tucked in a drawer. It is a living process, rooted above all in active and committed leadership. Committees, policies, risk management, reporting, and audits are all levers that, when effectively (and consciously) deployed, transform a vulnerable organization into a resilient one.

Recent crises—whether health-related, climatic, or cyber—remind us that no organization is immune. As Dr. Tedros Adhanom Ghebreyesus, Director-General of the World Health Organization (WHO), stated in his opening address at the World Governments Summit on February 12, 2024: “And there will be a next time. History teaches us that the next pandemic is a matter of when, not if.” The real question, then, is not if a crisis will occur, but WHEN. On that day, resilience will depend directly on the measures put in place today through various resilience levers.

Rather than being viewed as regulatory constraints, governance should be seen as the foundation that enables organizations to withstand crises and create value sustainably—even amidst adversity.

Are you truly prepared to face the next crisis? We invite you to take this quick self-assessment of your resilience and governance maturity. Building your “wall of resilience” is a concrete first step toward transforming good intentions into a robust and sustainable governance framework.

Download our curated Resilience Governance Self-Assessment Questionnaire.
