[OR] [ISACA] [CIAG] [C8] Key Challenges & Pitfalls

Chapter 8

Key Challenges & Pitfalls

Introduction

While the concept and framework of operational resilience are increasingly well understood, many organisations encounter significant challenges in implementing and sustaining it in practice.

Despite strong intentions, well-documented frameworks, and regulatory guidance, the journey from concept to capability is often complex and uneven.

These challenges are not unique to any one industry.

Whether in financial services, healthcare, manufacturing, or the public sector, organisations frequently face similar obstacles—ranging from cultural resistance and organisational silos to technical complexity and unrealistic expectations.

This chapter highlights the most common challenges and pitfalls encountered during the implementation of operational resilience. More importantly, it provides practical insights into why these issues arise and how organisations can address them effectively.

Purpose of the Chapter

The purpose of this chapter is to enable the reader to:

• Identify the key challenges faced during operational resilience implementation
• Understand the root causes behind common pitfalls
• Recognise the warning signs of ineffective implementation
• Learn practical mitigation strategies
• Strengthen the organisation’s ability to build a sustainable resilience capability

By the end of this chapter, the reader will be better equipped to anticipate and avoid common mistakes.

Challenge 1: Misunderstanding Operational Resilience

The Issue

Operational resilience is often misunderstood as:

• A rebranding of Business Continuity Management (BCM)
• A compliance requirement
• A purely risk management exercise

Impact

• Limited scope of implementation
• Failure to integrate across functions
• Lack of meaningful outcomes

Root Cause

• Lack of clarity at the leadership level
• Insufficient awareness of resilience concepts

Mitigation

• Establish a clear, organisation-wide definition
• Conduct executive-level briefings
• Position resilience as a strategic capability, not a function

Challenge 2: Treating Resilience as a Compliance Exercise

The Issue

Organisations focus on:

• Documentation
• Audit readiness
• Regulatory reporting

Instead of:

• Building actual resilience capability

Impact

• “Paper compliance” without operational readiness
• False sense of security
• Failure during real disruptions

Root Cause

• Compliance-driven culture
• Overemphasis on audits

Mitigation

• Shift focus from “Are we compliant?” to “Are we resilient?”
• Incorporate scenario testing as a core requirement
• Measure outcomes, not documentation

Challenge 3: Failure to Identify True Critical Business Services

The Issue

• Too many services are classified as “critical”
• Confusion between processes and services
• Lack of clear prioritisation

Impact

• Diluted focus
• Inefficient allocation of resources
• Ineffective response during the disruption

Root Cause

• Lack of structured criteria
• Insufficient business engagement

Mitigation

• Apply clear CBS identification criteria
• Limit CBS to truly critical services
• Validate with senior stakeholders

Challenge 4: Incomplete Dependency Mapping

The Issue

• Hidden dependencies not identified
• Third-party risks underestimated
• Lack of end-to-end visibility

Impact

• Unexpected points of failure
• Cascading disruptions
• Delayed recovery

Root Cause

• Complexity of modern systems
• Limited cross-functional collaboration

Mitigation

• Map dependencies across:
• People
• Processes
• Technology
• Third parties
• Use structured templates and workshops
• Regularly update dependency maps

Challenge 5: Unrealistic Impact Tolerances

The Issue

• Impact tolerances set too aggressively or arbitrarily
• Lack of alignment with operational capability

Impact

• Inability to meet defined targets
• Misalignment between expectations and reality

Root Cause

• Lack of data-driven assessment
• Pressure to meet regulatory expectations

Mitigation

• Base tolerances on:
• Historical data
• Testing outcomes
• Operational constraints
• Validate with business and technology teams

Challenge 6: Ineffective Scenario Testing

The Issue

• Limited or superficial testing
• Over-reliance on tabletop exercises
• Scenarios not realistic

Impact

• Gaps remain unidentified
• False confidence in resilience capability

Root Cause

• Resource constraints
• Lack of testing expertise
• Fear of exposing weaknesses

Mitigation

• Develop severe but plausible scenarios
• Conduct a mix of:
• Tabletop exercises
• Simulations
• Technical tests
  
• Focus on learning, not blame

Challenge 7: Siloed Organisational Structures

The Issue

• GRC functions operate independently
• Limited collaboration between business, IT, and risk

Impact

• Fragmented response during disruptions
• Lack of shared understanding

Root Cause

• Organisational design
• Cultural barriers

Mitigation

• Establish cross-functional resilience teams
• Align roles and responsibilities
• Promote shared ownership of resilience

Challenge 8: Lack of Executive Ownership

The Issue

• Operational resilience delegated to middle management
• Limited board and senior management involvement

Impact

• Lack of strategic direction
• Insufficient resources
• Weak accountability

Root Cause

• Perception of resilience as an operational issue
• Competing priorities

Mitigation

• Assign clear executive ownership
• Integrate resilience into governance structures
• Include resilience metrics in board reporting

Challenge 9: Over-Reliance on Technology

The Issue

• Focus on IT recovery as the primary solution
• Neglect of people and process factors

Impact

• Incomplete resilience capability
• Failure in non-technology disruptions

Root Cause

• Technology-centric mindset
• Underestimation of operational complexity

Mitigation

• Adopt a holistic approach:
• People
• Processes
• Technology
• Third parties

Challenge 10: Failure to Sustain the Programme

The Issue

• Initial implementation completed
• Programme not maintained or updated

Impact

• Outdated CBS and dependency maps
• Reduced effectiveness over time

Root Cause

• Lack of continuous improvement processes
• Competing organisational priorities

Mitigation

• Establish a continuous improvement cycle
• Schedule regular reviews and updates
• Integrate resilience into business-as-usual activities

Summary of Key Pitfalls and Mitigation

 The journey towards operational resilience is not without its challenges. While frameworks and methodologies provide a clear path, successful implementation depends on how organisations navigate the practical realities of execution.

The challenges outlined in this chapter highlight a common theme: operational resilience cannot be achieved through isolated efforts, documentation, or technology alone.

It requires a coordinated, organisation-wide approach that integrates governance, risk, compliance, and operations into a unified capability.

By recognising these pitfalls early and applying the outlined mitigation strategies, organisations can avoid common mistakes and accelerate their resilience journey.

More importantly, they can move beyond theoretical preparedness to build a capability that is tested, adaptive, and sustainable.

In the final chapter, we will consolidate the key insights from this eBook and present a clear roadmap for organisations to begin or enhance their operational resilience journey.