Operational Resilience in the Age of Cyber and Third-Party Risks

Created: June 09, 2025

Over 70% of global organizations are leaning more toward operational resilience than ever before. This trend has a lot to do with the rapidly growing threats from cyberattacks, ransomware, information leaks, and third-party application vulnerabilities. Some research estimates the cost of such threats to be in the $10.5 trillion range. Considering the profit margins of most businesses, that is too great a risk to ignore.

The goal of resilience has more to do with sustainability than with mere survival. A business must establish a predictable level of operational continuity, or a single instance of misplaced conduct risk could throw a wrench in daily goals, leaving the organization open to all kinds of financial and systemic damage.

Cyber risk management and third-party exposure are growing areas of assessment. Modern tools like AI (artificial intelligence), ML (machine learning), and the rapid adoption of NLP (natural language processing) prompts allow attackers of all skill levels to develop powerful tooling in little to no time. The point is that operational resilience is more important now than ever before. It must be embedded into how an organization operates so that when a threat or regulatory pressure arises, it can be managed appropriately.


What Is Operational Resilience & Why It Matters Now

A simple definition of operational resilience is the ability of a given entity to prevent, respond to, and recover from unanticipated disruptions. It is more than maintaining operations or having a disaster recovery plan in place. Think of operational resilience as a holistic approach that integrates core strategies from risk management, tech compliance, and company culture. 

The reason there is such a need for operational resilience has to do with the growing threat of attacks and vulnerabilities. What would have been an isolated attack 20 years ago, knocking out a single service, is now a massive infiltration compromising sensitive data and grinding operations to a halt.

Without modern resilience strategies grounded in ethical risk management, a company exposes itself to a broad spectrum of vulnerabilities.

Balancing Risk Appetite with Operational Continuity

To become truly resilient, a business must assess what risks are “acceptable” to its operations. Risk appetite refers to the level of risk an organization is willing to tolerate in pursuit of its goals. 

Consider cloud migration in financial services. To remain competitive, a local credit union knows it must adopt third-party cloud tools to maintain client intake. However, that also opens the door to cyberattacks as more information is stored online.

Balancing the risk appetite for growth with operational continuity might involve: 

  • Building in information redundancies outside of the single cloud migration service.
  • Retaining some on-site/off-site physical records. 
  • Clearly outlining third-party contracts concerning responsibility before, during, and after attacks. 

Ride-sharing apps are another good example of striking this balance. Uber or Lyft might accept more regulatory risks to secure a greater market share. That might require additional legal teams and exit planning to manage regulatory compliance. 

Building in this flexibility is a key factor in operational resilience because it allows you to test assumptions and pre-test systems without stepping so far over the line that you lose control or continuity.

Cyber and Third-Party Risks

A recent study by the University of Maryland examined cyber threats. According to that data, a new cyberattack occurs every 39 seconds. Understanding how this applies to modern cyber risk management requires separating the overlapping terms and areas of interest, such as: 

  • Information Security: protecting private data by keeping it as confidential as possible while making it available to those using it. 
  • Cybersecurity: defending information or assets from threats targeting digital systems (and networks). 
  • Cyber Resilience: ensuring a business or organization can continue operating, even when facing growing attacks or digital failures. 

Drawing distinctions between these tiers helps inform operational resilience. It demonstrates that a single source of protection is insufficient. You have to go beyond securing systems to maintain continuity under immense pressure.

Third-Party Risks

Whenever a business outsources operations, there is risk. While third-party systems, applications, and resources can drastically improve agility and growth, they come at a cost. The SolarWinds attack of 2020 is the perfect example of third-party vulnerabilities. 

SolarWinds is a software company providing technical services to thousands of international organizations, including an IT performance monitoring system called Orion. That system provided the company with access to sensitive information, making it an attractive target for hackers. 

One such hacking collective targeted SolarWinds, resulting in more than 30,000 public and private organizations worldwide going down and leaking sensitive data. 

Although organizations like the U.S. Department of Homeland Security and the Treasury Department were affected, it wasn’t because of their own systems, but due to a third-party vulnerability. Remember that a single weak link connected to internal systems can result in a massive risk.

How DORA Changes the Game

In January 2023, the European Union (EU) passed the Digital Operational Resilience Act (DORA). It was tweaked and improved until a new version was recently launched in January of 2025. The basics of this act primarily apply to financial sector organizations and investment firms, ensuring that such entities can withstand, respond to, and recover from disruptions. 

To ensure such standards succeed, organizations must maintain a good framework for identifying, assessing, mitigating, and managing ICT (Information and Communication Technology) risks. That means subjecting the business to DORA testing, incident reporting, information sharing, and third-party risk management. 

While there are some kinks to work out, DORA has changed the financial world. Everyone is enhancing cybersecurity postures and improving operational resilience through a more standardized approach with greater oversight of third-party ICT providers.

Building a Resilient Organization

In a post-DORA world, the challenge now is to integrate all the gathered conduct risk information to develop a comprehensive set of cyber risk management policies and considerations concerning third-party integration. A practical framework must be adopted to become truly operationally resilient, which may include: 

  • Identify & Categorize Risk: Mapping the risk landscape by defining critical business functions, identifying sources of disruption (internal, external, third-party, etc.), and classifying the likelihood and impact of such risk. 
  • Continuous Monitoring: Ensuring real-time alerts for any detected threat through the use of powerful tools looking at user behavior patterns (conduct risk), third-party service delivery metrics, network anomalies, and regulatory updates (especially concerning reporting). 
  • Defining Third-Party Metrics: Any third-party integration or entity must have defined metrics. The vendor or service provider should be reliable, but also offer robust incident responses, data protection, and regulatory compliance. Conducting an onboarding audit and monitoring metrics tied to controls, certifications, downtime tolerances, and other such aspects is a good starting point. 
  • Incident Response Plans: Simulate disruptions to build clear and easy-to-follow incident responses, ensuring containment of the threat, triggering recovery procedures, and facilitating clear communication throughout all levels of the organization, aligned with regulatory reporting. 

Leveraging cyber risk management software, such as Pirani, aids in this framework. Organizations receive centralized dashboards for all risk types (cyber, vendor, compliance, third-party, etc.) and automated workflows that will flag incidents and escalate them as needed. 

Technologies like Pirani also place a score on conduct risk and external volatility. It has compliance frameworks that align with DORA, like ISO 27001 and NIST. 

Automation is necessary to ensure full operational resilience because the tools leveraged by online criminals, and by insiders seeking information beyond the scope of their position, advance so quickly. An efficient, tech-first approach to cyber and third-party risk is needed so a business remains focused on growth and goal setting rather than constantly recovering from damaging attacks.

Resilience Is More Than a Checklist

Organizations hoping to lead their industries over the next 10, 20, or 50 years must find a way to adapt and recover from any potential disruptions. While cyber risk management is evolving and regulatory compliance is facilitated through tools like DORA, continuous visibility, faster decision-making, and a proactive approach are the best recipe for resilience. 

Investing in operational resilience now protects a business's profits, systems, and resources. Platforms like Pirani help safeguard a company’s reputation during an attack and build stakeholder trust that if something does happen, there is a defined pathway to learning and growing from these issues on the other side of the risk.

Try Pirani Today – It’s Free to Get Started

Curious about what your risk management process would look like with Pirani?

Schedule a free demo now—no credit card required.
