The Shift from Reactive to Accountable
UK directors are confronting a fundamental change in their legal responsibilities. <cite index="23-1,23-2">In Principle 6, Responsible Business, of its Code of Conduct for Directors (2024), the Institute of Directors makes clear that one of the duties of a director is to manage risks so as to maintain longer-term resilience and strategic objectives.</cite> This represents a decisive shift from treating operational disruption as an unfortunate business event to recognising resilience as a core director duty.
The implications are profound. <cite index="2-1,2-19">The UK's Department for Business and Trade cites increasing supply chain resilience as a matter of 'economic and national security'.</cite> For boards, this elevation of resilience from operational concern to national security issue signals that directors can no longer delegate this responsibility to management teams.
<cite index="2-6">Given that over 76% of European businesses experienced disruptions in 2024</cite>, the question is no longer whether your organisation will face operational challenges, but whether your board can demonstrate it has adequately prepared for and overseen your response.
The Regulatory Enforcement Reality
Financial services firms are experiencing the sharp end of this regulatory evolution first. <cite index="22-2,22-5">In its Dear CEO letter on 2024 priorities for supervision of UK deposit takers, insurers and international banks, the PRA notes that it "expects Boards and senior management to actively oversee the delivery of their firm's operational resilience programme." The FCA has also made it clear that it is scaling up efforts to deal with firms who cannot meet the new FCA standards on operational resilience</cite>.
But this is not confined to regulated sectors. <cite index="12-9,12-10,12-11">Having a BCP is no longer just for big corporations or regulated industries. In fact, it's becoming a standard expectation – especially if you work with larger partners, run an online business, process personal data, or want to secure funding. Even though in most sectors it's not strictly a legal requirement, failing to plan exposes your business to huge risks.</cite>
The practical reality is stark: <cite index="27-4,27-5,27-6,27-7">the main requirement is Provision 29, which requires the Board to make a "Declaration of Effectiveness" of the internal controls in their annual financial statements. The declaration should cover all material aspects of operational compliance and reporting. Boards will also have to explain in their annual report how they have performed their monitoring of the material controls. However, the "Declaration of Effectiveness" will only apply to financial years beginning on or after 1 January 2026.</cite>
The Supply Chain Vulnerability Multiplier
The interconnected nature of modern business operations has fundamentally altered the director's duty of care. <cite index="3-13,3-19">In today's connected global economy, supply chains are a measure of national competence – the breadth and depth of supplier networks, the integration of services alongside goods, and the adaptive capacity to reconfigure when disruptions strike. These might seem isolated shocks. But taken together, they point to a deeper challenge: the absence of deliberate foresight and strategic positioning, leaving the UK slow to adapt to rapidly evolving global market shifts.</cite>
Directors cannot claim ignorance of supply chain risks when, <cite index="1-20,1-21,1-22">since January 2024, the UK government has implemented strict border controls on importing plants, animals and food from the EU. These new regulations categorise goods into high, medium and low-risk groups, requiring security declarations and physical checks at the border, particularly for medium and high-risk items. Naturally, this regulatory shift has significant implications for businesses reliant on EU imports, which can further exacerbate existing supply chain issues.</cite>
<cite index="5-6,5-7">Furthermore, as reported in the BCI Supply Chain Resilience Report 2023, this is a wider concern, as nearly half of respondents to the report said that they have not checked or validated their key suppliers' business continuity arrangements. Running exercises with suppliers and holding workshops is an important tool to encourage collaboration across the supply chain in terms of cyber resilience.</cite>
The Cyber-Physical Convergence Challenge
The traditional separation between cyber security and operational resilience has collapsed, creating new director accountability requirements. <cite index="4-1,4-2,4-3">Ransomware attacks can ripple through supply chains, causing serious disruption and massive financial consequences for multiple businesses in one fell swoop. As such, CISOs are spending more time considering how to keep operations secure as ecosystems span across dozens, if not hundreds, of vendors, contractors, and digital dependencies.</cite>
<cite index="10-16,10-17,10-18,10-19">There's no avoiding the fact that cyberattacks remain a critical threat, casting a shadow over the operational resilience of businesses. The evolving digital supply chain of 2024 presents an expansive risk surface, exposing supply chains to unprecedented vulnerabilities and disruptions. As businesses address the web of global supply networks, their risk exposure to cyber threats amplifies. Small and medium-sized enterprises (SMEs), in particular, find themselves at the mercy of malicious actors, lacking the robust cybersecurity infrastructure of larger corporations.</cite>
This convergence means directors must understand that operational resilience decisions are simultaneously cyber security decisions, and that supply chain attacks are now affecting organisations globally at unprecedented levels.
The Three Lines Model Imperative
Effective board oversight requires understanding how operational resilience governance operates across the organisation. <cite index="26-14,26-15,26-16,26-17">Defining clear roles and responsibilities for the board and senior management helps to ensure firms meet key individual and collective role requirements, maximising efficiency, improving decision-making, and ultimately enhancing the firm's operational resilience. Members offered examples of their varying governance arrangements for operational resilience. Members agreed during working sessions that the UK authorities have made it clear that the board and senior management have ultimate oversight of the resilience strategy and are responsible for promoting a resilience culture</cite>.
The board's role is distinct but interconnected with management execution: <cite index="21-1,21-8,21-9">Approve the operational resilience program framework and key strategies presented by senior management. Approve the organization's risk tolerance and appetite for disruption related to operational risks. Establish clear objectives and goals for the operational resilience program, aligning it with the overall business strategy.</cite>
This extends to active involvement in testing and validation: <cite index="23-26">When appropriate, exercises and simulations include board-level involvement, not just management teams.</cite>
The Impact Tolerance Framework
Central to the new director responsibilities is the concept of "impact tolerance" - essentially, the board's determination of how much disruption the organisation can withstand while continuing to deliver critical services. <cite index="24-17">Identify important business services – boards and senior management must identify and prioritise services that, if disrupted, would impact our objectives and the public interest; set impact tolerances – firms must say to what extent they would be able to continue important business services after severe but plausible disruptions</cite>.
<cite index="30-1,30-12,30-13">Boards will need to work with senior management to set impact tolerances that are appropriate for their organisation. Further, board chairs must ensure that the board has adequate knowledge, skills and experience to provide constructive challenge in relation to the choice of important business services and impact tolerances, and that the board articulates and maintains a culture of risk awareness and ethical behaviour for the organisation which drives the firm's operational resilience.</cite>
Building Director Competence
The complexity of operational resilience governance demands new director competencies. <cite index="21-10,21-11">Actively participate in board-level discussions and training related to operational resilience. Seek independent assurance and review of the program's effectiveness regularly.</cite>
<cite index="26-22,26-23">The firm should foster a strong level of awareness of and commitment to operational resilience, recognising that staff at all levels have important roles to play. Key role holders across the three lines maintain appropriate skills and knowledge to understand and manage risks to operational resilience</cite>.
This includes understanding the interconnected nature of modern business risks, from AI governance challenges to traditional business continuity planning.
Security Implications for Your Organisation
• Board Education Imperative: Directors must develop operational resilience literacy beyond traditional financial oversight, understanding how cyber threats, supply chain vulnerabilities, and business continuity intersect to create compound risks that can threaten organisational survival.
• Governance Integration Challenge: Operational resilience cannot be treated as a separate management function - it requires integration across all board committees and decision-making processes, with clear accountability lines and regular board-level testing of response capabilities.
• Regulatory Compliance Evolution: The shift towards mandatory board declarations of control effectiveness from January 2026 means directors must demonstrate active oversight rather than passive reporting, creating potential personal liability for inadequate resilience governance.
To assess your board's operational resilience readiness and develop an integrated governance framework, contact our team for a comprehensive resilience governance audit.
For immediate guidance on implementing board-level operational resilience oversight, speak with our senior consultants who specialise in translating regulatory requirements into practical board governance frameworks.