A recurring theme throughout the latest Resilience First session on Hybrid Threats to the UK and Business Operational Sovereignty was that resilience is moving upstream into strategy and business models.
Businesses are currently operating in an environment affected by geopolitical tension, which is driving cyber threats, supply chain disruption, misinformation, insider threats and the potential for jurisdictional-imposed constraints on access to services. Operational sovereignty is therefore an important strategic consideration.
Operational sovereignty means that organisations can continue operating at the very least to a minimum level when there is disruption to critical dependencies by hostile acts or jurisdictional constraints. These may include restrictions on access to technology, cloud or AI services, deliberate disruption of supply chains, or cyber and physical attacks affecting energy, digital and telecommunications infrastructure.
A key point raised in the discussion was that professionals need to adopt a more architectural and engineering-based approach to resilience. Having a clear picture of critical dependencies, being able to assess their vulnerability to nation-state actions, informing strategic choices and creating optionality are becoming essential capabilities.
In practice this means designing resilience into systems and operating models through diversification, redundancy, offline capabilities, local control where appropriate, and tested contingency plans. The discussion also highlighted how hybrid threats are no longer solely a government concern. Businesses of every size are now part of the frontline, with cyber, supply chain, information and infrastructure risks becoming increasingly interconnected. As a result, resilience can no longer be viewed simply as a matter of protection and recovery; it is becoming a core strategic capability that helps preserve operational freedom when disruption occurs.
Actions organisations can take to strengthen operational sovereignty include:
- Identifying critical business services and the minimum requirements needed to sustain operating capability, and establishing the organisation’s Minimum Viable Company (MVC) and Minimum Viable Services (MVS).
- Understanding the dependencies that support those services.
- Assessing vulnerabilities to geopolitical, cyber, supply chain and technology-related disruption.
- Creating optionality and alternative pathways where critical dependencies exist.
- Developing board-level understanding of resilience, so that the focus extends beyond recovery and continuity planning to strategic choices, critical dependencies, operational sovereignty and long-term organisational viability.
The growing adoption of AI across business operations was also identified as an emerging area of focus. As AI becomes embedded within organisations, it introduces new dependencies, vulnerabilities and geopolitical considerations alongside more traditional cybersecurity challenges. Understanding these dependencies and the risks they create will become increasingly important as organisations seek to maintain operational sovereignty.
Another challenge highlighted was visibility across supply chains. While many organisations have a reasonable understanding of their direct suppliers, insight into Tier 2 and Tier 3 dependencies often remains limited, creating hidden vulnerabilities that may only become apparent during disruption.
Businesses cannot rely on government intervention alone, they are responsible for building their own resilience to these threats. Equally, building cross-sector cooperation and fostering trusted relationships is essential.
Above all, national resilience depends on everyone playing their part. Close collaboration between businesses, government and critical infrastructure operators helps to build an understanding of their interdependencies and enables them to share insights, thus strengthening collective resilience.
As we have written previously, we need to change both the language and the thinking around resilience. It must be a strategic imperative for organisations in a world of persistent and increasingly significant disruption.
Thank you to our speakers for a thought-provoking discussion:
- Steve Hill, Strategic Adviser, PwC UK
- Anne Leslie, Head of Cloud Risk EMEA, IBM
- Chris Medhurst-Cocksworth, Head of Pool Re Solutions, Pool Re
- Arthur Rabjohn, Senior Group Business Resilience Manager, Tesco
- Jari Stenius, Vice President – Corporate Safety and Security, Fortum
