Moving Beyond Compliance
As digital threats become more frequent and complex, many organizations are feeling the pressure to comply with a growing web of laws, regulations and standards. Fear, Uncertainty & Doubt (FUD) reporting in the media fuels this pressure. The board and senior management often have the idea that this compliance first approach at least gives effect to their duty of care responsibilities.
Yet, a "compliance first" mindset—where ticking boxes and meeting regulatory demands take precedence—can create a false sense of security. True resilience requires a holistic, resilience-first strategy. One that goes beyond compliance and embeds operational resilience into the DNA of the organization.
At Highberg, we help organizations make this crucial shift, ensuring organizations are prepared not just to pass audits, but to withstand and recover from real-world disruptions.

The Pitfalls of Compliance-First Thinking
A compliance-driven approach is understandable: regulatory fines and reputational risks from non-compliance are immediate and tangible. Executives often rely on color-coded risk reports and focus on meeting the minimum requirements set by laws and regulations like the Critical Entities Resilience Directive and the Network and Information Systems 2 (NIS2) Directive, believing this reduces risk.
However, this approach often fails to address the underlying vulnerabilities that threaten business continuity. At Highberg we conclude that "compliance first thinking" can perpetuate a tick-box culture, where the existence of controls is prioritized over their actual effectiveness, leaving organizations exposed to systemic risks that compliance frameworks may never cover.
This compliance focus can also lead to "regulatory fatigue," diverting resources from innovation and real risk reduction. Leaders may feel reassured by successfully passing compliance audits but remain uncertain about their organization's true ability to recover from major incidents—especially those that fall outside the scope of regulations.
Zooming in: what would resilience-first look like?
A resilience-first strategy reframes resilience as an operational business challenge, where IT and Facilities are enablers but not in the lead. It recognizes that a diverse portfolio of risks threatens the continuity of critical business processes and requires direct ownership from executive leadership—not just delegation to technical experts.
The goal is not to eliminate all risks, which is an impossible task, but to manage them effectively so the organization can continue to operate and recover swiftly when disruptions occur. A good example of this is the Dutch Railway sector, where continuity, resilience and fail-over are not retrofitted, but built into all operational processes and systems.
Highberg recognizes five domains that can contain critical operational dependencies.
- People. Processes are traditionally run by people, and human resources can be a critical dependency, for example through unique knowledge or skills, or through a threshold number of available hours
- Facilities. In industrial sectors, for example, physical facilities such as a factory can be critical for delivering product
- IT-Infrastructure. Delivers digital functionality and information to employees, suppliers and customers. Once processes have been digitalized, dependency on IT-infrastructure rises significantly, and falling back on the old, more manual, processes is often no longer possible
- Business partners. Supply chains depend on suppliers delivering just-in-time, and customer demand is essential to keep the supply chain flowing
- Information. This is the new "gold" of the digital age, and once lost it cannot easily be recovered
Managing resilience means managing the availability of these critical dependencies explicitly.
Five Principles of Operational Resilience
A resilience-first approach is built on five key principles:
- Whole System in the Room: Bring together all relevant stakeholders—across business, IT, and the supply chain—to collaboratively identify and address risks. This ensures a holistic understanding of critical processes and dependencies
- Operational Risks Across Functions: Map risks from a business operations perspective, not just an IT lens. Use business process walkthroughs and simulate scenarios to uncover vulnerabilities and define recovery priorities
- Risk Tolerance and Financial Impact: Quantify risks in financial, reputational and other business terms. This enables leadership to align resilience investments with business objectives, balancing risk mitigation with innovation and growth
- Cross-Domain Risk Awareness: Understand and manage risks that cross digital and physical boundaries. Collaborate across IT, security, and operations to uncover vulnerabilities and respond to combined threats
- Organizing and Testing for Continuity and Recovery: Develop, test, and refine crisis management and recovery processes using realistic scenarios. Regularly stress-test plans for large-scale ‘outages’ to ensure operational continuity is more than a paper exercise
How Highberg Can Help
At Highberg, we guide organizations through the transition from compliance-first to resilience-first. Our approach includes:
- Board-Level Engagement: We facilitate strategic discussions at the executive level, helping leadership understand and own operational resilience as a core business issue—not just an IT problem
- Holistic Risk Mapping: Using proven frameworks, we help organizations identify their "crown jewels" and map critical processes, dependencies, and third-party risks across the entire value chain
- Quantified Risk Management: We translate technical risks into business language, enabling informed decisions on risk tolerance and resource allocation
- Scenario-Based Testing: Highberg designs and executes realistic scenarios (both IT and non-IT), ensuring that recovery plans are robust, actionable, and validated in practice
- Continuous Improvement: We support the development of a resilience culture—embedding continuous learning, cross-functional collaboration, and structural enhancements into your operating model
- Realization: We support the realization of resilient business strategies, operational and tactical processes, IT-infrastructures and information processing facilities
Conclusion
Resilience is not achieved by ticking boxes. And it goes beyond digital and IT. It requires a shift in mindset and strategy—from compliance-driven activity to proactive, organization-wide resilience. By adopting a resilience-first approach, organizations can not only meet regulatory requirements but also ensure they are truly prepared to withstand and recover from the disruptions that define today’s digital landscape. Highberg stands ready to partner with you on this journey, helping you build a future-proof, resilient organization.