Excellence in Digital Capability in Uncertain Times — Part 2
Defensive Capabilities and Operational Resilience
When Survival Becomes the Strategy
There is a particular kind of boardroom conversation that has become familiar over the past two years. Growth targets get quietly revised. Capital allocation decisions that looked straightforward six months ago are back on the table. The language shifts — from expansion to preservation, from ambition to resilience. Nobody says "we're in survival mode," but everyone in the room understands that the priority has changed.
This is not a failure of leadership. It is a rational response to an environment where the variables keep moving. What it does create, however, is a specific set of demands on digital capability — and a specific set of risks for organizations that haven't built it.
This article looks at four of those capabilities: cybersecurity, operational efficiency, business continuity, and risk management. In each case, the more interesting question is not what the capability does when it's working, but what happens to organizations that haven't built it when conditions turn.
Cybersecurity: The Cost of Treating It as an IT Problem
Most boards understand, at least in principle, that cybersecurity matters. Fewer have genuinely reckoned with what a serious incident actually costs. Not in abstract terms, but operationally: what happens to cash flow when systems are down for two weeks? What happens to customer trust — and regulatory standing — when a data breach becomes public? What happens to a private equity-backed company's valuation trajectory when it emerges that controls were inadequate?
Ransomware attacks have become sophisticated enough that the question is no longer whether an organization will face a serious attempt, but whether it will be able to contain one. The perimeter defence model — the idea that threats can be kept outside a defined boundary — has been obsolete for years, but many organizations are still operating as though it holds. Remote work, cloud adoption, and the integration of supplier and partner systems have made the boundary effectively meaningless. Zero-trust architecture, which requires verification of every access request regardless of source, is not a technical nicety — it is a recognition of how networks actually work now.
The governance question is where boards most frequently fall short. Cybersecurity briefings tend to focus on compliance status — frameworks, certifications, audit findings. These matter, but they don't answer the questions that determine organizational resilience: Can we operate if primary systems are compromised? How quickly can we restore critical functions? What scenarios have we actually tested, not just documented? Red team exercises — where skilled attackers attempt to breach systems under controlled conditions — reveal vulnerabilities that theoretical planning misses. Boards that ask only about the document are not governing the actual risk.
Operational Efficiency: Where Automation Goes Wrong
When revenue growth stalls, efficiency becomes the primary lever for protecting margins. This is well understood. What is less well understood is why so many efficiency initiatives deliver less than promised — and the answer is almost never the technology.
Intelligent process automation, when it works, genuinely transforms operations. Processing times drop by 60-80%. Errors that accumulate in manual workflows disappear. Skilled people stop spending their days on reconciliation and report generation and start doing work that requires judgment. The economics are real and the benefits are achievable.
But automation requires the organization to change around it, and that is where initiatives consistently stall. The process that existed before automation usually evolved over years — sometimes decades — accumulating workarounds, informal steps, and institutional knowledge that never made it into any documentation. When automation is deployed against that process without redesigning it first, what you get is the old process running in parallel with the new system, each requiring maintenance. The efficiency gains are real in the system. They don't show up in the outcomes.
The organizations that capture the full value of automation treat it as an opportunity to fundamentally rethink how work gets done — not just to accelerate the existing approach. That rethinking is cultural as much as technical. It requires people to question processes they may have designed, challenge approaches they're comfortable with, and accept that faster is not always the same as better. Creating the conditions for that kind of honest examination is a leadership challenge, not a technology one.
Business Continuity: Visibility Before the Crisis
The organizations that navigate supply chain disruptions well tend to share a characteristic that only becomes visible when something goes wrong: they already knew where they were exposed.
When a fire at a chip factory in Asia or a routing change through the Red Sea disrupts supply, the organizations that respond quickly are not the ones that react fastest — they are the ones that had already mapped their dependencies beyond their direct supplier relationships. Most supply chain disruptions originate in tier-two or tier-three suppliers, in components or raw materials that organizations may not even realize they depend upon until they stop arriving. Digital supply chain visibility converts a crisis into a known scenario with a prepared response.
Digital supply chain twins take this further, allowing organizations to model disruptions before they occur: to ask what happens to production if a key facility becomes inaccessible, how quickly inventory is depleted, which alternative suppliers could be activated and at what cost. The value is not prediction — no one forecasts with certainty in genuinely chaotic environments — but preparedness. Organizations that have worked through these scenarios can act while competitors are still trying to understand what they're dealing with.
Scenario planning is most valuable when it is specific and stress-tested. Not "what if there's a supply disruption" but "what happens to our European operations if tariffs on Chinese components reach 40% and our primary logistics partner loses capacity?" The specificity is uncomfortable. It is also what makes the exercise useful.
Risk Management: From Reporting Function to Operational Reality
Traditional enterprise risk management has a well-documented failure mode. Risk registers get maintained. Reports get produced. They circulate to the right committees on the right schedule. And they have limited influence on the decisions that actually determine how exposed the organization is.
The problem is not the analysis — it is the integration. When risk assessment operates as a separate function rather than as an input to operational decisions, risk considerations arrive too late to change behaviour. A currency exposure flagged in a quarterly risk report is a different problem from one that appears on the dashboard of every finance decision-maker in real time. A supplier's deteriorating financial health identified in an annual review is a different problem from one that triggers an alert when the pattern first emerges.
Digital risk management is not primarily a technology question — it is a question of where risk information lives in an organization and when it reaches the people making decisions. What requires deliberate design is how signals connect to operational decisions rather than compliance reports.
The regulatory dimension deserves particular attention. Requirements for data privacy, AI governance, sustainability reporting, and supply chain transparency are multiplying across jurisdictions, and conflicting EU, US, and Asian obligations mean global organizations face genuine complexity, not just volume. The more important capability is adaptive: the ability to assess new requirements quickly and adjust processes before the deadline rather than after the penalty.
What Defensive Capability Actually Enables
There is a tendency to think of defensive capabilities as the unglamorous prerequisite — what you have to build before you get to do anything interesting. That framing undersells them.
Organizations that have genuinely built these foundations are freed from a particular kind of cognitive tax — the background anxiety of knowing the infrastructure is uncertain — that constrains strategic thinking in ways that are hard to measure but very real. When the foundations are solid, attention can go where it belongs: sensing opportunity, moving quickly, making better decisions.
That is what Part 3 explores — the offensive capabilities that allow organizations to do more than survive uncertainty, and the people-centric foundations that make both actually work.