
What happens when operational resilience fails… very publicly?

Updated: Sep 17





Operational resilience has moved from the back office to the boardroom. And this year’s failures prove one thing: You don’t need a plan B. You need the lessons these companies didn’t apply in time.


In the past 12 months, the list of operational resilience failures has read like a disaster log for modern business. A national power grid went dark. Flights were grounded. Servers crashed. Food supply chains were thrown into chaos.


And most weren’t ready to respond in time.


From IT giants to high street retailers, the past year has exposed a hard truth: business continuity plans aren’t enough. When failure hits at scale, your fallback becomes your footprint. You’re judged not by what you planned to do, but by how fast you recover, what you protect, and whether you saw it coming at all.


Welcome to the new standard. You don’t need a plan B. You need operational resilience.


This year’s resilience report card is brutal


Let’s take a look at what the last 12 months have already taught us.

  • Marks & Spencer suffered a severe ransomware attack over Easter 2025, with customer orders halted, contactless payments disabled, and up to £300 million estimated in profit loss.

  • The Co‑op revealed in July that all 6.5 million of its members had their personal data stolen in an April cyber-attack. Despite rapid detection, the response was under-resourced and hampered by a lack of cyber-insurance.

  • CrowdStrike released an update in July 2024 that triggered a global outage, forcing around 8.5 million Windows systems offline and halting essential services worldwide.

  • Heathrow Airport experienced a power outage on 21 March 2025 following a substation fire. Over 1,300 flights were cancelled or diverted, impacting approximately 200,000–250,000 travellers.

  • On 28 April 2025, a fault led to a blackout across the entire Iberian Peninsula, cutting power to Spain, Portugal, Andorra, and parts of France for around 10 hours.


The problem isn't disruption. It's unpreparedness


Each of these failures reveals the same pattern: complex systems, hidden interdependencies, and a lack of testing or an absence of board-level awareness.

And when they broke, no one could move fast enough.


What was missing? Scenario testing. Critical operations mapping. Board visibility. And a plan for the plan to fail.


Australia’s CPS 230 now requires organisations to map critical operations, run credible scenarios, and ensure executive and board accountability. The UK’s PS21/3 demands similar oversight, especially over third-party services, and mandates severe-disruption impact tolerances.


And these aren’t just check-the-box exercises. They’re structured frameworks designed to move operational resilience from siloed planning to boardroom-level strategic priority.


Resilience is no longer a technical project


The idea that resilience belongs in IT, or in compliance, or in business continuity teams - that’s outdated thinking. Resilience is now a reputational risk. A regulatory requirement. A business imperative.

And the smartest organisations are making it a strategy.


They’re simulating disruptions before regulators ask. They’re mapping dependencies across supply chains and vendors. They’re creating clear evidence for the board and the regulator. Not theoretical plans. Proof.


Platforms like Drova are emerging to support this shift. Not just to help teams comply with standards like CPS 230 or PS21/3, but to make resilience operational - with AI-driven scenarios, board-ready reports, and structured evidence that lives beyond spreadsheets and shared drives.


This is your moment to lead, or fall behind


If there’s one message to take from this year’s failures, it’s this: resilience isn’t about recovery anymore. It’s about readiness. And readiness starts now.


Because the next outage, breach, or disruption isn’t a matter of if. It’s a matter of whether your organisation is the one that makes headlines — or the one that moves through it without breaking stride.

You don’t need a plan B. You need a resilience strategy that actually works. One that’s tested. Visible. Auditable. And built for the real world.


If there’s one lesson this year proves, it’s that resilience is strategic—not a secondary fallback. The next major outage won’t ask if you had a Plan B; it will expose whether you had a resilience strategy that worked.


Don’t wait for the whistleblower moment; the age of operational resilience is already here. Now it's just a question of how prepared you want to be.


Build it. Prove it. Own it.

Get started using Drova’s Operational Resilience and Compliance software for free today.




© 2024 Drova Pty Ltd. All rights reserved.
