Operational Resilience in the U.S.: From Obligation to Strategic Mindset

  • 20 Nov 2025
  • Ashley

For years, operational resilience felt like a conversation happening somewhere else—mainly in the UK, Europe or Asia Pac. But things are shifting. What started overseas is beginning to ripple through U.S. boardrooms and risk teams. And it’s about time.

In the U.S., we’ve had federal guidance and state-level regulations, like the New York Department of Financial Services’ [1] cybersecurity rules. But now, with frameworks like the UK’s Prudential Regulation Authority and Financial Conduct Authority [2] rule, Canada’s Office of the Superintendent of Financial Institutions [3], and the EU’s Digital Operational Resilience Act [4] setting the pace, American companies are realizing something important: resilience isn’t just a regulatory checkbox. It is a strategy for survival—and growth.

The global push

The Prudential Regulation Authority and the Financial Conduct Authority rule in the UK made firms sit up by asking them to identify important business services, set impact tolerances, and test against them. The Office of the Superintendent of Financial Institutions in Canada followed with its E-21 guideline. Europe brought the Digital Operational Resilience Act into play. Singapore, Australia, and others have added their own expectations.

The thread tying them all together? Protecting financial markets from shocks—whether they come from operational failures or cyber threats. These regulators aren’t focused on one bank or insurer; they’re safeguarding the stability of entire financial ecosystems.

Why U.S. companies should take notice

Even if your company doesn’t operate abroad, the reality is that our systems are interconnected. A disruption in London or Toronto can have a knock-on effect in New York or Chicago. Add in our reliance on third parties—cloud services, SaaS platforms, business process outsourcers (BPO)—and the web gets even more tangled.

The Federal Reserve has already issued sound practices guidance[5]. The New York Department of Financial Services has put cybersecurity regulations into action. Whether you are in finance or not, the message is clear: resilience is moving from optional to expected.

Beyond banking and insurance

Financial services are often leading the way, but let’s be honest, every industry now runs on digital systems and vendor networks. Healthcare, manufacturing, retail—pick one, and you’ll see the same story. You have suppliers or vendor services you rely on. Additionally, reliance on fourth-party vendors is a rising risk.

Cyberattacks, cloud outages, vendor failures—these are not “what ifs” anymore. They’re happening. And they highlight why companies outside of finance should take note. Operational resilience offers a framework that brings together cyber risk, business continuity, disaster recovery, security, and operations into one cohesive strategy.

From recovery to resilience

Here’s the real shift: it’s no longer enough to prove you can get back up quickly. Customers expect you to keep going, to deliver even when the unexpected happens. It’s more than bouncing back; it’s being able to thrive through adversity: those severe events that can impact your company’s people (customers, employees, contractors), reputation, financial status, regulatory standing, technology and cybersecurity.

That’s the heart of operational resilience. It’s not static. It’s about creating living frameworks that evolve with your business and with the threats you face. Done right, resilience moves you from surviving disruption to thriving through it. It is a move from a static to a dynamic approach.

The next big wave

The last seismic change in our field, BCMS, came after 9/11, nearly 24 years ago. That tragedy reshaped continuity and crisis management. Now, we are standing in front of another wave, a tsunami of change driven by digital risk and global interconnection.

Forward-thinking companies aren’t waiting for regulations to force their hand. They see resilience for what it is: a strategic imperative and a competitive advantage.

Final word

Resilience is more than compliance. Additionally, it’s more than operational or cyber resilience alone, in my view – it needs to be a holistic approach aligning enterprise and organizational resilience. It is a promise to your customers, your employees, and your stakeholders that you’re here for the long haul.

And whether you’re in finance, healthcare, manufacturing or tech, the wave is coming. The question is: will you ride it, or will it crash over you?

About the author

Ashley Goosman

Risk Manager II - Business Continuity & Crisis Management Specialist

Ashley Goosman, MBCP, MBCI, ARMP is an accomplished Risk Manager at Liberty Mutual, specializing in crisis response and business interruption preparedness on a global scale. With extensive experience coordinating high-profile crisis incidents such as pandemics, natural disasters, white powder incidents, power/network, IT outages, cyberattacks and terrorist events, Ashley is well-equipped to navigate any challenge.

As the Program Owner for the Enterprise Crisis Management program, Ashley has a pivotal role in transforming Liberty's Business Continuity Management program into an Operational Resilience focus. Her contributions as a member of the Business Continuity & Resilience team to streamline and scale crisis response capabilities are instrumental in driving this transformation forward.

Prior to her role at Liberty Mutual, Ashley made significant contributions to various disaster relief efforts. She worked with the American Red Cross on the September 11 Recovery Program and served as a member of the Hurricane Katrina-Massachusetts Operation Helping Hand, during her tenure as the Director of Emergency Services at the MA Department of Mental Health. Beyond her corporate and disaster relief work, Ashley has also been involved in academia. For seven years, she served as a Senior Instructor of Terrorism and Disasters at Cambridge College, sharing her expertise and knowledge with students.

Additionally, Ashley's expertise and contributions extend to publications, where she has been featured in the Journal of Continuity & Emergency Management Planning and has written articles for LinkedIn, ICMC, DRJ, and BCI. Her extensive knowledge and experience have led her to present at prestigious conferences such as DRJ, Business Continuity Institute World (BCI), Continuity Insights, the International Crisis Management Conference (ICMC), and Association of Continuity Professionals programs.

Ashley's insights have also been sought after in various podcast and webinar platforms, making her a trusted expert for organizations such as the International Facility Manager Association (IFMA)-Boston, BCI, Alert Media, and Five Minutes to Chaos, among others. She's contributed to the BCI's annual conference, podcast and articles multiple times.

In 2019, Ashley founded disasterempire.com, demonstrating her commitment to giving back to the community. She also currently serves as an Editorial Board Member for the Disaster Recovery Journal. She has also published in the Journal of Continuity & Emergency Management Planning.

With her extensive background in crisis management, risk assessment, and disaster response, Ashley Goosman is a multiple-time guest lecturer for MIT's Advanced Business Resiliency course.