Organizational Culture and Resilience Must Work Together

• 27 Nov 2025
• Brian

• Article
• Policy and programme management
• Embedding
• 0

  Comment

Whether or not Peter Drucker actually said ‘culture eats strategy for breakfast’, the impact of organizational culture is huge, and that includes the internal view of resilience and how it is embedded.

An interesting recent example is the timely reporting of phishing attempts, as highlighted in a Journal of Cybersecurity research paper ‘Information security culture and phishing-reporting model: structural equivalence across Germany, UK, and USA[1].’ It backs up, with a solid example, a key finding from BCI’s recent Continuity and Resilience Report [2]

The study investigated the role of information security culture in enhancing the reporting of phishing emails among employees across Germany, the UK, and the USA. Reporting phishing emails is crucial for organizational resilience against cyber threats, with timely reporting helping mitigate financial losses and operational disruptions.​ However, the study found that only about 20% of employees report phishing emails, indicating a need for improved reporting mechanisms. ​

But the study also found notable cultural differences; for instance, in Germany, attitudes towards information security were stronger predictors of reporting, while in the UK and USA, a sense of responsibility was more influential. So, both organizational and geographic culture play a role.

Linking management and operations

The BCI’s Continuity and Resilience Report 2025 shows the impact of internal culture. It notes that more organizations now have a dedicated person for managing resilience efforts and that this is often a way to strengthen alignment between strategic leadership and operational execution.

This year, the report notes, resilience leads reporting directly to the board has increased. Indeed, approximately 60% of organizations with such a role have established it within the past five years, reflecting the growing strategic importance of resilience.

Over 45% have a dedicated person responsible for overseeing the running of a resilience programme who reports directly to the board. However, although board-level support for resilience is gradually increasing, with more organizations establishing clearer and more direct reporting lines to the C-suite, particularly in regulated sectors like financial services, most practitioners expressed a desire for such a role but felt they lacked the internal support to make it happen.

Employee behaviour and culture

Employee behaviours in everyday tasks reflect the health of the resilience culture in the organization, and that goes beyond approaches to reporting problems.

A study of the creative industries in Indonesia [3] by Cogent Business and Management Journal found that a sustainable workforce not only contributes to the internal dynamics of an organization but also enhances its external performance by fostering innovation and collaboration. The journal also cites a previous study by Yousaf et al[4] argued that empowering employees through skill development and a supportive work culture makes them more likely to engage in innovative practices that differentiate a business from its competitors.

Getting the internal culture right also benefits workers’ mental well-being and overall contribution, a paper [5] in the Journal of Personality and Psychosomatic Research drew the conclusion that ‘that workplace resilience and team cohesion significantly contribute to reducing workplace stress’.

These examples demonstrate that the role of culture in all aspects of an organization is multifaceted. But there are practical things that can be addressed in the context of resilience.

What should you do?

The Journal of Cybersecurity study emphasizes the importance of organizational communication and technical solutions [6] in enhancing phishing reporting behaviour.

In the wider resilience culture discussion, the BCI report recommends getting your employees involved in resilience. The top three approaches cited by respondents reflect an attempt to make business continuity more actionable, visible, and aligned with the organization’s operational priorities.

1. Prioritize regular training and exercising while board support remains favourable (51.3%). These sessions, when detailed and part of a regular programme, can support both leadership and wider teams in understanding not just the plans, but their role in maintaining continuity during disruption.
2. Foster greater collaboration across teams (47.1%). Respondents cited efforts to enhance the integration of IT stakeholders through tools such as dependency mapping and joint ownership of services. Such cross-functional collaboration helps reinforce the relevance of resilience at the strategic level and provides the board with a more accurate picture of systemic risks.
3. Invest in networks of business continuity ‘Champions’ (44%). These professional figures act as internal advocates, helping to keep business continuity visible and understood across the organization. In this regard, many organizations are updating how they report resilience activities, developing dashboards, setting KPIs, and presenting high-level metrics that highlight vulnerabilities and progress. In this regard, a few respondents stated that they use industry comparisons and case studies to reinforce the value of resilience as a strategic differentiator.

These ideas are summed up in one of the report’s key takeaways:

‘Organizations are looking to build flexible and effective response capabilities. Resilience functions must go beyond planning, providing response and recovery measures that would be fit to counter the impacts of a real disruption.’

Culture plays a key role.

More on

• Business Continuity
• Human aspects of resilience
• Resilience/ Organizational Resilience

About the author

Brian Runciman

Content Manager, The BCI