Resilience must be built into everyday operations of companies, say experts

Experts from the technology, engineering, and financial services sectors said organisational resilience can no longer be treated as a compliance-driven exercise, but must be designed into everyday processes and decision-making. They were taking part in a panel discussion on “Resilience by Design: Embedding Continuity into Organisational DNA using ISO 22301 and ISO 27031” at The Hindu Tech Summit 2026 on Thursday (February 12, 2026). The summit, hosted by The Hindu, is presented by Vellore Institute of Technology and co-presented by Sify Technologies.

The speakers noted that while global standards such as ISO 22301 and ISO 27031 provide structure, resilience could fail when it is approached as a standalone IT or risk function. Instead, leadership ownership, business-aligned recovery priorities, and continuous testing were identified as key to ensuring that continuity plans work under real-world disruption.

Speaking on how perceptions around continuity have evolved, Gokulavan Jayaraman, Infosec Leader at Mahindra Group, said organisations were moving away from a checklist-driven mindset. “It is no longer a checkbox or documentation-only exercise. Organisations have understood this and are starting with the process and procedure because resilience has to be built into how applications and processes actually run,” he said. He added that modern systems must be designed assuming failure, with testing embedded across application, infrastructure, and business layers.

From an engineering and project-delivery perspective, Santhosh Murthy Neriyanuri, Senior Director – Operations at Kellogg Brown and Root Company, outlined a structured approach to business impact analysis. He said that all critical activities that depend on IT systems are first identified, followed by detailed data collection through interviews with project managers and stakeholders to understand what truly affects business outcomes. The impacts are then classified as financial, reputational, or operational and assessed accordingly.

Based on this four-step analysis, applications are identified and categorised into three tiers. Mission-critical systems form the first tier, the second tier comprises applications that are important but can tolerate longer downtime, and the third tier includes non-critical systems, said Mr. Neriyanuri.

Highlighting the importance of tailoring continuity objectives to business realities, Sivaramakrishnan N., Chief Information Security Officer at M2P Fintech, spoke about defining Minimum Business Continuity Objective levels during disruptions. One approach, he said, is to focus on ‘just enough’ services to keep the business running, rather than trying to restore everything at once. He said organisations could operationalise this by defining a limited set of “golden signals” for observability — such as latency, traffic, error rates, and saturation — to quickly assess system health without relying on detailed reports or executive dashboards.

Addressing the need for regular validation, Saravanakumar R., Senior Director – Tech Risk Management at Sutherland, said continuity plans could not remain static. “Earlier, organisations were satisfied with doing one annual drill, but that approach is no longer sufficient,” he said, adding that preparedness must be validated regularly across infrastructure, application and business layers, with resilience built into how systems are deployed and supported during a crisis.

Teams, he noted, were increasingly embedding resilience into applications through automation, frequent tabletop exercises and practices such as chaos engineering, where failures are deliberately introduced to test response. Regular, repeated exercises, he added, helped build operational memory and enabled organisations to respond more effectively when disruptions occur.

The panel was moderated by Suresh Vijayaraghavan, Chief Technology Officer, The Hindu.