10.03.2025
Anyone who wants to be successful in the long term needs to focus on the topic of business resilience. Groups with international operations rely on crisis-proof supply and distribution chains. For other companies, climate change or rising cybercrime pose greater threats. Despite all the differences, there are also similarities. We asked Prof. Mirjam Gruber-Durrer how companies can become more resilient.
Would you like to know how to make your company more future-proof? Subscribe to our business newsletter.
In order to increase business resilience, both risks and crises must be taken into consideration. When the appropriate strategy is defined, crises can also become new opportunities. PostFinance's Risk Control department differentiates between financial, strategic and operational risks:
Becoming aware of existing risks and analysing the specific dangers for your own company is an important first step. The issue of cybercrime in particular is still all too often underestimated: According to PwC, there is a ransomware attack on a Swiss company every 11 seconds. More information can be found at The link will open in a new window pwc.ch.
In the following expert interview, you will learn more about how you can improve resilience in your company – from cyber resilience to a resilient supply chain.
We asked Prof. Mirjam Gruber-Durrer how to implement more resilience in companies. In the interview, the expert in board management also emphasized the legal obligations that company management has with regard to resilience and integral risk management.
Prof. Mirjam Gruber-Durrer is a lawyer and lecturer for normative board management at the Lucerne University of Applied Sciences and Arts – Business.
First, it should be noted that, even in an SME, the Board of Directors (or usually the highest management body) is responsible for the creation, implementation and monitoring of integral risk management. This legal obligation applies regardless of the industry and legal form and is therefore also relevant for the public sector.
As part of the risk identification stage, the Board of Directors must ask the key question of risk management: what is the worst that could happen to our company?
In practice, there is often a lack of imagination to help answer this question, and risk management is still given a secondary role to play in the matter. In addition, many companies continue to work with static individual risks. However, since reality is more dynamic and complex, this method is not sufficient to adequately capture developments such as cyberattacks, supply chain disruptions and geopolitical tensions. Companies should therefore develop complete scenarios, which also help identify "emerging risks" .
To increase the resilience of the company, and according to our Lucerne board management model, the Board of Directors needs to manage four areas of action:
In order for the board of directors to carefully manage these four areas of action and increase the company's resilience, it requires not only integral risk management but also company-wide opportunity management. This is one of the core competencies every board of directors needs to have when it comes to making a company future-proof and maintaining it
The Board of Directors must always monitor the financial balance of the company. If it finds that the company is in financial difficulties, it must take immediate action. This is where integrated risk management, which also includes the internal control system, crisis management and business continuity management, can make a valuable contribution: if crisis management measures have already been planned and – ideally – introduced, the Board of Directors can quickly switch to active crisis management mode. It is also important that the Board of Directors regularly defines the right priorities in the (continuous) development of the strategic portfolio. The normative framework serves as a value-based compass for the company and provides valuable guidance.
We questioned approximately 400 board members, and this survey showed that the importance of cyber resilience has increased over the past few years. Most of the companies we surveyed are aware of cyber threats, since cyber attacks can cause significant damage. As digitization increases, cyber risks are also on the rise. It is crucial that board members continue to work on the issue and have a clear understanding of their role and responsibilities. In addition, transparent and regular communication between management and the Board of Directors is key.
In practical implementation, it is also vital to handle cyber risks as part of integral risk management and to consistently assess and manage those risks in the risk management process. It is advisable to carry out crisis management exercises in the event of a cyber attack.
It is important that risks related to the supply chain are systematically identified, analysed and assessed in the risk management process. Within the meaning of the integral approach, both preventive measures (e. g. diversification of the supplier base) and reactive measures (e. g. drafting of a communication concept for all stakeholders) should be defined in order to be prepared for an emergency.
It is essential that the Board of Directors always considers what impact the failure of the main supplier, for example, will have on the four areas of action of the Lucerne Board Management Model: Governance, Running the Business, Changing the Business and Resources.
Under Swiss law, the Board of Directors is considered to be the company’s first “resilience line”. It is therefore responsible for the risk culture with which it shapes the thinking and actions of all the employees with regard to integral risk management. The risk culture reflects the corporate culture and is a key success factor for fully functional risk management.
In order for risk management to increase the resilience of a company, employees need to have a similar risk awareness. In order to establish this, the Board of Directors and the management board should lead by example and openly discuss risks. It is also advisable to regularly practice emergency situations with employees and to stress lessons learnt.
Unfortunately, there is no universal solution that works perfectly for every company. Nevertheless, we would like to provide you with some guidelines below on how you can approach the topic of business resilience in a structured and effective manner.
The first step should consist of an in-depth analysis. As part of this, you can ask how resilient the company already is in various areas: market, supply chain, IT, finance and employees. The simulation of a crisis situation can also be part of this analysis; it can highlight how quickly important information reaches the relevant decision-makers, to what extent the crisis is addressed in a structured way and how well crisis plans work. This includes targeted tests, for example in the field of IT security, but also the complex scenarios mentioned in the interview. Especially where such analyses show a weak point, you should start taking measures to increase business resilience.
It basically depends on the needs of each individual company in which areas measures for increased resilience should be introduced first. In addition, business resilience is a continuous process that constantly requires additional adjustments. Irrespective of this, measures can also be organized based on the urgency within certain limits.
Advanced digitization is key to a company’s resilience in times of economic uncertainty. This should ideally improve efficiency and increase the speed in the transmission of information. Furthermore, testing and implementing innovations is easier in a digital environment. Moreover digitization as a macro trend is itself one of the main challenges companies have to rise to nowadays. In this context, digital resilience is also important – from appropriate cybersecurity and data protection measures to cybersecurity training for employees.
As soon as possible, the company's leaders and managers should strive to implement an innovative, resilient corporate culture with transparent communication at the same time as digitization. This also creates an environment that is conducive to additional measures around business resilience. Depending on the size of the company, adapting the corporate culture to involve both management and all employees can be a challenging task This is why you should resort to tried-and-tested Change Management methods. You should also not delay resilient financial planning. Nobody knows when the next crisis will happen. Therefore, crisis-proof liquidity must become a top priority. However, in the context of growth strategies based on innovation and diversification, this is a long-term measure. The same applies to the supply chain. In the short term, possible risks can be quickly identified, using the FM Resilience Index. The 2024 FM Resilience Index is available here: The link will open in a new window fm.com. In the long term, however, it may also make sense to have alternative plans in the event of a crisis. Here, too, stress tests are a good way to check existing resilience and identify potential for improvement.
Cash management, payment transactions and digital invoices improve financial resilience, by ensuring a stable financial situation and promoting digitization. Discover products and solutions for payment transactions, cash management and digital invoices.
Or get personal advice from our experts to find the solutions that suit your company.
Business resilience describes the ability of a company to manage crises and quickly adapt to changing conditions.
ISO standard 22316 "Security and resilience — Crisis management — Guidelines" describes the following characteristics of resilient companies:
The example of plants can be used to illustrate what resilience can look like for companies. A number of plants develop despite adverse conditions, make their way towards the light or survive long dry spells. The preconditions for this, however, can be found in their structure: only particularly deep roots can reach groundwater at a depth of more than 30 meters; for example, the famous "Arbre du Ténéré" was able to continue to thrive hundreds of kilometres away from other trees, in the Nigerian desert in North Africa – while all other trees around it slowly disappeared.
