Disaster Recovery Journal Winter 2025
welfare, and operations may concentrate on logistics—all without alignment to the organization’s broader priorities. This illusion of resilience leads to misaligned priorities, duplicated efforts, and slower recovery times. True resilience requires an integrated council that orchestrates these efforts and ensures departments move in the same direction when it matters most.

Governance as the Bridge Between Policy and Action

Effective resilience is not measured solely by the existence of documented plans but by the ability to translate those plans into decisive action during crises. Governance serves as the bridge between policy and execution. International frameworks reinforce this point: ISO 22301 mandates top management’s involvement in business continuity governance, NIST SP 800-34 highlights oversight of contingency planning for information systems, and the NIST Cybersecurity Framework 2.0 introduces the “govern” function, which aligns resilience with organizational strategy. These frameworks collectively stress the importance of leadership accountability and coordinated oversight.

A resilience council embodies these principles by uniting diverse departments into a single decision-making forum. Rather than functioning as an additional bureaucratic layer, the council acts as the operational hub where resilience strategy is debated, refined, and executed.

Why Councils Matter: Lessons from Experience

The value of a resilience council is best illustrated through real-world examples. In December 2022, Southwest Airlines experienced a catastrophic scheduling failure during the holiday season. The lack of cross-departmental governance meant IT, crew scheduling, and customer service teams acted independently, creating cascading failures which led to mass cancellations and financial losses. Conversely, Cleveland Clinic’s response to COVID-19 demonstrated the benefits of an integrated governance structure. Its
cross-functional council included clinical leaders, IT, HR, and communications, allowing the organization to reallocate resources, build surge capacity, and maintain consistent messaging. Similarly, Kaiser Permanente successfully evacuated hospitals during California wildfires by leveraging a council-like command structure that coordinated clinical, operational, and emergency management teams. These contrasting case studies show governance is not optional—it is the deciding factor between resilience and breakdown.

The Hidden Gap in Resilience Efforts

Even when councils are formally established, they may fall victim to the same hidden gap that internal audits often reveal in disaster preparedness: the difference between documented policy and real-world execution. Councils may have charters, mandates, and membership lists, but if meetings are irregular, exercises are superficial, or reporting is inconsistent, the council becomes symbolic rather than operational.

Bridging this gap requires embedding governance into the rhythm of the organization. Councils must move beyond compliance-driven meetings to actively test and challenge assumptions, sponsor realistic exercises, and follow through on corrective actions. Without these steps, councils risk becoming check-the-box entities that fail under pressure.

Actionable Steps to Close the Gap

To ensure a resilience council achieves its intended impact, organizations should implement the following steps:

Securing Executive Sponsorship

Securing executive sponsorship is the foundation of an effective resilience council. By appointing a senior leader—such as the COO, CIO, or CRO—as the council chair, organizations provide authority, visibility, and credibility. Executive sponsorship signals resilience is not simply an operational exercise, but a strategic priority tied to organizational performance and long-term sustainability. This visible
leadership commitment encourages cross-departmental engagement and ensures the council has the weight to influence decision-making at the highest level.

A Clear Mandate

A clear mandate is equally critical. The council’s scope of authority must be well-defined, covering oversight of risk assessments, continuity planning, incident response, and post-incident reviews. Clarity prevents duplication of efforts or confusion about responsibilities. In addition, empowering the council to allocate resources and escalate key decisions directly to the board ensures resilience activities remain aligned with organizational strategy and receive the necessary support.

The Correct Composition

The council’s effectiveness also depends on its composition. Membership should extend beyond IT and risk management functions to include representatives from HR, finance, legal, communications, facilities, and sector-specific leadership. For example, in a healthcare setting, clinical leadership must be represented to ensure operational priorities are addressed. This diversity of perspectives ensures resilience planning reflects the full organizational landscape, leading to more balanced and effective decision-making.

Governance Processes

Governance processes formalize the council’s activities. Scheduling quarterly meetings for oversight establishes regular accountability, while reserving the ability to convene ad hoc during crises enables agility. A cyclical governance process allows the council to continually review risks, approve playbooks, oversee exercises, and monitor corrective actions. This balance of routine structure and flexibility equips the council to respond effectively in both steady state and disruptive environments.

Reporting Standards

Reporting standards further enhance accountability and transparency. By defining metrics such as recovery time objectives (RTOs), downtime against tolerances,