Operational Resilience Became a Personal Liability. Has Your Board Seen It Work?
Somewhere in the last 2 years, operational resilience stopped being a department's problem and became a name on a document.
Under DORA, the management body itself is accountable for ICT risk, and senior leaders can face personal fines.
Under the UK Senior Managers Regime, a named individual carries personal accountability for resilience.
APRA CPS 230 puts the obligation squarely on the board.
The pattern is consistent across regimes: the responsibility now attaches to specific people, the board and the executives answerable to it.
The individuals now liable for resilience are, in most firms, the people who have never watched it happen.
The briefing gap
A board learns about its own resilience the way it learns about most things: through a briefing.
A slide says the incident response plan is current. A summary says the last exercise went well. A vendor presents a maturity score. The director reads it, asks a question or two, and signs.
APRA named this directly in its 2026 letter to industry. Boards lean too heavily on vendor presentations and summaries, without examining what sits underneath them or the impact on critical operations. The regulator was writing about AI, and the point generalizes. A board can approve a resilience posture it has only ever seen described.
This is the quiet problem with attestation. A plan is a claim about what people will do. A summary is a claim about that claim. Neither is the thing itself.
What a document cannot tell you
You can read an incident response plan end to end and still not know the answers to the questions that decide an event. When the bridge call starts, who actually leads. How long the room takes to agree on what is happening. Whether the CEO and the security team are working from one picture or two. Where the plan names a person who left in March.
These are behavioral facts, and they surface only when people are placed in a realistic situation and asked to act.
A board that has watched its own executives work a severe scenario knows things about its resilience that no report can carry.
Marking your own homework
The people who brief the board on resilience are usually the people who built it. That is a structural conflict, the governance equivalent of marking your own homework. Independent assurance was the traditional answer, but an audit of documentation tests the documentation. It does not test the capability.
Watching the capability perform is the independent evidence. When a board sits inside a scenario, or runs its own, it sees the unedited version: the hesitations, the gaps, the moment the plan meets reality. That is the view a signature is supposed to rest on.
What a director should be able to say
The bar is concrete. A current plan is the floor. Above it sits the thing regulators, auditors, and acquirers increasingly ask for, stated in the first person: I have watched this team handle a severe scenario, I know how they performed, I know where we were weak, and I know what we changed as a result. That sentence cannot be sourced from a slide. It comes from observation.
The value of a board scenario is finding the gap before a regulator or a real event does, while the cost of the lesson is still measured in a couple of hours rather than a headline.
Capability has a short shelf life
One more reason this is never a one-time sign-off. The team you watched perform last year may not be the team you have now. People move, a key responder leaves, a core vendor changes, the playbook gets rewritten. The capability a board observed in one exercise begins drifting the moment the exercise ends. A signature based on last year's view is a signature based on a firm that no longer exists.
So a board's read has to be current, and it has to show change over time. A single annual set piece cannot do that. A cadence of shorter, measured scenarios can.
Where iluminr fits
Through microsimulations, boards and executives step into severe but plausible scenarios and make the calls a real event would demand.
Their decisions and behaviors are captured, and the Capability Intelligence Index turns the session into a measure a director can stand behind.
The Capability Graph records how that capability changes between exercises, so the board's view stays current instead of frozen at the last offsite.
The question for your next board meeting
Ask a sharper question than whether the plan exists. When did this board last watch its own people handle a crisis, and what did we learn from it? If the honest answer is a briefing, a summary, or a slide, the attestation is resting on a claim. The way to make it rest on evidence is to watch the capability work.