Establishing a Resilience Council: Bridging the Gap Between Strategy and Practice

EDITOR’S NOTE: This article is part of a seven-part “Cross-Departmental Resilience Framework” series by Scott Balentine of Methodist Le Bonheur Healthcare. The series offers a practical roadmap for embedding resilience across governance, operations, and culture.

Resilience is no longer a topic confined to risk management teams or IT departments—it has become a board-level imperative. In an era defined by escalating cyber threats, supply chain vulnerabilities, climate-related disruptions, and global pandemics, organizations face a constantly evolving risk environment. Yet many institutions still approach resilience in a fragmented manner, with departments acting independently rather than collaboratively. This lack of integration results in significant blind spots and a hidden gap between preparedness on paper and performance in practice. The creation of a resilience council directly addresses this challenge by providing a unified governance structure that brings diverse functions together under one cohesive strategy. In doing so, organizations can align their resilience objectives with their mission, risk appetite, and regulatory obligations, while ensuring plans are not only written but also lived across the enterprise.

The Illusion of Cross-Functional Resilience

One of the most common pitfalls organizations encounter is believing resilience exists because individual departments have their own continuity or contingency plans. For example, IT may have a robust disaster recovery framework, HR may have policies for maintaining workforce availability, and operations may oversee vendor continuity. However, in the absence of a central governing body, these plans often operate in silos. When a real crisis strikes, these silos create confusion: IT may prioritize restoring systems, HR may focus on employee welfare, and operations may concentrate on logistics—all without alignment to the organization’s broader priorities. This illusion of resilience leads to misaligned priorities, duplicated efforts, and slower recovery times. True resilience requires an integrated council that orchestrates these efforts and ensures departments move in the same direction when it matters most.

Governance as the Bridge Between Policy and Action

Effective resilience is not measured solely by the existence of documented plans but by the ability to translate those plans into decisive action during crises. Governance serves as the bridge between policy and execution. International frameworks reinforce this point: ISO 22301 mandates top management’s involvement in business continuity governance, NIST SP 800-34 highlights oversight of contingency planning for information systems, and the NIST Cybersecurity Framework 2.0 introduces the “govern” function, which aligns resilience with organizational strategy. These frameworks collectively stress the importance of leadership accountability and coordinated oversight. A resilience council embodies these principles by uniting diverse departments into a single decision-making forum. Rather than functioning as an additional bureaucratic layer, the council acts as the operational hub where resilience strategy is debated, refined, and executed.

Why Councils Matter: Lessons from Experience

The value of a resilience council is best illustrated through real-world examples. In December 2022, Southwest Airlines experienced a catastrophic scheduling failure during the holiday season. The lack of cross-departmental governance meant IT, crew scheduling, and customer service teams acted independently, creating cascading failures which led to mass cancellations and financial losses. Conversely, Cleveland Clinic’s response to COVID-19 demonstrated the benefits of an integrated governance structure. Its cross-functional council included clinical leaders, IT, HR, and communications, allowing the organization to reallocate resources, build surge capacity, and maintain consistent messaging. Similarly, Kaiser Permanente successfully evacuated hospitals during California wildfires by leveraging a council-like command structure that coordinated clinical, operational, and emergency management teams. These contrasting case studies show governance is not optional—it is the deciding factor between resilience and breakdown.

The Hidden Gap in Resilience Efforts

Even when councils are formally established, they may fall victim to the same hidden gap that internal audits often reveal in disaster preparedness: the difference between documented policy and real-world execution. Councils may have charters, mandates, and membership lists, but if meetings are irregular, exercises are superficial, or reporting is inconsistent, the council becomes symbolic rather than operational. Bridging this gap requires embedding governance into the rhythm of the organization. Councils must move beyond compliance-driven meetings to actively test and challenge assumptions, sponsor realistic exercises, and follow through on corrective actions. Without these steps, councils risk becoming check-the-box entities that fail under pressure.

Actionable Steps to Close the Gap

To ensure a resilience council achieves its intended impact, organizations should implement the following steps:

Securing Executive Sponsorship

Securing executive sponsorship is the foundation of an effective resilience council. By appointing a senior leader—such as the COO, CIO, or CRO—as the council chair, organizations provide authority, visibility, and credibility. Executive sponsorship signals resilience is not simply an operational exercise, but a strategic priority tied to organizational performance and long-term sustainability. This visible leadership commitment encourages cross-departmental engagement and ensures the council has the weight to influence decision-making at the highest level.

A Clear Mandate

A clear mandate is equally critical. The council’s scope of authority must be well-defined, covering oversight of risk assessments, continuity planning, incident response, and post-incident reviews. Clarity prevents duplication of efforts or confusion about responsibilities. In addition, empowering the council to allocate resources and escalate key decisions directly to the board ensures resilience activities remain aligned with organizational strategy and receive the necessary support.

The Correct Composition

The council’s effectiveness also depends on its composition. Membership should extend beyond IT and risk management functions to include representatives from HR, finance, legal, communications, facilities, and sector-specific leadership. For example, in a healthcare setting, clinical leadership must be represented to ensure operational priorities are addressed. This diversity of perspectives ensures resilience planning reflects the full organizational landscape, leading to more balanced and effective decision-making.

Governance Processes

Governance processes formalize the council’s activities. Scheduling quarterly meetings for oversight establishes regular accountability, while reserving the ability to convene ad hoc during crises enables agility. A cyclical governance process allows the council to continually review risks, approve playbooks, oversee exercises, and monitor corrective actions. This balance of routine structure and flexibility equips the council to respond effectively in both steady state and disruptive environments.

Reporting Standards

Reporting standards further enhance accountability and transparency. By defining metrics such as recovery time objectives (RTOs), downtime against tolerances, and exercise completion rates, the council creates measurable indicators of resilience performance. Dashboards that consolidate these metrics provide executives and boards with a clear view of organizational readiness. Standardized reporting not only supports internal governance but also builds confidence among regulators, customers, and stakeholders.

Cross Functional Exercises

To validate plans and identify weaknesses, councils must sponsor cross-functional exercises. Enterprise-wide tabletop scenarios and live simulations test both technical recovery and business continuity in a controlled environment. These exercises foster collaboration between departments, expose vulnerabilities, and provide data which feeds back into corrective actions and strategic decisions. Exercises thus serve as both a training mechanism and a measurement tool.

A Culture of Preparedness

Finally, resilience councils should focus on embedding a culture of preparedness across the organization. Rather than being viewed as a controlling or punitive body, the council must position itself as collaborative and supportive. Preparedness should be framed as a shared organizational value reinforced through regular training, transparent communication, and integration into performance evaluations. When employees see resilience as part of daily work rather than an abstract compliance requirement, the organization develops the confidence and agility needed to respond decisively in times of crisis.

The Role of Senior Leadership

Resilience governance is ultimately a leadership responsibility. Without executive commitment, even the best-structured councils will lack influence. Leadership must allocate resources, approve tolerances for downtime, and support corrective actions. Leaders must model resilience by actively participating in exercises, engaging with council activities, and emphasizing preparedness as a cultural priority. This visible commitment builds trust across the organization and ensures employees understand resilience is integral to organizational success. Senior leaders who prioritize governance not only reduce risks but also strengthen reputation, regulatory compliance, and stakeholder confidence.

Challenges and Mitigation Strategies

While the benefits of establishing a resilience council are clear, organizations often face challenges in implementation. Departments may resist centralized oversight, fearing loss of autonomy. Others may point to overlapping governance bodies, such as IT steering committees or risk boards, as potential redundancies. Additionally, councils require time and resources from executives who already face competing priorities. To address these challenges, leaders should frame the council as collaborative rather than hierarchical, integrate resilience responsibilities into existing committees where appropriate, and emphasize regulatory requirements that mandate resilience governance. Highlighting high-profile failures such as Southwest Airlines demonstrates the cost of inaction and builds the case for investing in governance.

Conclusion

The resilience council is more than a committee—it is the mechanism by which organizations align cross-departmental efforts under a unified governance framework. It addresses the hidden gap between theoretical preparedness and real-world execution, transforming resilience from a compliance exercise into an enterprise capability. Organizations that embrace governance, like Cleveland Clinic and Kaiser Permanente, navigate crises more effectively and preserve stakeholder trust. Conversely, organizations without governance, such as Southwest Airlines, suffer costly failures that damage reputation and operations. By securing sponsorship, defining mandates, assembling diverse membership, and implementing structured processes, organizations can embed resilience as a living, breathing element of their strategy. In an unpredictable world, the resilience council ensures resilience is not an illusion but a tested, trusted capability that enables long-term success.

***

The next article in this seven-part series, “Defining Important Business Services: Prioritizing What Matters Most for Organizational Resilience,” explores how organizations can move beyond asset-based recovery to focus on the continuity of services that matter most to customers, regulators, and stakeholders. Drawing on leading frameworks such as ISO 22301, NIST SP 800-34, and the UK Financial Conduct Authority’s PS21/3 policy, it provides practical guidance for identifying critical services, setting impact tolerances, and aligning governance structures to ensure operational resilience. Real-world examples from Toyota, TSB Bank, and Cleveland Clinic illustrate how service-based resilience strengthens trust, efficiency, and long-term sustainability.