There is a chart most directors have seen. Businesses rise, mature, plateau, and then decline. It is usually framed as a market story. Competition tightens, innovation slows, new entrants disrupt.
That explanation is comfortable. It is also incomplete.
From a cyber and operational resilience standpoint, the curve tells a different story. Not about markets, but about what builds quietly underneath success.
In the early stages, organisations are relatively simple. Systems are fewer. Dependencies are clearer. Decisions travel quickly. Risk exists, but it tends to be visible and contained.
Scale changes that. Technology accumulates rather than being designed. Platforms are layered. Third parties become critical without ever being treated that way. Legacy systems stay in place because replacing them feels disproportionate. Over time, the organisation becomes harder to fully understand, even from the inside.
By the time performance stabilises and the business looks mature, something else has happened. Complexity has outpaced control.
Boards do not always see this. They are looking at the right things, just not the whole picture. Revenue is steady. Margins are holding. Operations appear consistent. The signals of success are all there.
The problem is that resilience does not sit neatly in those signals. It sits in the joins. In the dependencies that are assumed rather than mapped. In the systems no one wants to touch. In the belief that because something has worked, it will continue to do so.
That is where governance starts to slip. Not through negligence, but through misplaced confidence.
Many boards are not underestimating resilience risk. They simply do not experience it until it is tested. Assurance papers are read. Controls are noted. Incidents are low. The absence of disruption starts to feel like evidence of strength.
It is not.
Consider the more realistic sequence. A supplier fails or degrades without warning. A system behaves in a way no one anticipated. A cyber incident exposes a dependency that was never fully understood. What begins as a contained issue moves quickly. Operations are affected. Customers notice. Time compresses. Decisions that would normally take weeks are made in hours, often with incomplete information and rising pressure.
At that point, the conversation changes. Strategy pauses. Performance becomes secondary. The board is no longer guiding the business. It is trying to steady it, often without a clear line of sight into what is actually failing and why.
That shift does not happen because the strategy was wrong. It happens because the organisation was more fragile than it appeared.
This is where resilience needs to be understood differently. It is not an operational detail to be delegated and reported back through layers of assurance. It is part of whether the business can absorb stress without losing control. Treating it as a compliance exercise does not reduce risk. It simply delays its visibility.
Boards need to engage more directly. Not just asking whether controls exist, but whether they would hold under genuine stress. Not relying on assurance as a substitute for understanding. Not confusing stability with strength.
Because complexity does not announce itself as risk. It sits quietly inside success until something forces it into the open.
And when that happens, the question is no longer how the business will grow. It is whether the board ever truly understood the organisation it was governing.
- business a.m. commits to publishing a diversity of views, opinions and comments. It, therefore, welcomes your reaction to this and any of our articles via email: comment@businessamlive.com
Michael Irene, CIPM, CIPP(E) certification, is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of the Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; Twitter: @moshoke






