At virtually every event I have attended recently, the topic of resilience comes up. Supply chain resilience, national resilience, business continuity, corporate resilience—the subject is everywhere. The current coalition agreement between the SPD, CDU, and CSU alone uses the word “resilience” an astonishing 26 times, referring to financial market resilience, transportation resilience, IT resilience, and even democratic resilience. Yet one question remains unanswered: how does an organization actually become resilient?

To understand this, I have approached the topic professionally and am now serving on the board of an association for crisis resilience. First of all, resilience is not a state that can be achieved merely by complying with legal requirements—such as the KRITIS umbrella law or the NIS2 directive—or by implementing standards like DIN EN ISO 22301. While these frameworks can help build resilience capabilities in an organization over the long term, this usually happens bottom-up, across all departments. Resilience is an attitude and therefore part of organizational culture. Like any skill, developing resilience requires practice, but it is worthwhile: resilient organizations remain stable over time and handle crises more effectively.

By resilience, I mean the robustness and coping capacity of an organization—its ability to deal with crises, whether they occur suddenly or develop gradually. An often underestimated aspect is vigilance, a form of preventive monitoring. It involves continuous awareness of potential disruptions or risks long before they become a crisis. Vigilant organizations detect early warning signs in time and can act preventively rather than just reactively.

A colleague who has worked in crisis management consulting for years shared his experiences with me. I was surprised to learn that even large corporations often have significant gaps in their crisis resilience. How can this be? These organizations generally comply with all legal requirements, have appointed crisis teams, and spare no expense to secure their sites physically. Yet many still fail when a real crisis occurs.

The answer is actually simple. First, crises are often recognized too late. Valuable time passes before a situation is officially classified as a crisis and the crisis team begins work. This delay is often driven by a reluctance to take responsibility for decisions. Second, many organizations fail to distinguish the essential from the nonessential. Instead of focusing on core processes following the Pareto principle, they get lost in working groups and endless discussions. Decisions are postponed, which can be fatal in a crisis. Third, information gathering is often insufficient, especially in crises with external causes. The internet and phone lines are often unreliable during a crisis. Methods and techniques are needed to remain operational even when communication channels are compromised.

None of this is rocket science, and it does not cost a fortune. The value, however, is immeasurable if the next crisis is handled professionally. And the next crisis will inevitably come; we just do not know when or in what form. A cyberattack requires different measures than a flood or earthquake, but preparation remains the key to success.

While companies in critical infrastructure sectors are legally obliged to ensure resilience, many small and medium-sized enterprises still exhibit uncertainty or even a form of “crisis amnesia.” In a time when hybrid attacks and supply chain disruptions have become the new normal, smaller companies should also regularly simulate emergencies and practice crises. Crises have always existed, but the frequency with which they occur today is much higher. The hope that everything will simply turn out fine is certainly the worst advisor in this matter.