The five stages of business resilience – where does your organisation sit?

Resilience, or the lack of it, has become one of the hottest business talking points of recent years. Whether it’s a small company struggling with economic uncertainty or a massive global brand taken offline by a cyber-attack, the consequences of disruption can be dramatic.

According to the Business Resilience Index 2026, commissioned by Six Degrees, nearly three-quarters of organisations view the topic mainly through a security lens, when in reality, the issues are much broader and more nuanced. Yes, effective cyber security is a major contributor towards resilience, but developing a holistic approach means looking beyond protection to how the organisation maintains operations and responds to change.

To an extent, the fundamental challenge comes down to mindset, particularly when resilience is assumed rather than measured. Beyond operational teams, there’s often limited awareness of the issues at stake, and even where resilience activities exist (as is often the case), they are not always framed to support strategic decision-making.

As a result, organisations can dangerously overestimate their maturity and, by definition, their levels of preparedness. But in the absence of a clear benchmark, it is difficult to identify gaps or compare performance with peers.

The Business Resilience Index study, based on research with 600 senior UK IT and security leaders, reveals most organisations sit in the middle of the maturity curve, meaning they can respond to disruption but lack the consistency and foresight to move beyond a reactive approach.

Attempts at improving processes are often uneven, with strength in one area masking weaknesses in others, creating gaps that only become visible under pressure. As a result, resilience remains fragmented, with potentially very serious consequences should an organisation encounter a significant or unexpected challenge.

Benchmarking resilience

So, what are the main levels of business resilience, and how can organisations identify and implement areas of improvement?

The first point to understand is that resilience is not a fixed state. Generally speaking, organisations operate on a spectrum of five maturity levels depending on how consistently resilience is embedded across the business.

At the least developed end of the scale, ‘At Risk’ organisations are vulnerable to disruption. Here, processes are fragmented, planning is limited, and recovery is often manual, which increases exposure when issues arise.

Next, ‘Reactive’ organisations are able to respond when incidents occur but don’t anticipate them. As a result, issues are addressed after the fact, which can lead to repeated disruption.

As mentioned, many organisations sit in the ‘Stable’ category. In these environments, controls are in place so major failures are less likely. However, resilience is likely to remain process-driven rather than fully embedded, limiting the ability to adapt quickly.

‘Agile’ organisations can pivot rapidly to changing demands, with people, processes and platforms aligned to support responsiveness. At the highest level, ‘Strategically Resilient’ organisations embed resilience across the business, aligning it with leadership priorities and using it to support both operational performance and decision-making.

Key pillars

Progressing between these stages is not driven solely by investment; it depends on how well resilience is integrated across the organisation and consistently applied across five key pillars ranging from continuity and scalability to efficiency, innovation and, of course, security.

Take continuity, for example, which is the most fragile dimension of resilience. Almost one in three organisations (28%) are At Risk, and fewer than one in ten (9%) reach Strategically Resilient status. Mean uptime across critical business services in the last 12 months was just 73% – indicating continuity is still something firms recover rather than engineer in. The lack of embedded practice poses a real risk. Without clear ownership and alignment across teams, even well-documented continuity plans are unlikely to be effective in the moment.

In contrast, Scalability is where most organisations are performing better. While 14% remain At Risk and another 18% are classed as Reactive, a combined 54% fall into the Agile (37%) and Strategically Resilient (17%) tiers. This suggests that, for many businesses, the ability to scale infrastructure and operations, both reactively and proactively, is a growing strength.

Efficiency remains a critical area of untapped potential. Only 7% of businesses have reached the highest tier of Strategically Resilient, while 39% are rated Agile. This means just under half of all businesses appear to be actively streamlining operations and using digital tools to drive smarter, more responsive decisions.

Innovation is the clearest indicator of future readiness, and yet it’s the most unevenly distributed of the five pillars. While nearly half (48%) of businesses in the Business Resilience Index are rated as Agile on innovation, only 2% are Strategically Resilient. This suggests that although many are experimenting with or adopting new technologies, very few have embedded innovation into their culture, governance, and day-to-day decision-making.

Turning to security, only 5% of businesses have reached the Strategically Resilient tier, suggesting that few have embedded proactive, governance-led security models that continuously evolve. At the other end of the spectrum, 8% of businesses remain At Risk, reflecting significant gaps in visibility, leadership support, or control frameworks. The majority cluster in Agile (51%), indicating that many are taking security seriously, but have yet to reach the levels of integration and agility that would define a modern, opportunity-ready position.

Bringing all these elements together, it is clear that while most organisations understand the importance of resilience, relatively few have fully embedded it as a strategic capability. Those who approach it holistically are better positioned to address future challenges head-on, but progress depends on how consistently it is built into everyday operations.

Rhys Sharp, Solution Director, Six Degrees

Rhys Sharp is Solution Director at Six Degrees. A seasoned strategic leader, cloud specialist, and technology evangelist with more than 20 years’ experience in the IT sector, Rhys’ career spans co-founding innovative start-ups to serving as CTO at SCC, Europe’s largest privately owned reseller.
