Foresight and Resilience: Designing enterprises that adapt ahead of disruption

Pilots do not trust a single safeguard. Aircraft have recovery procedures, redundant systems, and instruments that warn of turbulence before it shakes the cabin. Enterprises need the same logic. Recovery matters, but the ability to “read the sky” early and adjust course is what keeps you out of trouble.

Business continuity provides security, but sources indicate that its scope is limited to maintaining operations during disruptions¹. If disruption strikes, the organisation can restore critical services, and operations continue. That still matters. ISO 22301² formalises a management system for continuity, outlining how to plan, implement, monitor, and improve essential services so that they can be recovered quickly and reliably. Treat this as hygiene, not strategy.

The question for leaders is why some organisations absorb pressure, adapt their operating model, and emerge in a stronger position. The answer is foresight-driven enterprise design. Resilience is built when foresight informs how you design and operate the enterprise. Foresight expands the horizon of risks and opportunities, feeds scenario work, and shapes choices about the design, including the architecture, people and the experience. When that foresight becomes part of day‑to‑day design, resilience shows up in systems that bend under load, learn quickly, and continue to deliver value. That view is consistent with ISO 22316³, which frames organisational resilience as principles and attributes that leaders can tailor across the life of their organisations rather than a fixed checklist.

Cyber‑resilience engineering makes the role of anticipation explicit. NIST SP 800‑160, Vol. 2 (Rev. 1) defines the goals for cyber‑resilient systems as anticipate, withstand, recover, and adapt. The order matters. You design for what you expect to face, then engineer the system to hold up, restore quickly, and improve after each event.

Safety science arrives at the same place. Professor Erik Hollnagel's thinking on resilience engineering emphasises four abilities that resilient systems cultivate: monitor, anticipate, respond, and learn. When these abilities are embedded in operations and governance, the organisation becomes better at reading weak signals, acting early, and converting experience into capability.

What regulation is asking for

The regulatory trend reinforces this shift. In the EU, DORA establishes uniform operational-resilience requirements for the financial sector, including scenario-based testing, ICT risk management, incident reporting, and oversight of critical third parties. This is anticipatory by design, not just contingency planning.

The broader risk landscape points the same way. The World Economic Forum's Global Risks Report 2025 highlights the interplay of geopolitical, environmental, societal, and technological risks, and the need to balance immediate crises with longer‑term priorities. Again, it is a case for anticipatory capacity, not reactive plans.

Where antifragility fits

Antifragility is a useful north star in specific contexts. Taleb's formulation describes systems that gain from volatility rather than merely survive it. In enterprises, this phenomenon is evident when stressors trigger learning, option creation, and portfolio adjustments that improve performance after the shock. Last year, I had a chat with an Antifragility Architect, Edzo Botjes. Feel free to listen on Spotify if you missed that.

The antifragility concept is powerful, though less standardised than resilience in management practice. Recent work is beginning to operationalise antifragility for organisations, but the empirical base is still emerging.

A practical way to move now

Here is what organisational leaders need to remember and do to begin embedding foresight and resilience in the core of how their enterprises operate:

  1. Strengthen continuity with ISO 22301 as the backbone. Confirm that critical services, recovery objectives, and communications are defined, tested, and maintained. Keep it lean and current.

  2. Institutionalise foresight so it routinely informs your enterprise strategy and design. Build lightweight horizon scanning, scenario work, and dependency mapping into roadmaps, vendor choices, and architecture decisions. Align this with the principles in ISO 22316.

  3. Engineer resilience into systems and operations. Use the NIST sequence of anticipate, withstand, recover, and adapt to guide architecture patterns, data protection, and incident playbooks. Pair it with resilience‑engineering abilities to monitor, anticipate, respond, and learn.

  4. Meet regulatory intent by adopting operational‑resilience practices that define impact tolerances, test severe scenarios, and manage third‑party risk with evidence. This keeps you compliant and pushes the organisation toward anticipatory design.

  5. Pursue antifragility where it fits. In product portfolios, innovation pipelines, or selective risk‑taking, create options that can grow in value during volatility. Keep claims modest and keep learning as the literature matures.

The thread running through all of this is straightforward. Foresight is the discipline that makes resilience truly possible. Continuity keeps the lights on. Foresight changes what you build and how you operate. Resilience is what shows up when those design choices meet the real world, if you have designed your enterprise for it.


Further Reading

  1. Splunk. (2025, January 7). Business continuity vs. business resilience: What’s the difference? Splunk Blog. https://www.splunk.com/en_us/blog/learn/business-continuity-vs-business-resilience.html

  2. International Organization for Standardization. (2019). Security and resilience — Business continuity management systems — Requirements (ISO 22301:2019). ISO. https://www.iso.org/standard/75106.html

  3. International Organization for Standardization. (2017). Security and resilience — Organizational resilience — Principles and attributes (ISO 22316:2017). ISO. https://www.iso.org/standard/50053.html

  4. Ross, R., Winstead, M., & McEvilley, M. (2021). Developing cyber-resilient systems: A systems security engineering approach (NIST Special Publication 800-160, Volume 2, Revision 1). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-160v2r1

  5. Hollnagel, E. (2015). RAG – Resilience analysis grid [Technical note]. https://erikhollnagel.com/onewebmedia/RAG%20Outline%20V2.pdf

  6. European Parliament and Council of the European Union. (2022, December 27). Regulation (EU) 2022/2554 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011. Official Journal of the European Union. https://www.digital-operational-resilience-act.com/

  7. World Economic Forum. (2025, January). The global risks report 2025: 20th edition [Insight report]. World Economic Forum. https://reports.weforum.org/docs/WEF_Global_Risks_Report_2025.pdf

  8. Taleb, N. N. (2012). Antifragile: Things that gain from disorder. Random House. https://www.randomhousebooks.com/books/176227/

  9. Trans European Policy Studies Association. (n.d.). Analysis: Antifragile things that gain from disorder by Nassim Nicholas Taleb. TEPSA. https://tepsa.eu/analysis/antifragile-things-that-gain-from-disorder-by-nassim-nicholas-taleb/
