Key takeaways
- Technology resilience is becoming a strategic driver of ROIC, not just an IT cost. Over the next decade, leading organisations will treat resilience as a capital allocation decision that protects revenue, strengthens pricing power, lowers risk-related costs, and ultimately improves the spread between ROIC and the cost of capital.
- The value of resilience depends on economic outcomes, not the amount spent. The most successful firms will invest in resilience based on revenue at risk, customers’ willingness to pay for reliability, and the marginal return relative to alternative growth investments. Excessive redundancy, unnecessary complexity, and failure to retire legacy systems can destroy value rather than create it.
- Resilience creates long-term competitive advantage when embedded into the operating model. Organisations that make resilience auditable, capital-efficient, and commercially relevant can benefit from lower insurance and financing costs, stronger customer trust, faster recovery from disruptions, and sustained premium pricing that compounds over time.
The thesis
For most of the past decade, technology resilience sat in the CIO’s budget as a cost of doing business. Over the next ten years it will sit on the CEO’s scorecard as a determinant of return on invested capital.
The shift is not because the technology has changed. It is because the consequences of failure have moved from the operations report to the earnings call. The cost of redundancy has moved from a rounding error to a material capital allocation decision.
The firms that will widen the spread between ROIC and cost of capital are not those that spend the most on resilience. They are those that price resilience the way they price any other capital decision: against the revenue it protects, the premium it commands, and the alternative uses of the same dollar.
Reframing the CEO question
The wrong question is “how much resilience should we buy?” That question almost always produces gold plating, because no executive wants to be the one who underspent before an outage.
The right question has three parts:
- What is our revenue and reputation exposure if the most critical systems fail for one hour, one day, one week?
- What price will the market pay for our reliability relative to competitors?
- What is the marginal return on the next dollar of resilience spend versus the next dollar of growth spend?
Answer those three and the resilience budget falls out of the analysis. Skip them and the budget will be set by the loudest risk officer in the room.
The math that matters
ROIC is NOPAT divided by invested capital. Resilience moves both. The interesting cases are not where it moves one in isolation but where the two move together.
On the numerator, resilience protects revenue from downtime, reduces incident response cost, lowers insurance premiums, and increasingly supports pricing power in regulated and trust sensitive markets. In healthcare, and critical infrastructure, demonstrated resilience is moving from a sales objection handler to a pricing lever. We see B2B software vendors with verifiable four nines uptime command price premiums of fifteen to twenty five percent over functionally equivalent competitors.
On the denominator, the picture is more mixed than most boards appreciate. Naive resilience inflates the asset base without proportional revenue lift. Think geographic redundancy on legacy monoliths, hot standby capacity that runs at low utilisation, parallel data estates that cannot be decommissioned. The cost is not the spend itself. It is the opportunity cost of capital that could have funded growth.
Take my favourite sector. Healthcare already pays higher cyber insurance premiums than most other sectors. Try to construct a USD 300m tower with multiple underwriters and layers. With strong technology resilience, you might get good quality cover at USD 15m. With weak resilience exposed by the underwriters’ audit, expect to pay USD 30 to 45m, assuming your broker is lucky to place it at all. In the worst case, the claim could be denied for exclusion (known weakness) or misrepresentation in the proposal form.
The contrarian insight, drawn from the operating playbooks of the hyperscalers, is that modern resilience can reduce invested capital rather than increase it. When software is designed to absorb hardware failure, firms can run on commodity infrastructure at higher utilisation rates. They avoid the proprietary, mirrored, high cost stacks that traditional resilience demanded. The cultural shift required is significant. The capital efficiency gain is larger than most CFOs have modelled.
Where resilience compounds value
Five conditions make resilience accretive to ROIC over a ten-year horizon.
Industries where downtime maps directly to lost revenue. Trading platforms, payments, e-commerce at scale, on demand logistics, and clinical systems share a property: an hour of outage is an hour of revenue gone, and reputational damage compounds the loss. Resilience moves to the top of the capital allocation stack because the downside is genuinely existential, not merely embarrassing.
Markets where customers explicitly pay for reliability. Sovereign cloud, regulated workloads, and any B2B software where the buyer has a regulator of their own. Sales teams should be measured on the price premium they capture for reliability, not the volume of resilience features they describe.
Operating models that have already absorbed the cultural cost of distributed systems. Firms that have moved past monolithic architectures and built mature site reliability practices can layer additional resilience cheaply. The foundation is in place, and the marginal dollar produces a real return. Firms that have not made this transition will find that bolted on resilience is expensive and brittle.
Regulatory environments that are tightening. DORA in Europe, evolving SEC cyber disclosure rules in the United States, and the wave of AI safety regulation arriving over the next three years all push firms to make resilience auditable. Get ahead of the curve and you avoid both fines and the much larger cost of restructuring under regulatory pressure.
Capital structures sensitive to the cost of debt. Lenders and rating agencies are starting to price cyber and operational resilience into credit decisions. For capital intensive businesses, a fifty basis point reduction in borrowing cost compounds over a decade into material ROIC improvement. Often larger than the operational benefits the resilience program was originally justified by.
Where resilience destroys value
Five patterns reliably destroy value. Most large enterprises will fall into at least two of them without active CEO attention.
The gold plated redundancy trap. Buying mirrored everything for systems whose business impact does not justify it. The fix is a rigorous business impact assessment that ranks systems by revenue at risk per hour, not by the political weight of the executive who owns them.
The complexity tax. Each additional layer of resilience adds operational surface area, requires specialised talent, and slows change. The talent premium for senior site reliability engineers and security architects has roughly doubled over five years and will keep rising. Complexity that does not generate revenue is a margin diluter, full stop.
Stranded capital in legacy systems. Firms build resilient new platforms but cannot turn off the old ones, so they pay twice. The board should require, as a condition of any major resilience investment, a binding decommissioning plan with named accountability and dates. Without it, the new asset and the old asset both sit on the books and ROIC suffers for years.
CEO Tip 1: Use this rule of thumb at your next meeting with the COO
Ask them to bring data on the percentage of servers running an operating system older than the version officially sold as of April 2026.
For example, Ubuntu Server is 26.04, and everything older will need replacement from a quantum resilience perspective. If your company has, say, 25% of servers pre-April 2026, you know those 25% will drag on ROIC across most countries where you operate.
The same rule of thumb helps you direct your COO and CTO in setting their performance objectives.
Resilience theatre. Manual change boards, layered approval workflows, and process heavy controls that produce audit comfort but slow product velocity. Engineering productivity is the largest cost line in most digital businesses. A program that protects against a low probability event by reducing engineering throughput by twenty percent is rarely worth it.
Compliance driven spending with no operating impact. Some resilience investments exist purely to satisfy a regulator and produce no revenue protection or efficiency. These should be ruthlessly minimised to the actual regulatory floor, not gold plated by internal risk teams seeking comfort.
“For too long, technology resilience has been measured by uptime and incident counts. The organisations that will outperform over the next decade are those that measure resilience by the revenue it protects, the premium it enables, and the capital efficiency it creates. Resilience is no longer an insurance policy for the business; it is a driver of long-term enterprise value.”
Santosh Pandit
The ten-year arc
The most useful framing for boards is to think about resilience spend across three phases:
- In years one to three, most major resilience programs depress ROIC. Capital deployment runs ahead of NOPAT impact. Boards should expect this and not punish CFOs for it, provided the program has clear milestones tied to business outcomes.
- In years four to six, resilient firms reach an inflection point. Insurance premiums fall; audit costs decline, incident frequency drops, and engineering velocity improves as the architecture stabilises. ROIC moves back to baseline and begins to outperform peers.
- In years seven to ten, the gap widens. Resilient firms enjoy lower cost of capital, command pricing premiums, and win deals their less reliable competitors cannot bid for. They recover faster from the inevitable shocks that hit the broader market. The ROIC differential between resilience leaders and laggards in capital intensive industries is likely to be three to five hundred basis points sustained. That is a meaningful number on a Fortune 100 balance sheet.
The firms that struggle are those that treat resilience as a one-year budget exercise. The benefits do not materialise on that timeline.
Five questions for the boardroom
A practical agenda for the next board meeting:
- Do we know our revenue at risk per hour for our top ten systems, and is that data refreshed every quarter. If not, the rest of the resilience conversation is uninformed.
- What price premium do we capture for our reliability today, and what would we capture if we were demonstrably best in class. If the answer is zero, we are spending on resilience as insurance, not as a growth lever, and the budget should be sized accordingly.
- Where in our estate are we paying twice because we cannot decommission legacy systems. What is the explicit plan and date to turn each one off.
- What is the marginal ROIC of our next resilience dollar versus our next growth dollar. If we cannot calculate this, we are allocating capital by intuition.
- Are our resilience controls accelerating or slowing engineering velocity. If they are slowing it, what is the dollar value of the lost velocity and is the protection worth it.
We must walk the talk. So here is a concrete suggestion.
CEO Tip 2: An exercise for your executive away day
Ask your three lines of defence and your Board to independently place each of the following in a 4×4 heatmap. The X-axis is resilience assessment (very low, low, medium, high). The Y-axis is impact if things were to go wrong (low, medium, high, catastrophic). Place each item in the grid, both status and target.
- Own cyber resilience
- Third party cyber resilience
- Post quantum resilience
- AI attack resilience
- Other operational resilience
See the illustrative example in Picture 1. Note that “high” resilience may not always achieve optimal ROIC. The bottom left corner (where CROs may place A2 to E2) would be symptomatic of someone missing the big picture.

The gap between target and reality will help you prioritise resilience investments while managing the external and internal stakeholders you face as CEO. Once the exercise is complete, it is time to ask the right questions to optimise ROIC. Picture 2 has an illustrative example. Let your intuition prevail.

Closing
Technology resilience over the next decade will not be a binary choice between spending and not spending. It will be a portfolio decision, made under genuine capital constraint, that distinguishes the firms which compound value from those which simply pay an insurance premium. CEOs who treat it as a strategic capital allocation problem rather than a technical hygiene problem will find that resilience moves from a line item to be defended into an advantage to be exploited.
The boardroom conversation should move accordingly. Less about uptime and incident counts. More about revenue protected, premium captured, capital efficiently deployed, and the spread between ROIC and cost of capital ten years out.
Cover image: Andrea De Santis on Unsplash
Disclaimer: All information provided in this article is for general informational and positioning purposes only. It does not constitute legal, regulatory, tax, or financial advice, nor does it serve as an instruction or solicitation for any transaction. Content is provided “as-is” without warranties of accuracy or completeness. Any views or opinions expressed belong solely to the individual authors and do not necessarily reflect the official policy or position of the operator of this website, the authors’ past or current employers, or any affiliated organisations. Readers are solely responsible for conducting their own independent due diligence before taking any action.

