Operational resilience is a strategic imperative

Operational resilience has emerged as an imperative for financial institutions facing rising technology and cyber risks. Regulators worldwide are prioritizing resilience to ensure continuity of critical economic functions. This regulatory focus accelerated with the EU’s new Digital Operational Resilience Act (DORA) coming into force in 2022.

DORA sets harmonized digital operational resilience standards for financial firms across the EU. Spanning governance, risk management, business continuity, incident response and information sharing, it aims to address the interconnectedness and third-party dependencies that contribute to systemic risks.

Operational resilience refers to an organization’s ability to prevent, adapt to, respond to, recover from and learn from operational disruptions. It enables an organization to maintain critical operations and protect stakeholders even amid adverse events.

The changing risk landscape is driving growing operational resilience imperatives:

  • Digital dependencies on interconnected networks, systems and third-party providers increase exposure to outages and cyber-attacks.

  • Extreme weather, civil disturbances and other external threats can inflict localized damage and widespread disruptions.

  • Cost pressures lead to lean operations with minimal redundancy, increasing vulnerability.

  • New regulations multiply quickly while legacy systems complicate compliance.

  • Disruptive innovation and agile competitors threaten business models reliant on rigid operations.

DORA mandates that EU financial firms implement resilience measures including:

  • Identifying critical business services and setting maximum tolerable downtime.

  • Mapping interdependencies supporting critical services.

  • Implementing comprehensive ICT risk management frameworks.

  • Carrying out testing to validate resilience capabilities.

  • Establishing incident response, continuity and recovery arrangements.

  • Sharing information across entities to identify systemic risks.

  • Overseeing ICT third parties through audits and contracts.

Beyond compliance, organizations can derive strategic advantages by focusing on three pillars:

  1. Anticipate - Prioritize risks through business impact analysis, risk assessments and early warning indicator monitoring.

  2. Prevent - Minimize the likelihood of incidents through robust controls, training, and business continuity preparations.

  3. Respond and Recover - Limit impact through response plans, redundancies, and fail-safes. Recover rapidly after disruptions.

Leading practices for embedding operational resilience include:

  • Establishing operational risk governance under the board and risk committees.

  • Fostering an operational risk and resilience culture through policies, training and incentives.

  • Conducting resilience testing encompassing realistic company-wide scenarios.

  • Implementing automated monitoring and control measures based on key risk indicators.

  • Collaborating with regulators, industry forums and public-private partnerships on systemic risks.

  • Incorporating resilience requirements into third-party contracts and oversight.

  • Capturing and analyzing internal and external loss data to refine risk management.

  • Reviewing and updating strategies and response capabilities regularly.

While demanding, making operational resilience core to the organizational culture will pay dividends in competitive advantage and stakeholder trust when the next crisis hits. Financial institutions that align investments to meet EU regulations can further position themselves at the frontier of resilience.

DecideWright is a UK-based consultancy that delivers solutions in the areas of Strategy Execution and Enterprise Performance Management, Enterprise and Operational Risk Management, Operational Resilience including DORA and Measurement & Metrics, including KPIs & OKRs.
