
Global Regulators Unite: Operational Resilience Takes Center Stage

By Jonathan Shiery, Hoan Wagner

Regulatory agencies across Europe, Asia, and Australia have issued guidelines on Operational Resilience with implementation dates between 2023 and 2025. Spearheaded by renowned institutions such as the Financial Conduct Authority, Central Bank of Ireland, Hong Kong Monetary Authority, Monetary Authority of Singapore, and Australian Prudential Regulation Authority, these guidelines emphasize the need for companies to prioritize critical business services during disruptions.

The objective is to identify critical business services and their points of failure, and devise recovery strategies that prevent intolerable harm to customers, firms, and the market.

Notably, the European Union introduced the Digital Operational Resilience Act in December 2022, further underscoring the importance of operational resilience. Canada's Office of the Superintendent of Financial Institutions is also expected to align its operational risk guidelines with global standards in 2023.

These regulatory efforts are expected to align with Basel's Principles for Operational Resilience, a widely recognized framework published in March 2021.

This concerted global effort paves the way for businesses to navigate uncertainties, gain stakeholder trust, and thrive in a rapidly evolving landscape.

Resiliency executives now have a unique opportunity to lead transformative changes, ensuring the future resilience of their organizations. The era of operational resilience has arrived, demanding their expertise and unwavering commitment.

 

What's New?

Global regulators are aligning on operational resilience, introducing a customer and market-centric business service view of resiliency that integrates the traditionally siloed foundations of resiliency (e.g., enterprise risk management, business continuity, crisis and incident management, and disaster recovery).

Regulations emphasize the board of directors' responsibility in owning firms' operational resilience programs through oversight, integrating resilience into strategic decision-making, and prioritizing investments to enhance the resilience of critical services.

 

Three Areas of Focus for Operational Resilience

Prioritize Critical Business Services

  • Shift focus from individual processes to critical services that are essential for customers and markets
  • Allocate investments strategically to enhance and strengthen these services
  • Integrate risks associated with critical business services into enterprise risk management

Map Assets and Vulnerabilities

  • Identify and map people, processes, information, technology, facilities, third-party service providers, and critical points of failure related to critical business services
  • Gain a comprehensive understanding of dependencies and interdependencies among different business processes and systems
  • Highlight areas of vulnerability, such as third-party risk management

Foster Integration and Interoperability

  • Ensure integration of Business Continuity, Disaster Recovery, and Communication Plans within the Operational Resilience framework
  • Define response plans specific to selected critical business services
  • Establish a cohesive overarching framework that promotes interoperability across all plans

 

What Does This Mean for Your Organization?

This customer-centric approach, supported by regulatory guidance, empowers executives to make informed decisions, prioritize investments, and safeguard critical business services, thereby strengthening the organization’s ability to withstand disruptions and thrive in an ever-changing landscape.

"There is an incredible amount of value in synergies to be realized by integrating the business service lens of the Operational Resilience program with firms' Strategy and Risk Management, where investment and strategic decisions may be informed by risk appetite, tolerance thresholds, and customer impacts."

Hoan Wagner, Director, Financial Services

What Should Your Organization Start Doing?

Operational resilience has become a top priority for global regulators, signaling a shift toward a customer-centric approach. Rather than focusing solely on business continuity and incident management, the emphasis is now on ensuring the resilience of critical business services and their impact on the market.

For executives, this regulatory shift carries important implications:

  • Customer-Centric Focus — Executives must prioritize investments to strengthen and enhance these services, aligning their strategies accordingly
  • Board Responsibility — Executives must work closely with the board to ensure resilience is embedded in the organization's priorities and investments
  • Holistic Perspective — Executives should adopt a holistic view of operational resilience, mapping assets, vulnerabilities, and dependencies across critical business services

"Financial institutions that invest in operational resilience aren't just weathering the storm, but innovating amidst chaos, earning trust, and ultimately in position to win the financial future."

Jonathan Shiery, Partner, Financial Services

How Guidehouse Can Help

As global regulators continue to prioritize operational resilience in the financial sector, it’s crucial for organizations to develop or enhance their programs to comply with regulations and unlock the value of a robust framework. However, this process can be complex and challenging.  

Guidehouse is here to support you on this journey. Our expertise lies in partnering with banks and fintechs to build and refine operational resilience programs. Whether you have questions or need assistance in any of the following areas, we are ready to help:

  • Developing program governance — establishing effective governance structures to oversee and drive operational resilience programs and ensuring alignment with regulatory requirements and best practices
  • Establishing program foundational elements — building the necessary foundational elements of your operational resilience program (e.g., defining critical business services, mapping dependencies, and identifying points of failure)
  • Completing end-to-end service testing — conducting comprehensive testing of critical business services across their end-to-end life cycle
  • Considering enabling technology — exploring technology solutions and tools that can support and streamline your operational resilience efforts

Don’t navigate the complexities of operational resilience alone. Contact Guidehouse today for expert guidance and support. Together, we can ensure your organization is well-prepared, compliant, and resilient in the face of disruptions. 

 

This article is co-authored by Dana Caldwell and Luis Tamara.
