Making Resilience Core to Your Operational Risk Strategy - A Guide for Chief Risk Officers
- Operational Resilience
- 31 January 24
Introduction
Banks and financial institutions are on the cusp of a new operational risk paradigm. Technological breakthroughs, new business models, changing customer expectations, macroeconomic conditions, geopolitical developments, and evolving risks and regulations have brought a tectonic shift in the way banks and financial services organizations operate – particularly in the post-COVID-19 era.
The scale of exposure is significant and growing. According to the European Banking Authority’s Risk Assessment Report published in December 2025, operational risk drove an increase of more than €300 billion, or 30%, in EU banks’ total risk-weighted assets over the past year, pushing total RWAs to €10.1 trillion as of Q2 2025. For CROs, this is a direct signal that operational risk is no longer a secondary concern. It is now a primary driver of capital requirements and institutional resilience across the EU banking sector.
How can chief risk officers (CROs) and risk managers rethink ORM to ensure its relevance and effectiveness? How can they revise their approach to best tackle competing risks and priorities? How can they improve organizational preparedness and resilience for what’s next?
Before we explore that, let’s look at how the scope of ORM itself is evolving.
Making Resilience Integral to Operational Risk Management
ORM is not a new concept. It emerged as a formal discipline in the early 2000s when the Basel Committee on Banking Supervision (BCBS) published the Sound Practices for the Management and Supervision of Operational Risk. Over the course of the past two decades, ORM has steadily gained importance as a conventional practice with financial institutions actively identifying and managing operational risks.
Traditionally, ORM involved the process of identifying and assessing risks, defining risk mitigation and remediation strategies, implementing controls, and reporting to the top management and the board. However, with the evolving business environment and fast-moving risks, banks and financial services organizations today are expected to not only manage risks but also ensure operational resilience.
Operational resilience is the ability of an organization to protect and sustain critical business competencies when faced with major operational disruptions. It requires going beyond risk management and business continuity and building the ability to not just prevent and mitigate risks, but to respond to and recover from risk events and also learn from them. The focus is growing on risk preparedness and business continuity, both from regulators’ and organizations’ perspectives. From a practical standpoint, CROs need not undertake a radically different strategy - they can build upon the traditional ORM approach:
- Identify critical functions, tools, and operations
- Record risks related to critical services and set impact tolerances
- Identify, assess, and prioritize risks
- Define risk mitigation and remediation strategies
- Implement controls and assess their effectiveness
- Define resilient business continuity programs and response strategies
- Set operational risk capital requirements as required by relevant regulations
- Continuously assess the effectiveness of the entire program
The Regulatory Perspective
We’ve come a long way since the financial crisis of 2008. The COVID-19 pandemic and the most recent banking crisis served as real-world tests of the risk management programs and operational capabilities of the banking and financial services industry. The post-2008 regulatory efforts have helped the sector establish necessary controls to effectively mitigate risks and stop them from becoming systemic. But there’s still room for more.
From the regulatory standpoint, the line between operational risk and resilience appears to be blurring. Some of the notable developments include the EU’s Digital Operational Resilience Act (DORA), UK BoE/FCA/PRA Discussion Paper “Operational resilience: Critical third parties to the UK financial sector”, Australia’s new prudential standard aimed at managing operational risks and responding to business disruptions, Hong Kong’s Supervisory Policy Manual (SPM) module on Operational Resilience, among others.
In an interagency paper, titled “Sound Practices to Strengthen Operational Resilience,” U.S. financial regulatory authorities, including the Board of Governors of the Federal Reserve System, the OCC, and the FDIC describe operational resilience as an “outcome” of an effective ORM program:
“Operational resilience is the ability to deliver operations, including critical operations and core business lines, through a disruption from any hazard. It is the outcome of effective operational risk management combined with sufficient financial and operational resources to prepare, adapt, withstand, and recover from disruptions.”
In its “Principles for Operational Resilience,” the BCBS has organized the principles in seven categories – governance, operational risk management, business continuity planning and testing, mapping of interconnections and interdependencies of critical operations, third-party dependency management, incident management, and resilient information and communication technology (ICT), including cyber security.
Modernizing the ORM Approach
Today, CROs are not only tasked with risk management activities in the traditional sense but also expected to be abreast of market trends, industry best practices, and regulatory developments, and align their risk and resilience strategy accordingly. It’s time for CROs to rethink their operational risk management program so that it is agile, forward-looking, and resilient.
Here are the key considerations for modernizing the ORM approach:
- Going Beyond the Traditional Risk Types
It's important to go beyond the traditional risk types to include more relevant, recent, and emerging risks, such as economic uncertainty, digital risks, human-factor risks, environmental risks, geopolitical instability, and liquidity crises, among others. Equally important is to understand the interconnectedness among these risks to ensure a holistic and all-encompassing approach.
- Using Predictive Analytics
CROs today can leverage artificial intelligence, machine learning, and advanced analytics for predictive risk intelligence. The data-driven insights can help to quickly identify trends, patterns, and correlations, enabling organizations to effectively mitigate risks and reduce operational losses.
- Leveraging Risk Quantification
Risk quantification, i.e., quantifying risk in monetary terms, can help assess the risk exposure and impact, enabling risk teams to effectively prioritize risks for appropriate mitigation and remediation strategies. It also enables CROs to effectively communicate the risk posture with the executive management and board.
- Creating and Maintaining an Incident Response Playbook
It is also advisable to maintain a playbook that details the response strategy pertaining to different risk scenarios. When faced with a high-velocity risk event, having pre-defined roles and responsibilities, knowing the corrective action and how to respond can go a long way to improve organizational readiness and reduce the severity of impact.
- Implementing Technology-Based Solutions
Today’s fast-moving risks warrant an agile risk and resilience strategy. Technology-based software solutions can support CROs in driving such a program by automating and integrating risk management processes, transforming risk reporting with advanced risk analytics, incorporating autonomous assessments based on asset value and business impact, and providing actionable insights in a timely manner. These tools also help create bandwidth for risk teams to focus on more critical tasks.
Achieving Resilience with Operational Risk Management from MetricStream
Managing operational risks needs to be in line with today’s dynamic risk, regulatory, and economic environment, technological advancements, as well as an organization’s strategic business goals and objectives. An agile and holistic operational risk and resilience strategy requires time, investment, management’s attention, and continuous monitoring. But when done properly, it can transform an adverse situation into an organization’s strategic advantage, enabling them to drive business value.
The MetricStream Operational Resilience solution is purpose-built to support CROs in their efforts to effectively manage operational risks and prepare for potential disruptions. It helps organizations meet complex business needs by automating workflows, driving integration and collaboration, and enabling real-time reporting. By embedding risk management best practices into business continuity planning, it helps boost organizational readiness and resilience.
Request a personalized MetricStream Operational Resilience solution demo to learn how it can help your organization.
Frequently Asked Questions
Operational resilience in financial services is the ability of an institution to deliver critical operations through disruptions of any kind, not just to prevent them.
Where traditional ORM focuses on identifying, assessing, and mitigating risks before they materialize, operational resilience addresses what happens when disruptions occur despite those controls.
Regulatory focus on operational resilience has intensified because risk prevention alone is insufficient against escalating cyber threats, expanding third-party dependencies, and deepening digital interconnectedness.
Emerging risks that operational risk strategies must now address include economic uncertainty, digital and technology risks, geopolitical instability, environmental exposures, human-factor risks, and liquidity stress. Regulators have identified failure to invest in new technologies as a material risk to long-term institutional viability in its own right, placing technology governance firmly within the scope of operational risk rather than treating it as a separate IT concern.
Predictive analytics improves operational risk management by enabling organizations to identify emerging risk patterns before losses materialize, rather than analyzing them after the fact. AI and machine learning applied to operational risk data surface correlations that manual review cannot detect, supporting earlier intervention and more targeted control deployment.
Risk quantification translates operational exposures into financial terms, giving risk teams a defensible basis for prioritizing mitigation investment and communicating risk posture to boards and executive leadership.
An incident response playbook ensures that roles, responsibilities, and corrective actions are established before a disruption occurs rather than improvised under pressure. A maintained and tested playbook reduces response time, limits operational damage, and supports the regulatory reporting obligations that now apply across major jurisdictions.
Technology-based solutions support operational resilience programs by automating risk monitoring, integrating control assessment workflows, and delivering real-time analytics that manual processes cannot replicate at scale.
Regulatory frameworks for operational resilience include the BCBS Principles for Operational Resilience, the EU's Digital Operational Resilience Act, covering approximately 22,000 financial institutions across Europe since January 2025, and the US interagency guidance on Sound Practices to Strengthen Operational Resilience. The UK, Australia, and Hong Kong have issued parallel standards, creating a globally convergent but jurisdiction-specific landscape that CROs must actively track.
Chief risk officers should build ORM programs that are continuous, integrated, and forward-looking rather than periodic and siloed. This requires expanding the risk taxonomy to cover emerging risk types, deploying predictive analytics and risk quantification tools, maintaining tested incident response playbooks, and implementing technology platforms that support real-time visibility.
