Operational Resilience: First Stage Complete – Looking to What’s Next

Operational Resilience
4 min read


When I started to write this blog, my first thoughts were on the changing regulatory landscape and how it continues to evolve. I felt that the words I was writing echoed a lot of the things we were reading. I’m here to tell you that no matter how predictable my words are, I can concur that statement is 100% true. Even as someone in the industry, it still is amazing what things you come across in your day-to-day life that validate it.

This was my sentiment when I found out about the proposed Financial Services and Markets Bill in the Queen’s speech 2022. While it’s not entirely surprising that the UK may have an equivalent to the Digital Operational Resilience Act (DORA), this comes just as firms were required to outline operational resilience steps. This also revokes the EU law and provides a regulation that is specifically designed for the UK.

The purpose for the new legislation is to allow companies to take advantage of ‘the opportunities of innovative technologies in financial services, including supporting the safe adoption of cryptocurrencies and resilient outsourcing to technology providers’. True management of operational risks and resilience require more than just a tick box exercise.

Anyway…back to what we do know and what’s changed. A few months back on March 31st we saw the first hurdle for Operational Resilience come and go—regulated firms needed to identify their important business services and set appropriate impact tolerances. The next deadline in 2025 will require firms to prove they can comply with their impact tolerances and continue to quality test these to ensure sustained compliance. Put simply, operational resilience is the ability for a company to bounce back from disruptions and continue to serve customers, supply products and services, and protect their workforce.

The 2025 deadline for the FCA operational resilience framework applies to all banks, building societies, PRA-designated investment firms, insurers, recognised investment exchanges, enhanced scope SM&CR firms, and entities that are authorised and registered under the Payment Services. Organizations in the above categories should now have an operational resilience strategy in place.

Is Risk Management and Operational Resilience the Same Thing?

Organizations can have a certain level of preparedness around cyber-attacks, system failures and other vulnerabilities. Risk management has some element of predictability. Data and other sources can help us further understand exactly what exposures we have and weaknesses in our process. Operational resilience requires organizations to expect disruption to third-party supply chains and other processes. This is where mapping and understanding your risk beyond your immediate organization is so important.

Why is it Important?

There will always be an element of unpredictability with risk – however organizations can be better prepared for disruption to catastrophic events such as fires, storms, pandemics, network outages, and network disruptions. But you can’t predict the exact time of when an item of hardware may have a fault that the manufacturer was not aware of, the exact time of a cyber-attack, or some sort of event that causes a power outage to your entire office.

Download Infographic: Operational Resilience: 5 Things You Can do to Become Ready for What’s Next

Read the Article: Prepare for What’s Next with Operational Resilience

True Risk Quantification Will Play a Major Role

The current risk environment includes elevated cyber threats, geopolitical uncertainties, supply chain disruptions and sustainability challenges. As organizations continue to adjust to the new ways of doing business, adopting a connected and holistic approach to governance, risk, and compliance (GRC) has become mission critical. These form strong pillars for operational resilience and provide true understanding of your organization's risk management strategy.

I’m sure we can all agree that outdated software applications that don’t speak the same language and point solutions for GRC processes only create more work when trying to understand 1. What data you’re looking at, 2. What does it mean, 3. How to improve/solve the problem.

When working with a siloed approach there is a direct impact on risk visibility and foresight. From what we’ve been hearing from our customers, qualitative risk assessments, such as red, yellow, green heatmaps, also fall short of meeting stakeholder expectations. There’s a need to have all data points brought together in a unified way that can provide decision makers with the tools they need in real-time to drive organisational efficiencies as well as manage their overall operational resilience.

Stay Prepared for What’s Next

Built as an intelligent and interconnected GRC solution MetricStream ConnectedGRC products—BusinessGRC, CyberGRC, and ESGRC empower organizations to take a proactive approach to risk management. This enables them to build and strengthen operational resilience by:

  • Quantifying risk in monetary terms
  • Continuously monitoring controls to check their effectiveness
  • Aggregating cyber risk at the enterprise level
  • Performing financial risk assessments of third parties using Dun & Bradstreet (D&B) content
  • Leveraging the TCFD framework to disclose climate related financial risks, and more

Build your organisation-wide strategy for operational resilience with MetricStream

Interested in knowing how we can help you specifically? Contact us for a custom demo.

Learn more on how you can advance on your GRC journey with MetricStream. Explore Danube—our latest software release.