Building Operational Resilience in Financial Services

Operational resilience within the financial services industry helps to mitigate financial risk and ensure organizational viability.


Predicting operational risk in our interconnected global economy is becoming increasingly difficult, if not downright impossible. And this is particularly true in the financial services sector, which is why operational resilience in financial services has become such a hot topic. 

The global economic environment is uncertain and volatile, with slower economic growth and declining margins. Strategic financial risks such as capital adequacy and liquidity are increasing under external pressures. The geopolitical environment and associated financial impacts are changing day-to-day. And fraud and cyber crimes remain on the rise. 

To counteract this environment, we need to turn our focus away from “predictions” and towards “expectations”, accepting that now and into the future there will be disruptions to operations in the financial services sector. And though we continue to struggle to see what those disruptions may look like, we can still prepare a robust operational resilience strategy to help us manage and overcome any negative impacts.


What is operational resilience in Financial Services?

The UK Financial Conduct Authority (FCA) has defined operational resilience as “the ability of firms and financial market infrastructures, and the financial sector as a whole, to prevent, adapt, respond to, recover and learn from operational disruptions.” 

Let’s look at what this means in practice.

Changing regulatory requirements

Financial regulators, particularly in the UK, are well aware of the importance of a robust approach to operational resilience, especially in light of growing global connections and increasing financial sector complexity. While operational resilience is a relatively new term, regulators now see it as essential because its failure alone could lead to extreme financial volatility.

Because of this, the Prudential Regulation Authority (PRA) and the FCA have been forming an extensive regulatory framework around operational resilience. This new framework, which has been approved and came into force on 31 March 2022, allows operational resilience to be analyzed in a holistic manner. For example, the following can be assessed:

  • Connections between functions, operations and third-party providers that could pose operational risks
  • Cyberattacks and financial frauds that could potentially disrupt financial services organizations, banks, or entire industries or markets
  • Commercial pressures around climate change and the global sustainability agenda
  • Risks arising from the concentration of the market around favored providers

New operational resilience framework

The first year of the new framework, March 2022 through March 2023, is an implementation period where organizations who fall under the framework will be able to start actioning the elements. The ultimate goal is that by 31 March 2025, each organization must be able to ensure that in the event of a disruption, they have the processes, procedures, and strategies in place to ensure their important business services remain within their impact tolerances to operational disruption. As part of that process each organization will need to identify both their “important business services” and their “impact tolerances”.

Defining “Important Business Services”

“Important business services” are a vital part of the regulatory requirements, and are the services that, if disrupted, could cause intolerable harm to a client or clients of that organization or risk the stability, resilience, or orderly operation of the UK financial system or financial markets.

Defining “Impact Tolerances”

The Bank of England defines impact tolerance as, “the maximum tolerable level of disruption to an important business service.” 

This definition accepts that disruptive events will happen to and within an organization. These disruptions then need to be analyzed and quantified to determine the severity and duration of that particular disruption the organization can tolerate. This analysis includes three main steps:

Step 1: Identify the key business services, products, and systems to understand how the particular disruption will impact the overall business viability and the larger market.

Step 2: Set the maximum acceptable downtime for key business services, products, and systems (this is your organization’s tolerance).

Step 3: Implement a process to ensure you can continue to provide core services and stay within your impact tolerances when you face severe disruption. 


Importance of operational resilience in Financial Services

Increasing regulatory activities within the industry, competitive pressure to switch to digital-first business models, transformative technology, and digital tools that are introducing efficiency, but also creating avenues for greater risk, digitized banking and financial operations – these factors all have an impact on an organization’s ability to adjust and recuperate from operational disruptions. 

Forward-looking organizations are focusing on operational resilience with a greater sense of urgency, particularly in light of the key role that the industry plays globally, and the devastating impacts it could have should the industry fail to function well.

Here are a few reasons why banks and financial services organizations should be focusing on operational resilience:

To prepare for inevitable security threats

Rapid digitization and an increasing reliance on third parties, means that financial services organizations are more vulnerable to cyber attacks and frauds, which are on the rise.

To eliminate risks and mitigate their impacts

Building an operational resilience framework helps to protect vulnerable core business functions. Organizations can shift from the traditional “recovery” model and move towards the “mitigation” model, where operational resilience serves to both eliminate and mitigate continuity and disaster risks. 

To integrate a market-wide operational resilience net

When integrated with other actors in the financial services sector and third-party partners, operational resilience becomes a market-wide net that is continuously on the watch for disruptions or shocks, leading to a more agile and reactive system overall. 


How to build operational resilience in the Financial Services sector

Building operational resilience in the financial services sector operates in much the same way as in any other sector, except that the regulatory framework must also be followed:

Step 1: Define your “important business services”

As discussed above, you’ll need to define the “important business services” (IBS) to the operation of your business. This is the first step in undertaking holistic business mapping that aligns your IBS with your overall business objectives, your organization’s risk appetite and your impact tolerances (which you’ll define in the next step). 

A GRC compliance software system, such as TriLine GRC by Ansarada can help you to identify and analyze relational data so you can define your important business services.

Step 2: Define impact tolerances

Defining your impact tolerances is the next step, and as discussed previously, this is a required element of the regulatory framework. From a purely operational standpoint, it also helps you to understand the risks and disruption levels that your organization is equipped to handle and so will inform every subsequent element of your resilience strategy as well as your operational risk strategy in general. 

A strong software solution like TriLine GRC can bring all of these elements together in a compliant, efficient, and effective way. 

Step 3: Map your dependencies 

The financial services sector is highly dependent on third-party suppliers, providers, and outsourcers, as well as on other members of the industry. Mapping these interlocking dependencies is critical to building a resilient business model.

Step 4: Wide-ranging scenario testing

Scenario testing is the next step in developing your operational resilience. In order to have a robust scenario-based testing protocol you need to ensure that you are gathering data from every level within your organization and getting cross-organizational information. This information will allow your risk management teams to understand the weak links in their resilience plan and set protocols to better respond to possible disruptions. 

Step 5: Communication plan

As an organization, you must be able to effectively communicate to both internal and external stakeholders, as well as to the wider industry, in times of crisis, change, or disruption making this an essential part of your operational resilience strategy. To accomplish this, you’ll need to map your stakeholders, so you understand where to focus and how to frame your communications. 

Importantly in the financial services industry, you need to include regulators who will want to understand your impact tolerances and mitigation efforts, which should be included in your plan.

See also: Examples of Operational Resilience



A note on the importance of digital transformation for robust operational resilience

Digital transformation is part of the financial services environment. Banks and other lending and financial institutions are pressured by competition to find new, easier, tech-forward integrations to please customers, and interlocking systems to create more seamless funds dissemination is becoming a central element of the industry. This means new partnerships and new technologies are being introduced every day.

Financial institutions must ensure that all new technologies, partnerships, or digital initiatives are analyzed and reviewed for risk to ensure that the right controls and protocols are in place. These risks could include cyber, information security, business continuity, anti-corruption, and more.

See also: Operational Resilience vs Business Continuity


How a GRC platform helps build operational resilience in Financial Services

Operational resilience in financial services must integrate the management of operational risk with the requirements of the regulatory framework. The TriLine GRC platform helps you do that by:

  • Ensuring you have accurate and timely data visibility to define your important business services
  • Improving the way governance, risk and compliance data is gathered, stored, curated and linked, and then compiling it into a single source for the entire organization
  • Providing you with the data necessary to accurately define your impact tolerances and ensure you’re meeting your regulatory framework requirements
  • Enabling rich scenario testing 
  • Mapping external and internal stakeholders, including all required regulator 
  • Enhancing your communications via fast and accurate reactions to data flows 


Protect your firm from non-compliance

Book a demo of TriLine GRC's Operational Resilience software today.
Book a demo