Operational Resilience: are you doing all you can?

2019-12-03 |  Ruari Scullion

Change is the only constant in today’s digital era. To be successful, organisations need to be able to change often and change fast. Recognising this, regulators have responded, ensuring the pace of change is not to the detriment of markets and customers.

The term ‘Operational Resilience’ is still new and often gets misinterpreted and misused. The Bank of England coined the term in 2015 to describe a firms’ ability to protect or sustain its critical functions and assets during unexpected disruption to their business.

Financial services organisations have reported a 138% increase in tech-outages and an 18% rise in cyber incidents since 2018, with recent high-profile incidents resulting in material financial and reputational damage and harm to customers.

Demonstrating resilience is not a tick-box exercise. The regulator wants to see that you have a considered approach for managing the resilience of your most important customer-facing services. This blog gives you the 6 key steps to do just that.


We speak to many firms who ask us whether they need to be thinking about Operational Resilience or if it is only an issue for the banking sector.

They are right to ask the question. Regulators are now focusing on insurers and asset managers and how they will demonstrate the resilience of their most critical customer-facing services.

The regulator hopes to improve the way these firms respond to events that disrupt their critical business services and reduce the impact on their customers. However, as with the banking industry, insurers and asset managers have been set the task to determine which of their own services are ‘critical’ to their customers.

This could mean an insurer’s ability to provide emergency road-side support or responsiveness to a devastating flood. For asset managers, this could mean providing seamless, real-time access to investments when unforeseen outages strike.

But the regulator expects that each organisation is different, with different services and so there’s no one-size-fits-all approach that you can follow.


Here are 6 steps you can take to enhance your Operational Resilience:

1. Assess your resilience across all areas of your business.

A common mistake is to focus too narrowly on suppliers, technology and cyber-security while ignoring the importance of other critical areas such as change management, people & culture and strategy.

Many companies use a framework that allows them to assess all relevant areas of their business. The framework should enable you to identify your target resilience maturity and any problem areas that require focus.

To help you, here is our Operational Resilience assessment framework which sets out the key business areas that we recommend clients review to ensure they are as resilient as possible. 

2. Identify and articulate your critical business services to focus investment in the areas that need it most.

It’s easy to fall into the trap of focusing on areas that have traditionally been ‘hot topics’ such as cyber-security. But the regulator expects that your Operational Resilience activity and decisions should support any issues that affect your critical business services.

As such you will want to take the time to identify and map these out before deciding on which areas to focus your time and effort.

3. Prioritise and resolve the most material issues first

Your resilience assessment may highlight a number of areas that require focus and investment, so it’s important that you have a robust process to prioritise the issues that have the most material impact on your customers.

The prioritisation decisions should clearly link to your business-critical services.

4. Mobilise a dedicated team to focus on the right topics for fast and effective progress.

Organisations can often see Operational Resilience as an extension of existing activities in their business, but we’ve found that you’ll achieve the best results with a dedicated team, focused on Operational Resilience.

5. Continually assess and demonstrate your resilience.

Operational Resilience is a process of ongoing assessment, reporting and decision making, not a one-off project or programme.

Several organisations have included Operational Resilience as a standing agenda for their Boards to discuss.

6. Use the right metrics to track performance and enable effective decision making.

It’s important to identify a set of measurable and objective metrics to allow leadership to manage resilience and report progress to the regulator. Getting the right metrics in place and operational is crucial in allowing them to do so.

While there is no one size fits all approach when it comes to demonstrating Operational Resilience, by following these six steps you will be putting your firm in the best possible position to identify, prioritise, and address any resilience-related risks to your business.


As specialists in this space we’ve helped some of the UK’s largest financial services firms become more operationally resilient. Whether you’re at the start of your Operational Resilience journey, or deep into the delivery of your remediation programme, we can help give you the specialist support and guidance you need to ensure you get to the best outcome.

If you’d like to find out more about how we can help you to improve your Operational Resilience, simply get in touch with our consultants.