
The age of disruption is here. Resilience by design holds the key

By Priya Prakash
Operational resilience is now part of business as usual for the financial services sector. Priya Prakash explains how to look beyond compliance and embed resilience by design while evolving in line with market and regulatory change.

Disruption has become the norm, requiring financial institutions to evolve from reactive crisis management to proactive resilience. From cyber threats and system failures to geopolitical shocks and climate events, the ability to withstand and adapt to disruption is no longer optional – it's essential. 

For example, earlier this year a large retailer suffered from a major data breach after attackers gained entry through a compromised third-party vendor. The attackers remained undetected for months, using stolen credentials to infiltrate the network and then deploying ransomware. This resulted in a complete shutdown of digital operations, delayed shipments, and hundreds of millions in estimated financial losses. This organisation was by no means alone, with up to 50% of UK businesses experiencing a cyber breach or attack last year, with every cyber incident bringing potential for widespread disruption. 

Such events highlight the importance of, and reinforce the need for, effective operational resilience processes: it’s no longer just about recovery, it’s about continuity through disruption. This is where resilience by design comes into play. It is a forward-looking approach that embeds operational resilience into the fabric of your organisation, shifting the mindset from ‘respond and recover’ to ‘anticipate and adapt’.

What is resilience by design?

Resilience by design is the practice of intentionally building operational resilience into the core of a firm’s operations, culture, and technology. It’s not about having a backup plan, it’s about ensuring that important business services can continue to meet impact tolerances – even in the face of a severe disruption.

It builds on the operational resilience principle that service outages and failures will happen. But resilience by design doesn’t focus solely on recovery. It emphasises continuity, adaptability, and learning. Crucially, these elements are incorporated from the early stages of any new processes, systems or policies, including change or transformation programmes.

Operational resilience as a strategic differentiator

While operational resilience is a regulatory requirement under FCA and PRA rules, they’re by no means the only regulators or standard setters with concerns in this space. The Basel Committee on Banking Supervision published principles for operational resilience in 2021, setting global standards. There’s also the EBA, which is leading work in the EU (including the Digital Operational Resilience Act, or DORA), in addition to new and emerging rules in the US, Australia and Hong Kong, among others.

These moves underscore the importance of operational resilience as a strategic differentiator to support the UK Government’s growth agenda and recent Industry Strategy. The Government aims to boost the financial services sector as a key export, which relies on good international alignment. Also, in a globally connected financial ecosystem, disruptions in one region can quickly cascade across borders, amplifying the impact and urgency of building effective operational resilience.

Operational resilience is also a big differentiator in terms of customer trust. Customers expect greater connectivity and convenience over how they access financial services – but they also need seamless, uninterrupted services. This raises the stakes for operational continuity. Financial institutions must be able to modernise their systems, but increasing digital complexity has made systems more interconnected, which also heightens their vulnerability to disruptions. A single failure can significantly damage an institution’s reputation, potentially undoing years of trust.

Areas of challenge and common pitfalls

As organisations continue to develop their operational resilience programmes beyond the 2025 regulatory deadlines, there are recurring challenges to a successful transition to business-as-usual (BAU) operations. For example, many financial services firms don’t have a robust governance structure to support operational resilience implementation. Others lack sufficient oversight from key committees and fail to maintain well-documented governance frameworks – both of which are critical for informed decision-making and accountability.

Effective scenario testing

Scenario testing is another area of concern. Despite the significant regulatory focus, scenario testing is often limited to basic tabletop exercises, with minimal use of sophisticated simulations or stress testing. Scenario libraries also frequently lack clear risk prioritisation and structured testing methodologies.

Third-party risk frameworks

There are also significant gaps in integration between operational resilience and third-party risk management. For example, outsourcing dependencies and vulnerabilities related to important business services (IBS) are often overlooked. Furthermore, many third-party contracts don't include formal exit strategies, leaving organisations exposed in the event of supplier failure. While some progress has been made, third-party resilience remains a critical area requiring stronger integration and more comprehensive contractual safeguards.

These common challenges underscore why embedding resilience by design is so essential. Rather than treating operational resilience as a reactive or compliance-driven initiative, organisations should proactively integrate components such as governance, scenario testing, and third-party risk management into their operational architecture. This ensures that resilience is not just maintained but inherently built into the way the business functions, enabling more agile, informed, and sustainable responses to disruption.

Evolving operational resilience by design

With the regulatory deadlines of March 2025 now behind us, firms’ focus has shifted from compliance to sustained implementation and continuous improvement. To maximise business efficiency and resilience, it's essential to maintain a coordinated approach that aligns regulatory requirements with good practice across the firm.

Five steps to evolve your approach:

1. Move operational resilience to BAU

To embed resilience into BAU, you need to integrate it into your core processes, governance structures, and cultural mindset. This requires clear accountability across the three lines of defence, and you need to embed resilience metrics into your performance monitoring. It’s also important to make sure that teams systematically feed back lessons from scenario testing and incidents into business planning and control environments.

2. Harmonise and deepen integration across key risk domains

As the risk and regulatory environment evolves, a growing number of resilience-related regulations are being introduced at both national and international levels. To navigate this complex landscape effectively, you should identify all relevant regulatory requirements and establish baseline resilience standards. This will help prevent redundant efforts and ensure compliance. It’s also essential to embed operational resilience across interconnected areas, such as cyber resilience, third-party risk, business continuity, Consumer Duty, cloud services, and data resilience, to establish a unified and robust approach.

3. Advance recovery capabilities and scenario testing

You should continue to assess your overall recovery capabilities to ensure they don’t breach impact tolerances. This includes sophisticated scenario testing as a strategic tool to help you explore plausible future disruptions before they occur. Using a combination of trend analysis, expert judgement, and stress-testing to simulate complex, high-impact events will help you take a forward-looking approach, rather than relying solely on historical data.

4. Enhance data quality and governance

Accurate and complete data remains critical. You must ensure you consistently maintain operational resilience data, reflecting any material changes in annual reviews or regular updates.

5. Effective incident management and response

Rather than being a purely reactive function, effective incident management provides critical insights into systemic vulnerabilities, control weaknesses, and operational areas that may have been overlooked. By embedding structured post-incident reviews and root cause analysis into the design of business processes, you can proactively adapt and evolve your controls, systems, and behaviours. This continuous feedback loop ensures that resilience is not bolted on after the fact, but is intentionally built into the fabric of operations.

Focusing on these areas can help you move beyond compliance and embed resilience by design as a strategic, future-ready capability – ensuring you're not only prepared for disruption but positioned to thrive through it.

Most importantly, it’s crucial to remember that resilience by design is not a one-time project – it’s a mindset and a continuous journey. For financial institutions, it offers a path to not only surviving disruption but to emerge stronger, more trusted, and more agile. In a future defined by uncertainty, resilience is the foundation of long-term success.

For insight and guidance, contact Priya Prakash.