Bend without breaking: operational resilience in 2025
February 2025 | COVER STORY | RISK MANAGEMENT
Financier Worldwide Magazine
February 2025 Issue
The ability to bend without breaking is an ineffable quality that some organisations possess in abundance. In a world of disruption, operational resilience can allow companies to weather almost any storm.
Across sectors and industries, operational resilience – generally defined as the capacity to withstand, adapt and recover from disruptive events – is certainly desirable, particularly given the range of shocks and disruptions that organisations are routinely required to respond to and recover from.
To be operationally resilient, organisations need to have countermeasures in place to deliver essential services, no matter the source of the disruption, whether it be man-made threats such as physical and cyber attacks, IT system outages, third-party supplier failure, or natural hazards such as fire, flood, severe weather and pandemics.
Moreover, the business costs of disruption – whether the result of IT downtime or supply disruptions, among other factors – are considerable. Indeed, a 2023 study by Accenture found that disruptions caused organisations to miss 7.4 to 11 percent revenue growth opportunities, equating to $1.6 trillion.
While natural hazards (which can be prepared for but are largely unpredictable) are significant, it is threats of the man-made variety which organisations must chiefly contend with at the outset of 2025.
According to Surya Vedula, a managing director at Nagarro, the threats facing organisations are evolving and multifaceted, with the four key risk scenarios outlined below requiring immediate and sustained attention.
First, cyber security threats. With increased digitalisation, cyber threats have intensified. Organisations must focus on cyber security resilience as breaches can disrupt core services, compromise data and erode customer trust.
Second, third-party and supply chain risks. Financial institutions (FIs) are more dependent on third-party providers for essential services, from data storage to payments processing. Global tensions can jeopardise supply chains, increasing the cost of delivering services and bringing a risk to business continuity.
Third, geopolitical risks. In a world marred by global conflicts, organisations have to protect themselves against operational and credit risks. This involves deep risk assessments, impact on asset valuations, disruption to market stability and the ability to operate globally.
Fourth, artificial intelligence (AI) and emerging technology risks. With AI and machine learning tools becoming integral to operations, data governance, ethical AI use and technology risk management are now front and centre. This also involves managing the risks around decision-making biases, data privacy and model robustness.
Additional risks identified by Janna Garcia, senior risk advisory manager at Norton Rose Fulbright LLP, include governance and senior management arrangements, organisational understanding of end-to-end critical operations and associated resources and dependencies, as well as the management of a broad range of third-party interactions and contractual arrangements.
“These risk areas point to a common challenge for organisations in an environment of increasing interconnectedness through reliance on technology,” believes Ms Garcia. “Underlying systems, tools, controls and processes can often be developed in siloes, which can lead to underestimated risk tolerances and difficulties managing disruptions that have impacts further than the initial affected service, product or function.”
The importance of operational resilience
Operational resilience is an essential priority in navigating an environment marked by rapid change, stringent compliance standards and high customer expectations. It is a key foundation pillar that empowers organisations to operate seamlessly, manage risks proactively and deliver experiences that are secure, compliant and innovative.
“Together, these areas build a strategic framework that enables organisations not only to meet the dynamic needs of customers but also to stay ahead of regulatory demands and emerging risks,” says Mr Vedula. “By prioritising resilience in product development, leveraging advanced technology for scalability and security, and maintaining disciplined programme management, organisations can adapt swiftly to change, ensuring agility, foresight and continuity in all aspects of their operations.”
That said, despite the impact the risk landscape may have on their operations, a recent report by Everbridge and Atos Unify – ‘The Research Behind Resilience: Why Prioritizing and Investing in Resilience Matters’ – reveals that only 50 percent of organisations’ resilience decision makers felt even moderately prepared to deal with the threats they face.
The report also states that “money is not everything in resilience”, with underperforming organisations almost always spending more on risk and resilience measures than top performing organisations. Top performers spend an average of 10 percent of revenue per year on resilience and risk measures, while the least resilient spend over 18 percent. Thus, it pays for organisations to find a unified solution rather than investing in piecemeal solutions every time a critical event occurs.
“Modern organisations are built on complex business and technology architectures and have multiple interdependencies,” explains Mr Vedula. “The reality is that failures are inevitable and organisations cannot afford to go down in this era of immediacy. Operational resilience ensures that they are equipped to manage disruptions.”
In the experience of Haney Saadah, managing director of risk advisory for Europe, Middle East and Asia at Norton Rose Fulbright LLP, organisations should implement an operational resilience framework that is scalable to achieve continuous improvement across their systems, processes and capabilities.
“People are a key enabler, so deploying a continuous training programme and ramping-up recruitment of skilled personnel as needs require will be critical to long-term success,” explains Mr Saadah. “Organisations should focus on both understanding individual systems and processes, as well as backup plans and recovery options, as they are both important elements of a feedback loop that will drive an effective operational resilience programme.”
Implementing operational resilience
According to Mr Vedula, an effective operational resilience programme encompasses robust risk assessment, interdepartmental coordination and contingency planning. “It is essential to evaluate both individual systems and interconnected processes, as a failure in one area can cascade across others,” he says. “Effective backup and recovery options, such as geographic redundancy and cloud-enabled solutions, help maintain core functions during disruptions.
“Testing and scenario planning are equally critical, ensuring that response programmes are resilient enough to address real-world scenarios,” he adds.
According to Agility Recovery’s ‘Achieving Operational Resilience in the Financial Sector’ report, there are five factors that organisations should focus on when creating a detailed operational resilience programme, as outlined below.
First, IT upgrades. The best way to ensure systems are secure and efficient is by upgrading technology without any delay. Also, it is essential to migrate existing systems to the latest platforms whenever it is necessary. While these upgrades carry their own risks, organisations will stay safer in an unpredictable digital world.
Second, effectively executed digital transformation. It is essential that all organisations effectively execute their digital transformation efforts. Any new system initiatives should undergo risk assessment, with set risk controls in place. For the best results, companies should consider partnering with a technology-focused business continuity solutions provider.
Third, timely board involvement. An organisation’s board needs to be informed immediately when an issue occurs. Communication is the key to a powerful operational resilience strategy. The faster the board knows about the problem, the faster it can set a solution in place.
Fourth, learning opportunities. Unfortunately, many organisations do not have time to learn from a digital mistake. They also do not have a chance to improve their reputation. However, organisations should use the digital landscape as an opportunity to learn about their digital systems and what downtime could mean for their business.
Lastly, conducting a tabletop exercise. This is an effective way of ensuring that everyone in the organisation knows their role and how to act in a different scenario. With planning and training capabilities, employees know exactly how to respond in an emergency, and management can make sure everything is in place to handle the next incident.
“The introduction of an operational resilience regime is the first step to improving operational resilience within organisations, as well as the market more broadly,” adds Mr Saadah. “The journey toward a mature and resilient framework is therefore iterative and likely to evolve, with time, to become more nuanced and prescriptive, as new threats emerge.”
Regulatory expectations
From a regulatory perspective, agencies have shifted their focus toward operational resilience and a stream of regulations has been issued – spearheaded by renowned institutions such as the Financial Conduct Authority, the Central Bank of Ireland, the Hong Kong Monetary Authority, the Monetary Authority of Singapore and the Australian Prudential Regulation Authority – many of which have multiple phases and different effective dates across 2025.
These regulatory efforts are expected to align with the Basel Committee on Banking Supervision’s (BSB’s) ‘Principles for Operational Resilience’ – a widely recognised framework published in March 2021 – and pave the way for organisations to navigate uncertainties, gain stakeholder trust and thrive in a rapidly evolving landscape.
However, despite these guidelines emphasising the need for organisations to prioritise critical business services during disruptions, significant challenges persist, including competing regulatory priorities, resource constraints, contract challenges and difficulties in building a compelling business case for resilience-type investment into systems and controls.
“Regulators are expecting organisations to be able to demonstrate robust planning – including clear documentation of priorities and areas of most challenge, with a set of steps to mitigate potential delays,” suggests Ms Garcia. “Our view is that operational resilience maturity will take time.”
Although specific guidance on certain areas is still outstanding in some jurisdictions, organisations are expected to make a start by reviewing their operations landscape and building a comprehensive understanding of the resources and dependencies of each critical service, and what vulnerabilities might exist.
“Organisations with cross-border clients and operations will often be looking for opportunities to correlate various regulatory standards into an efficient, cohesive global operating framework,” adds Ms Garcia. “While this has clear advantages, it cannot be achieved without recognition and documentation of the specific jurisdictional change requirements, along with what actions will need to be taken to comply. These changes will also need to be reflected in updated policies, procedures, and supporting technology and infrastructure.”
Championed from the top
Given it touches on all core areas of an organisation’s business, in the view of many, including the BSB, operational resilience must be championed from the top. Companies need a guiding hand responsible for reviewing and approving the organisation’s approach to operational resilience, taking into consideration its risk appetite and tolerance for disruption.
“Boards and senior management are pivotal in setting the culture for operational resilience,” concurs Mr Saadah. “Often referred to as ‘tone from the top’, senior leadership will need to communicate operational resilience as a key priority within their risk appetite measurements.
“Some regulators have identified board functions such as a chief operating officer as having a leading role,” he continues. “But it will be up to everyone within senior leadership to play a part in embedding a strong operational resilience culture within the organisation and with external stakeholders, which includes ensuring lessons learned are used to refine the framework.”
Practical steps for an organisation’s upper echelons include informal working groups, specific projects, and allocating sponsors and dedicated staff to assume responsibility for operational resilience and champion it across the organisation, reporting back to the board on a routine basis.
2025 and beyond
At the outset of 2025, the challenges facing organisations, both operational and regulatory, are increasingly stringent. In a world of disruption, operational resilience is the weapon of choice for responding quickly and effectively to evolving risks.
“In the face of increasing global challenges and the complexity of our technological landscape, organisations need to adapt to a variety of unforeseen operational threats,” contends Mr Saadah. “These include supply chain disruptions, workplace reconfigurations and cyber security threats, among others.
“New operational resilience regulations also present an opportunity for organisations,” he continues. “They allow for a more holistic view of risk frameworks and operational arrangements, both internal and external, and to implement measures that can help them thrive in an uncertain and volatile commercial landscape.”
Ultimately, through embedding resilience into every aspect of their operations, organisations can proactively manage risks, swiftly adapt to disruptions and uphold the trust of their customers.
“A comprehensive approach not only enhances the ability of organisations to comply with regulatory requirements, it also positions them for sustainable growth,” concludes Mr Vedula. “As we move forward, the commitment to operational resilience will be a defining factor in their success, enabling them to thrive amid uncertainty and continuously deliver value to their stakeholders.”
© Financier Worldwide
By Fraser Tennant