
Beyond compliance: Future-ready with Op Res 2.0

Eight considerations for financial services firms and Operational Resilience professionals looking beyond March 2025.

Introduction

As firms operating in the UK approach – and move past – the 31 March 2025 regulatory deadline, an opportunity emerges to reflect on progress to date and consider what comes next for their firm amidst the landscape of international Operational Resilience regulations.

Following the publication of the Basel Committee on Banking Supervision’s (BCBS) guidelines for Operational Resilience and the Bank of England’s SS1/21 supervisory statement, firms headquartered (and those with significant operations) in the UK established Operational Resilience Programmes to achieve compliance and meet deadlines.

As other international jurisdictions introduce their own Operational Resilience requirements, firms with global operations face a choice: mobilise compliance-focused, local programmes or establish a forward-looking global framework and operating model for Operational Resilience.

International resilience-related regulations have a common purpose: to develop resilient financial services sectors focused on preserving firm safety and soundness, maintaining market stability and avoiding intolerable impacts to customers and clients. There are local nuances and specific requirements across the global landscape, but these primary objectives are consistent.

So it is that, in a context of constrained resources and industry-wide focus on efficiency and productivity, the global approach makes sense for firms.

A globally-consistent Operational Resilience operating model requires an “outcome-focused” approach as a means to address the variety of regulatory requirements, and embed consistency and standardisation.

We have identified eight areas that will set an organisation up for success, whilst enabling flexibility to respond to new and emerging Operational Resilience regulations.

The regulatory view

To thrive beyond March 2025, global regulators expect financial institutions to embrace a holistic approach to Operational Resilience.

That means seamlessly connecting into existing risk and resilience systems (e.g. Business Continuity, Crisis Management, Cyber, Third Party Risk Management) and aligning them with Important Business Services (IBS) or critical functions / essential operations. It also means sector and industry collaboration, including greater focus on third parties (and beyond), to improve overall system resilience.

Regulators have always been clear. Operational resilience was never about regulatory compliance for the sake of compliance; it is about building a more resilient organisation and industry – and ultimately providing reliable services to customers while avoiding market and firm failures. That will remain true beyond 31 March 2025 in the UK and globally.

Op Res 2.0 – 8 Principles for the Operating Model
 
  1. “Outcome-led” global approach, with a local touch. For firms whose operations span geographies and regulatory regimes, a singular, global Operational Resilience framework drives consistency and standardisation. This should be supported by a common operating model and centred around key framework “outcomes” which account for regulatory nuances.

    For example, regulators require firms to define a range of objectives for recovery and continuity during disruption (e.g. the impact tolerance, service recovery time objective, minimum service level, and maximum data loss among others). A global framework can translate regulators’ requirements into a firm-wide common lexicon, often using a global taxonomy or glossary.

    Focusing on the outcomes that regulators intend and translating that into “how we do things” allows firms to balance competing requirements and stay in line with the spirit of the regulations.
  2. Embed Operational Resilience into the “Business”, with oversight and challenge mechanisms. Operational Resilience operating models are most effective where they i) empower sufficiently senior managers within the business with the authority and insight to influence and make strategic decisions on resilience, and ii) have Operational Resilience ‘champions’ embedded within the business.

    Resilience should be perceived as a business-enabler, a means to ensure the firm will be there for its clients and be a responsible market participant during business as usual – and crucially during disruption. Engaging senior business, first line of defence stakeholders helps to smooth the way – as a sponsor for investment into resilience-enhancing activities and, critically, into the personnel required to deliver those activities before, during and after disruption. Equally as important is an effective second line of defence, acting as the framework and policy-owning function, supported by an engaged and informed third line providing independent assurance.
  3. Harmonise governance across Regions and Divisions. Globally-consistent governance structures drive simplicity and standardisation. These need to account for, and be flexible to, local entity requirements and the firm’s own operating and organisational complexities. Firms differ in their approaches, some leveraging existing governance and risk committees to consider Operational Resilience matters, others creating a standalone Operational Resilience forum, committee or council to provide Board-level oversight. What really matters is that governance structures generate insight and drive decision-making to enable a firm to make strategic and purposeful investment and build resilience in the areas that matter most.
  4. Integrate resilience with other risk management systems. As firms move beyond March 2025, an area of focus for many is incorporating Operational Resilience considerations into existing risk management activities.

    Taking the TPRM lifecycle as an example, firms are using the Sourcing stage to consider supplier redundancy or supplier interoperability for critical third party engagements; or using Due Diligence to explore in greater detail their suppliers’ resilience provisioning through enhanced, resilience-focused questionnaires; or incorporating requirements for joint or shared testing during Contracting.

    Identifying areas of cooperation between resilience and risk systems helps to mitigate disruption before it occurs, whilst continuing to plan on the basis that disruption is inevitable. [1]
  5. Refocus planning and testing on the things that matter most. Many firms, while progressing and planning for their important business services, have simultaneously been maintaining Business Continuity Management programmes and Crisis Management processes to, respectively, help the firm plan for and respond to operational (and other types of) disruption. [2] For some firms, there may be an opportunity to reorientate and simplify resilience planning activity (such as plan development and testing) primarily, if not exclusively, around the services identified by the Operational Resilience programme.

    Practically, the firm might be able to re-focus the Business Impact Analysis (BIA) and Business Continuity Plan (BCP) around those external – and other necessary internal/enabling – services. Consequently, the firm might redirect scarce resources towards advancing their scenario testing (e.g. through digitisation) and preparing plans for those services that are truly important.
  6. Develop meaningful metrics. Consistent and repeatable reporting informs effective investment decision-making for resilience. The best reporting gathers a range of indicators to provide insight into decision-making, and avoids compliance-focused commentary on the progress of services through the identification, mapping, recovery objectives and testing lifecycle.

    As an example, senior managers are more concerned with the findings of scenario stress testing than with knowing the percentage of services subjected to testing. Similarly, reporting that illustrates where a firm is ‘resilient by design’ (or, alternatively, where it has potential vulnerabilities) is more valuable than knowing that all services have been mapped. Metrics and reporting should paint a picture of the ‘state of resilience’ against which senior managers and the Board can take informed decisions about investment, change programmes and overall business strategy.
  7. Leverage technology, whilst recognising its limitations. Technology and tooling can reduce administrative overheads. It can also, in places, be used to digitise and automate particular activities – particularly around mapping and testing important services – or to report on the firm’s Operational Resilience posture. Tooling cannot, however, wholly replace the need for critical thinking by experienced and knowledgeable people who understand how their firm operates and delivers services to clients and customers.

    Operational Resilience was intended to improve the compliance-focused, “tick-box” processes which tooling can, occasionally, inadvertently foster. Firms should use tooling for its benefits and to enable skilled and knowledgeable teams to think critically and challenge assumptions.
  8. Communicate the value. [3] Operational Resilience programmes are most effective where the organisation understands and embraces the benefits of a unified approach to resilience. [4] Firms that embed a culture of resilience often do so by engaging a broad range of colleagues using meaningful metrics, targeted communications, and engaging training and awareness material. These firms will be best placed to deliver on the regulatory requirements but also to react, respond and recover in the event of disruption.

    In the same vein, the ability to communicate externally a clear and consistent narrative on the firm’s approach to, and current state of, resilience will position a firm well. Clients, vendors, third parties and regulators expect firms to transparently communicate before, during and after disruption. Doing so reinforces trust and protects a firm’s reputation during business as usual, but also helps to mitigate negative impacts during disruption.

As we noted in our 2022 article, firms that continually review their programme are those that are best able to sustain momentum and keep Operational Resilience ‘living and breathing’. [5]

31 March 2025 will be a moment to recognise the distance covered to date. It also presents an opportunity for reflection as the implementation period ends and firms seek to embed Operational Resilience into business as usual.

If you’d like to discuss any of the topics covered in this article, please get in touch with the team below.

___________________________________________________________

References:

1. ‘Risk and resilience: bringing risk management and resilience closer together’, Deloitte (February 2025)
2. The services a firm provides which, if disrupted, could pose a risk to a firm’s safety and soundness or the financial stability of the UK.
‘Operational resilience: Impact tolerances for important business services - Supervisory Statement SS1/21’, PRA (March 2022)
3. ‘Resilience Dividends’, Deloitte (November 2024)
4. ‘Moving toward true organizational resilience’, Deloitte (January 2023)
5. ‘Next steps in building operational resilience in financial services firms’, Deloitte (June 2022)
