Operational Resilience: How to Build a Program that Works Globally and Protects Your Business
Ashley Goosman, MBCP, MBCI, ARMP
Crisis Manager, Resilience Influencer, 2x Guest Lecturer MIT Advanced Business Resiliency, Chair-Business Continuity & Resilience Network, Speaker, Disaster Empire founder
Operational resilience has become more than just a regulatory requirement—it's become a business necessity. As financial firms and corporations face growing threats, from cyberattacks to supply chain disruptions, the need to build resilience across the entire organization has never been clearer. The challenge? Regulations are piling up, and they aren’t the same everywhere.
If you’re operating across borders, you’re likely grappling with a patchwork of frameworks—DORA in the EU, the Basel Committee’s principles, and guidelines from regulators in the US, UK, Canada, Singapore, Australia, and beyond. But here’s the thing: while the details differ, the core message is universal. Resilience is about protecting critical services, minimizing harm to customers, and keeping operations running no matter what comes your way.
So, how can businesses create a resilience program that checks all the boxes, aligns with global standards, and delivers real value? Let’s break it down.
The Big Picture: Key Regulations Driving Resilience
Before we dive into the how-to, here’s a quick overview of the regulations shaping operational resilience around the world:
While the nuances vary, the message is loud and clear: resilience must stretch across departments, suppliers, and technology ecosystems.
How to Build a Strong Operational Resilience Program
1. Identify Critical Business Services
Step one is figuring out what matters most. Not every process or product is critical, but certain services—like payment processing, trading platforms, or customer data management—are essential. If they go down, the ripple effects can be massive.
What to Do: Map out your most important services from end to end. This means identifying the technology, people, and third parties involved at every stage. The Bank of England calls these “important business services,” but the principle applies everywhere.
2. Set Impact Tolerances
Operational resilience isn’t about preventing every disruption—it’s about understanding what you can (and can’t) afford to lose. Impact tolerances define how long a service can be offline before it causes serious harm to customers or the market.
What to Do: Develop clear metrics around downtime, data loss, and customer disruption. How long can you operate with reduced functionality? What’s the tipping point? Regulators, like the FCA, want firms to quantify this risk and set hard limits.
3. Run Scenarios and Stress Tests
You won’t know how resilient you are until you put your systems to the test. Regulators across the board—whether it’s APRA, MAS, or the Federal Reserve—expect firms to simulate disruptions and evaluate their response.
What to Do: Design scenarios that test your ability to handle severe but plausible events. Think cyberattacks, third-party outages, or a natural disaster wiping out a data center. Regularly run these tests and adjust based on the results. Pro tip: leverage software to automate this process and help you identify any issues.
4. Manage Third-Party Risk
Firms increasingly depend on third parties for everything from cloud services to payment processing. This is a major vulnerability. DORA, APRA, and the PRA all emphasize managing third-party risks as part of the broader resilience strategy.
What to Do: Review your key vendors and map how their disruptions could affect your operations. Build resilience into contracts and conduct regular audits to ensure their capabilities align with your impact tolerances.
5. Strengthen Governance
Resilience starts at the top. Regulators like the Basel Committee and HKMA want boards and senior leadership to take accountability for operational resilience. Without that, efforts can fizzle out at the departmental level.
What to Do: Establish clear governance structures with designated roles and responsibilities. Ensure operational resilience is a recurring agenda item for senior leadership and board meetings. Pro tip: Establish a governance committee and work group of key stakeholders to ensure ongoing engagement and buy-in. Pro tip: Design a program that is flexible enough with minimum standard requirements, enterprise or firm-wide, that can pivot to fit the needs of specific regulators.
6. Embed Resilience into Technology
Resilience shouldn’t be something you bolt on after the fact. Firms need to bake it into their technology from the ground up. DORA mandates robust ICT risk management, while Singapore and Hong Kong focus on resilience by design.
What to Do: Build redundancy into critical systems, ensure data is backed up across regions, and develop failover strategies. Cyber resilience must be part of your tech DNA, not an afterthought.
7. Communicate with Customers
When things go wrong, silence isn’t an option. Transparency can protect your reputation and prevent a customer exodus. The PRA explicitly encourages firms to prioritize customer communication during disruptions.
What to Do: Develop communication plans outlining how to notify customers, regulators, and stakeholders during a disruption. Be clear, be honest, and update regularly. Pro tip: Partner with your internal communications team and external crisis communications vendor, if available, to develop targeted messaging for various scenario types.
8. Commit to Continuous Improvement
Operational resilience isn’t a one-and-done deal. The threat landscape changes constantly, and so should your resilience framework.
What to Do: Revisit and revise your resilience strategy at least once a year. Learn from past incidents and update impact tolerances as your business grows. Pro tip: Shift your BCM's BIA and tech's AIA to a yearly cadence, if they aren't already, to maximize the availability of risk assessment and dependency data.
Why This Matters Beyond Compliance
Operational resilience is a regulatory requirement, but it’s also a competitive advantage. Customers trust organizations that can weather disruptions, and investors favor organizations with robust risk management frameworks. Going beyond the bare minimum, you position your company as a leader—not just a survivor.
The Bottom Line: Operational resilience protects more than just your systems—it safeguards your reputation, customer trust, and long-term growth. And that might be the best investment you can make in today's volatile environment.
For more insights on crisis management and resilience, follow me on LinkedIn. Together, we can build a stronger, more secure future for your enterprise.
DORA Register & Risk management tools by DAPR | BD | Strategy | Project management | Sales | Marketing | Communication | PR | Networking
1 month Ashley Goosman, MBCP, MBCI, ARMP your community and yourself might be interested in discovering our software for building the DORA register of information. Visit https://doraregister.io/ to explore our automated tool for meeting ICT services providers contract requirements. You can also DM us and our team will be happy to schedule a demo. #DORA #DORAregister #ICT #ICTsecurity #cybersecurity #compliance
Founder and CEO, ORP2b I Marketplace for Risk & Resilience, Cyber Security & Transformation I RegTech & GRC I Board Advisor I Mentor
1 month Thanks and I fully agree with the concerns about this becoming yet another “regulatory compliance focused tick-in-the-box” exercise. We are cautioning a number of our clients on this aspect as they consult with us on this topic. What I don’t see being discussed and emphasized visibly enough is what are the critical considerations for board and senior management to take on board as they endorse the Operational Resilience programmes and what are the trade-offs they need to factor into their decision making. Wrong advice given on the back of a regulatory compliance driven viewpoint will have consequences when the events/incidents hit the firm and continuity expectations are not met. I remember very clearly that you can’t really claim to be good at Credit/Credit Risk unless you go through a downturn. I would echo the same view as being relevant here because a lot of folks still don’t pay adequate attention given the largely operational nature of the events in question and the perceived lack of linkage with revenue. The learning here will be a process, a journey and an outcome of first hand experiences through the type of events in question (99.9% confidence level…???)
Former UK banking regulator, Risk and Compliance professional. Operational Risk, Operational Resilience, TPRM and Regulatory Affairs Consultant and Trainer. Former Chairman IOR England & Wales
1 month Thanks for sharing. A concern I have is that the prescriptive approach adopted to implementing the BCBS principles in the UK, and the voluminous DORA in the EU for ICT resilience, will again encourage a risk compliance approach. Resilience as the outcome of sound ORM is easily forgotten in the efforts to address the mandated regulatory processes.
The Ghostwriter for Cyber CEOs. | Senior Cybersecurity Advisor | Author | Naval Officer | CISSP |
1 month Enjoyed this read Ashley. Good tips for those who have to grapple with these mandates.