Are you confident in meeting financial services operational resilience demands?

With 2025 regulatory deadlines looming, firms need to present a clear picture of their resilience capabilities – but do they have the technology to achieve this?

Financial services firms face significant threats from cyber-attacks, system outages, and supplier failures, as well as natural hazards such as severe weather and pandemics.

Operational resilience, or recovering and maintaining services despite disruption, has become an essential capability high on boards’ priorities. And, with global regulations around operational resilience continuing to evolve, demonstrating that resilience has also risen on firms’ agendas.

In the UK, firms must comply with PS21/3: Building operational resilience by 31 March 2025, while the EU’s Digital Operational Resilience Act (DORA) comes into effect even sooner on 17 January 2025. And, more regulations are on the way across the world.

The immediate challenge for firms in meeting these compliance deadlines is to gather and present resilience data from across multiple functions of their organisations – often on a global basis.


The current resilience technology landscape

Regulations demand a holistic approach to resilience. DORA, for example, expects companies to follow rules for the protection, detection, containment, recovery and repair capabilities against incidents, including incident reporting, operational resilience testing and third-party risk monitoring.

Yet software tools tend to reside in different parts of the firm, such as risk management, service mapping, business continuity management, third-party risk management or crisis management. These tools are typically not integrated, preventing firms from gaining a complete and accurate picture of their strengths, and importantly, gaps.

Firms have been proactive in testing various approaches to address lack of interoperability, including manual spreadsheets, building in-house tools, or partnering with vendors. However, these tactics are not enough to enable the level of data sharing and analysis needed to meet current and evolving regulations.

We see three key technology challenges to overcome:

1. Varied regulatory terminology: Although regulators are broadly aligned around desired resilience outcomes, terminology can vary. For instance, DORA uses the expression “critical or important functions”, the UK’s PS21/3 refers to “important business services”, and APRA (The Australian Prudential Regulation Authority) talks about “critical operations”. This hinders tools from capturing and presenting data in a way that satisfies different regulatory requirements.

2. Fragmented data model: In many firms, data is fragmented across different systems, with varying levels of quality. These systems lack a common data source, and have multiple fields for entering data, which differ from each other. Consequently, the data model struggles to achieve consistent resilience data, and lacks a clear view of how firms detect, manage, and report on incidents.

3. Interoperability of multiple systems: Almost every tool on the market can connect to the rest of the technology environment through application programming interfaces (APIs). But, when different parts of the firm use different tools, they are likely to duplicate each other as part of competing data ecosystems, which can add unnecessary costs and inefficiencies.


What should firms look for in resilience tools?

Software tool providers are starting to design their platforms in similar ways, with a central lifecycle for end-to-end resilience requirements, and accompanying dashboarding, governance and audit trails. When selecting a tool, firms should be looking for enhanced “modules” to address specific requirements and challenges, notably:

1. Digitally-enabled scenario testing: To gain confidence in resilience programmes, regulators are seeking an increased number of scenario tests, which are more sophisticated and involve the wider ecosystem. This requires resources that can access, gather and analyse the data, and complete the tests on an ongoing basis. Tools and ‘golden source’ (accurate and reliable) data should make testing simpler, faster, and more effective. They also help enable ‘humans in the loop’ testing (a blend of machine learning and human algorithm training), to drive simulation exercises and identify issues or vulnerabilities.

2. The register of information: Tools are well suited to this DORA-specific requirement – effectively a data repository of 15 templates. A tool lets users gather the data from anywhere, regardless of terminology, and mirror it within a bespoke area, with appropriate controls and oversight to help ensure its accuracy.

3. Incident reporting: Another DORA requirement is to swiftly report on notifiable events during a disruption. Firms must monitor and collect specific data, which likely resides in multiple locations. The data should then be managed within a workflow to ensure it can be analysed within required reporting windows and issues are identified.


Compliance as a foundation for improved resilience

Given the immediacy of the deadlines, firms may be tempted to meet regulatory demands through a short-term, tactical, manual approach. However, automated tools offer a more sustainable and effective solution, providing a solid platform for future reporting, integrating data collection and analysis across the entire firm.

The business case for tools should include an initial capital investment, forecasted reduced operating expenditure, and improved outcomes. But tools are much more than a route to compliance – they can also enhance data quality and produce a single, up-to-date view of the truth. This means tools can help enable firms to quickly identify and recover from disruptive shocks and maintain services to customers, ultimately delivering value and preserving their reputation.

Disclaimer: The views reflected in this article are the views of the author and do not necessarily reflect the views of the global EY organisation or its member firms.
