Operational resilience: Meaning, Criticisms & Real-World Uses

What Is Operational Resilience?

Operational resilience refers to an entity's ability to deliver critical operations through disruption. Within the broader field of risk management, it emphasizes maintaining essential business services even when faced with adverse events such as cyberattacks, natural disasters, or technology failures. Unlike traditional approaches focused solely on preventing risks, operational resilience acknowledges that disruptions are inevitable. Its primary objective is to minimize the impact of such events on an organization's functions, customers, and the wider financial system, ensuring that key services can continue or be restored quickly. Effective operational resilience is crucial for financial institutions to absorb, adapt to, and recover from shocks, distinguishing it from simply managing operational risk.

History and Origin

The concept of operational resilience has evolved significantly, particularly within the financial sector, driven by a series of major disruptions and the increasing interconnectedness of global markets. Historically, focus was largely on individual firm stability through mechanisms like robust capital requirements and siloed disaster recovery plans. However, the global financial crisis of 2008 and subsequent high-profile operational incidents, including significant IT outages and cyberattacks, highlighted the systemic impact that failures at one institution could have across the entire financial system.

This growing awareness led international bodies and national regulators to develop more comprehensive frameworks. In March 2021, the Basel Committee on Banking Supervision (BCBS) published its "Principles for Operational Resilience," which aimed to strengthen banks' ability to absorb operational shocks and operate effectively through disruptive events. BCBS Principles ¹¹, ¹², ¹³. Concurrently, the Federal Reserve Board, the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) in the United States released interagency guidance in October 2020 on "Sound Practices to Strengthen Operational Resilience," applicable to large and complex domestic firms. Federal Reserve Guidance ⁹, ¹⁰. Similarly, the Financial Conduct Authority (FCA) in the UK introduced comprehensive operational resilience policies, with a transition period for firms to implement requirements by March 2025. FCA Policy Statement ⁷, ⁸. These initiatives underscore a shift from mere prevention to building the inherent capacity for organizations to withstand, adapt to, and recover from unforeseen events, reinforcing the importance of robust governance structures.

Key Takeaways

Proactive Preparedness: Operational resilience involves actively preparing for disruptions rather than solely reacting to them.
Critical Services Focus: The emphasis is on identifying and protecting essential business services that, if disrupted, would cause intolerable harm to customers or financial markets.
Holistic Approach: It integrates various elements like people, processes, technology, and third-party dependencies into a cohesive strategy.
Impact Tolerance: Organizations define the maximum acceptable level of disruption to their critical operations.
Continuous Improvement: Operational resilience is an ongoing process of testing, learning, and adapting to new threats and vulnerabilities.

Formula and Calculation

Operational resilience is a qualitative concept rather than a quantitative measure with a single, universally accepted formula. It focuses on capabilities and outcomes rather than a specific numerical calculation. Instead of a formula, organizations assess their operational resilience through a combination of qualitative evaluations, scenario testing, and adherence to regulatory frameworks.

The key components typically involve:

Identification of Important Business Services (IBSs): Pinpointing the core services whose disruption would cause significant harm.
Setting Impact Tolerances: Defining the maximum tolerable duration and extent of disruption for each IBS. This is often expressed in time (e.g., "service must be restored within 4 hours").
Mapping: Understanding the people, processes, technology, facilities, and third-party risk dependencies required to deliver each IBS.
Scenario Testing: Conducting severe but plausible scenario analysis to test the firm's ability to remain within impact tolerances.

While no single formula exists, metrics that might be tracked to gauge aspects of operational resilience include:

Recovery Time Objective (RTO): The maximum tolerable duration of time in which a service or system can be unavailable.
Recovery Point Objective (RPO): The maximum tolerable period in which data might be lost from an IT service due to a major incident.
Mean Time To Recover (MTTR): The average time it takes to repair a failed system or component.
Mean Time Between Failures (MTBF): The average time between system failures.

These metrics, while not forming a single "operational resilience formula," contribute to evaluating an organization's capacity to meet its impact tolerances.

Interpreting Operational Resilience

Interpreting operational resilience involves understanding an organization's inherent capacity to maintain essential functions during times of stress. It's not about achieving zero failures, but about managing the consequences when failures inevitably occur. A highly resilient organization can swiftly respond to, adapt to, and recover from disruptions, ensuring minimal impact on its critical services. This often means having redundant systems, diversified supply chains, clear communication protocols, and well-rehearsed recovery plans.

For example, if a financial firm has an impact tolerance of four hours for a critical payment processing service, its operational resilience is interpreted by its ability to restore that service within or well under that four-hour window during a severe disruption. This involves more than just having a disaster recovery site; it encompasses the people, processes, and information technology infrastructure that enable continuous operation. Effective interpretation also considers how well the organization meets regulatory compliance expectations, as regulators increasingly mandate robust operational resilience frameworks to protect consumers and maintain financial stability.

Hypothetical Example

Consider "Horizon Financial Services," a large investment firm. Horizon identifies its critical trading platform as an important business service (IBS) because its disruption would cause significant financial losses for clients and impact market operations. Horizon sets an impact tolerance for this platform: it must be fully operational within two hours of any severe disruption.

To test its operational resilience, Horizon conducts a scenario analysis simulating a major regional power outage combined with a targeted cyberattack. During the simulation:

Initial Impact: The primary data center loses power, and simultaneously, the trading platform experiences a distributed denial-of-service (DDoS) attack.
Automated Failover: Horizon's systems automatically initiate a failover to a geographically distant secondary data center. This process is designed to take 30 minutes.
DDoS Mitigation: The cybersecurity team deploys countermeasures to deflect the DDoS attack, which takes 45 minutes to bring under control.
Team Response: The operational resilience team, already trained for such events, coordinates with IT and business units. They verify the integrity of the migrated systems and data.
Service Restoration: The trading platform is fully restored and accessible to clients within 1 hour and 15 minutes.

In this example, Horizon Financial Services demonstrates strong operational resilience by recovering its critical trading platform well within its two-hour impact tolerance, showcasing the effectiveness of its planning and response capabilities.

Practical Applications

Operational resilience is a critical concern across various sectors, especially in finance, due to the interconnectedness and systemic importance of financial institutions. Its practical applications include:

Regulatory Frameworks: Regulators worldwide, such as the UK's Financial Conduct Authority (FCA), the Bank of England, and the Prudential Regulation Authority (PRA), have implemented specific rules and guidance requiring firms to enhance their operational resilience. These frameworks mandate identifying important business services, setting impact tolerances, and conducting rigorous scenario analysis and testing. The FCA, for instance, has closely scrutinized how firms responded to recent widespread disruptions, such as the July 2024 CrowdStrike outage, to assess the effectiveness of their operational resilience plans. CrowdStrike Outage Analysis ⁵, ⁶.
Cybersecurity and IT Risk Management: With the increasing frequency and sophistication of cyberattacks, operational resilience strategies integrate robust cybersecurity measures. This includes protecting critical systems, data, and communication channels to ensure continuity of services even during a breach. The New York Department of Financial Services (NYDFS) has updated its cybersecurity regulations to include explicit requirements for firms to maintain incident response plans that ensure operational resilience.¹, ², ³, ⁴.
Third-Party Risk Management: As organizations increasingly rely on external vendors for critical services (e.g., cloud computing, payment processing), managing third-party dependencies becomes vital for operational resilience. Firms must assess and monitor the resilience capabilities of their key suppliers to prevent single points of failure that could impact their own critical operations.
Maintaining Market Integrity: For exchanges, clearinghouses, and other financial market infrastructures, operational resilience is paramount to prevent disruptions that could destabilize markets, undermine investor confidence, and pose systemic risks.
Business Continuity Planning Integration: Operational resilience frameworks often build upon and enhance existing business continuity plans, ensuring they are outcomes-focused and directly support the delivery of important business services within defined impact tolerances.

Limitations and Criticisms

While operational resilience offers a significant advancement in managing disruptions, it has certain limitations and faces criticisms:

Defining "Critical": Identifying "important business services" and setting appropriate "impact tolerances" can be subjective and challenging, especially for complex, interconnected organizations. An oversight in this initial phase can undermine the entire operational resilience framework.
Resource Intensity: Implementing and maintaining a robust operational resilience program requires substantial investment in technology, skilled personnel, and continuous testing. Smaller firms, or those with limited budgets, may struggle to meet the stringent requirements set by regulators.
Testing Complexity: Conducting realistic and severe enough scenario analysis to truly test operational resilience is difficult. Simulating complex, multi-faceted disruptions (e.g., simultaneous cyberattack and supply chain failure) can be technically challenging and resource-intensive, potentially leading to a false sense of security.
Systemic Interdependencies: Even if an individual firm is highly resilient, it can still be impacted by the failure of interconnected entities or broader market infrastructure. The concept of operational resilience at a systemic level, encompassing the entire financial ecosystem, is still evolving. Managing contagion risks, such as those related to liquidity risk cascading through the system, remains a complex challenge.
"Set and Forget" Mentality: There's a risk that organizations might view operational resilience as a one-time compliance exercise rather than an ongoing, adaptive process. Without continuous monitoring, review, and adaptation to evolving threats, the effectiveness of the framework can diminish.

Operational Resilience vs. Business Continuity

Operational resilience and business continuity are related but distinct concepts, often confused due to their shared goal of minimizing disruption.

Feature	Operational Resilience	Business Continuity
Primary Focus	Outcome-based: Ensuring delivery of critical services.	Process-based: Restoring organizational operations.
Scope	Holistic; spans people, processes, technology, third parties. Focus on "important business services."	Broader; aims to keep the entire organization running.
Emphasis	Withstanding, adapting to, and recovering from disruptions. Assumes disruption will occur.	Preventing disruptions and recovering from adverse events.
Measurement	Impact tolerances (maximum tolerable disruption duration/extent).	Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).
Regulatory Driver	Newer, driven by systemic risk and financial stability concerns.	Established practice for organizational stability and risk management.

While business continuity planning traditionally focuses on restoring an organization's internal functions after an event, operational resilience takes a broader view. It asks: "Regardless of what happens, how do we ensure our most important services continue to reach our customers and maintain market functions?" This makes operational resilience a more strategic, outcomes-focused approach that integrates and builds upon elements of business continuity, disaster recovery, and cybersecurity.

FAQs

What is the main difference between operational resilience and traditional disaster recovery?

Traditional disaster recovery primarily focuses on restoring specific IT systems and data after a disruption. Operational resilience, on the other hand, is a broader concept that focuses on the continuity of critical business services, regardless of the underlying cause of disruption, and involves people, processes, and third parties, not just technology.

Why is operational resilience particularly important for financial institutions?

Financial institutions are critical to the economy. A significant operational disruption at one firm can have widespread consequences, affecting customers, other businesses, and potentially threatening financial stability. Regulators are increasingly mandating operational resilience to protect consumers and the integrity of the financial system.

How do regulators measure a firm's operational resilience?

Regulators assess operational resilience by requiring firms to identify their "important business services," set "impact tolerances" (the maximum acceptable disruption time), map the resources supporting these services, and conduct rigorous scenario analysis and testing. Firms must demonstrate they can remain within these impact tolerances during severe but plausible events. This forms part of their broader regulatory compliance.

Does operational resilience mean an organization will never experience an outage?

No, operational resilience acknowledges that disruptions are inevitable. It's not about achieving zero outages, but about ensuring that when disruptions occur, the impact on critical services is minimized, and those services can be restored within defined "impact tolerances" to prevent intolerable harm.

What role does technology play in operational resilience?

Information technology is a crucial component of operational resilience. Robust, redundant, and secure IT systems are essential for supporting critical business services. However, operational resilience also considers the human element, processes, and reliance on external vendors, extending beyond just IT infrastructure.