
In the years following the 2020 COVID-19 pandemic, many companies revisited their operational resilience scenarios and adopted a new mantra: "Building is easy. Running is hard."
From geopolitical instability to climate disruption, supply chain fragility, cybercrime and the weaponization of information, today's global risk environment is increasingly non-linear and unpredictable. Institutions no longer face isolated events, but, rather, a convergence of stressors that can cascade across systems, borders and business lines. Scenarios, moreover, are layered and often concurrent.
Tania Badea-Nirin
Considering all these factors, resilience today is less about resisting shocks and more about absorbing them and recovering with purpose – especially in the financial sector. So, what will be the resilience mantra for the next decade?
That’s hard to say, but it’s obvious that conventional linear frameworks are no longer sufficient. Financial institutions clearly must move beyond risk controls and key performance indicators, and should instead look at complex operational risks through a systemic, multi-layered prism.
When developing a comprehensive operational resilience framework, the second line of defense at your organization should keep three truths in mind:
1. Resilience Requires Context
Before defining impacts, tolerances or testing failover, organizations should place resilience in its specific business context. Understanding your company’s assets and their interdependencies will shape your risk exposure: internal, external, digital and geopolitical.
Operational teams often drown in the complexity and urgency of day-to-day requests, incident management or the rollout of new programs. These challenges will vary, depending on the type of business you are running.
For example, while a private bank is likely to prioritize data confidentiality and customer accessibility, a high-volume car leasing company needs to ensure real-time vehicle availability and billing. Resilience goals should therefore be anchored in the business in which you operate and your promise to customers.
It’s important to remember that a service can be disrupted not just by a technical failure but also by a combination of cloud dependency, local regulatory restrictions and regional instability. Consequently, firms need to map how resilience expectations differ or may evolve across jurisdictions and regulators. A retail bank headquartered in Europe, for example, needs to meet the requirements of the EU’s Digital Operational Resilience Act (DORA) – while facing different regulatory expectations from local regulators for its Asian or American subsidiaries.
Complicating matters further are emerging risks and geopolitical fragility, which must be integrated into day-to-day risk analysis and decision making. Geopolitical fragmentation increases exposure to a range of disruptions, including sanctions, supply chain decoupling and regulatory divergence across jurisdictions.
When building resilience, technology and climate change are among the other factors that need to be considered. AI and autonomous systems have introduced new risk vectors with blurred accountability. The climate crisis, meanwhile, has yielded more frequent and severe events, disrupting infrastructure, mobility and resource availability.
Overlapping disruptions can be anticipated with the help of horizon scanning – a wide-ranging operational tool that can take the form of a stacked group of operational stress tests, monthly reporting to the board, critical events analysis, or a weekly review of “weak signals/operational impacts” shared by cross-functional units – like risk, IT, purchasing or production.
2. Business Unit and Group Differences Must be Reconciled
Large groups that operate multiple business lines and geographies often struggle to reconcile global consistency with local adaptability. Resilience should therefore be navigated through two simultaneous prisms: the macro (group) level and the micro (business unit) level.
Both layers come with unique regulatory exposures, risk appetites, risk dynamics and operational realities. Whereas the group may seek harmonization, a business unit operating in a high-risk region, or a fast-evolving market, may require a more agile, scenario-driven resilience posture.
These tensions are coexisting forces that must be reconciled. This can be achieved by clarifying the resilience governance model – i.e., who decides, who owns, who tests, and who reports? Toward this end, firms must set up clear lines of responsibility for challenge and escalation across the three lines of defense – 1LOD, 2LOD and 3LOD. Moreover, they must recognize the need for two narratives: one at the group level for oversight and another at the BU level for operational execution.
Coordination of this scale, however, is no easy task. Consider, for example, the varied consequences of the Russia-Ukraine war. Prompted by this event, international companies have simultaneously had to navigate global sanctions (group), national regulations (business units), supply chain breakdowns (operations), and local workforce displacement (human resources).
As you develop your playbooks and perform your crisis exercises, keep in mind that a working resilience governance model is not about perfection. Rather, it’s about coordination under stress, feedback loops and, most importantly, trust.
If the 2LOD is perceived as an administrative control, rather than as a strategic partner, it may be seen as lacking substance – and its recommendations may be ignored. Indeed, if the 1LOD is afraid of losing its grip, it either won't escalate issues or will only do so when it is too late. Without trust, no matrix works.
3. The Operating Model Must be Multi-Layered, with Support from Both Humans and Technology
There is no single, flawless operational resilience methodology. Technology and third parties are often in the resilience spotlight – but the weak link, it seems, is the operating model: i.e., who does what, where, and under what assumptions?
The shift from "business continuity" to "operational resilience" requires moving from process silos to critical business service chains, including all supporting assets. IT capabilities should be aligned with the business needs, and the focus should be on how your business operates under degraded conditions – not just how it restarts. Payment systems, for instance, should be co-prioritized with business leads and IT, balancing risk tolerance with customer expectations.
Speaking of clients, a firm must consider whether its customer service group can operate without full customer relationship management (CRM) access during a cyber incident. Under such a scenario, do your customer service agents have access to alternative solutions (e.g., local client files, manual playbooks and paper procedures) to maintain a minimum level of service? And would your solutions pass an end-to-end testing approach?
To ensure an effective operational risk framework, clearly define your manual fallback options and avoid over-reliance on automation. Do not simply depend, however, on just a few team members – or so-called "resilience champions." Instead, invest in human readiness on a large scale. Remember, technology is essential and at the heart of resilience planning, but no digital platform can replicate people.
Lastly, governance should be used to operationalize accountability, not just document it. For example, major incident or crisis escalation paths should be tested quarterly and integrated into executive key performance indicators.
Parting Thoughts
Many operational resilience plans are perfect on paper, but fragile in execution. They may initially be developed in controlled environments, assuming optimal behaviors, full resource availability and a linear progression of incidents. But today’s operational risk scenarios are stacked, not linear. A holistic response to systemic stress is therefore needed.
The challenge now is to move beyond, "We passed the test, but failed the crisis."
Tania Badea-Nirin is a resilience and crisis management expert in the European banking industry, second line of defense. She has a background in international relations and risk management and is PECB-certified in business continuity (ISO 22301) and risk management (ISO 31000).