
Operational Resilience Focus Areas

Keegan Gwendu, Director, Consulting
04/07/2025

In April, we hosted an operational resilience seminar on the post-transition period, which drew a strong turnout and sparked thought-provoking discussions.

We kicked off by exploring why leading financial services firms are moving beyond simply ticking regulatory boxes. Instead, many are embedding resilience into their core strategies, making a compelling business case for long-term investment in this area.

Next, we examined the strategic considerations that can help shape and prioritise resilience programmes going forward. This opened a rich dialogue about how firms can evolve their approaches beyond the 31 March deadline.

A standout moment was our fireside chat with a regulatory subject matter expert, who shared invaluable insights into post-deadline expectations. The session wrapped up with a lively Q&A, where attendees raised some of their most pressing questions.

We also explored practical steps for shifting from framework development to real-world operational improvements, focusing on how to embed resilience into everyday business practices.

Overall, the seminar delivered timely, actionable insights and clear direction on where to focus next, particularly in the areas of resilience and supplier risk management.

As firms continue to deepen their resilience efforts, our work with clients has reinforced the importance of six focus areas. In the sections that follow, we explore each one in more detail.

Optimising operating models

Leading firms are building efficient operating models that embed the valuable progress made during the transition phase into day-to-day business operations.

Here is a summary of the characteristics we observe in the approaches leading firms are taking to optimise operating models and ways of working.

  1. Conduct an Operating Model Component Assessment
    Review each component of your standard operating model (e.g., governance, organisational structure, processes, people, technology, data, culture) with specific resilience-related questions tailored to your organisation.
    For example: What structure would best support and improve resilience given our business model and growth plans (centralised, federated, or hybrid)?
  2. Define an evidence-based future state
    Invest time to clearly articulate your target future state, providing a rationale for how it will enhance resilience capabilities and efficiency compared to the current state.
  3. Plan the transition
    Develop a phased implementation roadmap that facilitates a controlled migration to the future state while maintaining ongoing resilience capabilities.
  4. Integrate/Improve alignment of related disciplines
    Bring interrelated functions (business continuity, disaster recovery, cyber security, crisis management) closer together through shared processes, governance, and potentially organisational structure. This will support a shift towards organisational resilience with a common language and understanding.

Supplier Risk Management (SRM)

There is an increasing focus on managing the risks associated with third-party suppliers and outsourcing arrangements, with the emphasis shifting from framework development to active risk management.

  1. Design a sustainable SRM framework
    Dig up the road once! Rather than bolting resilience onto supplier management processes developed prior to 2020, use this opportunity to develop comprehensive SRM frameworks that have resilience and risk at their core and accommodate existing and emerging regulatory requirements.
  2. Establish clear resilience ownership
    Assign explicit ownership of supplier resilience either through a dedicated resource or by expanding existing roles to take a holistic view of SRM with a resilience lens.
  3. Implement a targeted, risk-based assurance programme
    Develop a clear work programme focused on reducing supplier risk and obtaining required assurances, including collaborative testing and scenario exchanges.
  4. Leverage collective influence
    Explore industry collective bargaining power and pooled audit approaches to gain meaningful assurances from dominant providers who might be resistant to individual firm requests.

Metrics and reporting

Following March 2025, the emphasis shifts to maintaining tolerances, which necessitates refining metrics and reporting processes to effectively monitor and demonstrate operational resilience to both internal and external stakeholders.

Leading firms are focusing on several key areas to gather a broader range of metrics that support more effective monitoring of resilience.

  1. Important Business Services (IBS) performance
    The ability of important business services to operate within defined impact tolerances, measured through service availability against those tolerances.
  2. Resource pillar performance
    The effectiveness and adequacy of the people, processes, and technology supporting important business services, including capacity, capability, and resilience (holistic assessment).
  3. Third-party/ Supply resilience
    The resilience of critical third-party providers and the supply chain, including concentration risk management and provider performance.
  4. Testing outcomes
    The results and insights from testing programmes, including technical recovery tests, scenario exercises, and third-party resilience validation.
  5. Vulnerability management
    The effectiveness of identification, assessment, and remediation of vulnerabilities that could impact the ability to remain within impact tolerances.
  6. Incident response effectiveness
    The capability of the organisation to detect, respond to, and recover from operational disruptions.
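The first metric above, IBS performance against impact tolerances, is the one most firms end up computing by hand from incident records. The following is an added example, not code from the original article or from Crowe, of how that measurement can be automated. It assumes a hypothetical incident record shape (service name plus start and end timestamps), an impact tolerance expressed as a maximum tolerable duration for any single disruption together with a minimum availability over the reporting period, and a handful of constructed incidents for March 2025; none of these names or figures come from the article. It also covers the failure mode that hand-built spreadsheets usually miss: overlapping incidents on the same service (for example a technology failure and a cyber event running concurrently) are merged so downtime is not double counted, and a service can breach tolerance on cumulative availability even when no single outage exceeds the duration limit.

```python
"""Impact-tolerance monitoring for Important Business Services (IBS).

Added example; record format, tolerance values and incidents are all
hypothetical and constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Tolerance:
    max_disruption: timedelta   # longest single disruption the service may tolerate
    min_availability: float     # minimum availability over the reporting period (0..1)


@dataclass(frozen=True)
class Incident:
    service: str
    start: datetime
    end: datetime


def merge_intervals(intervals):
    """Merge overlapping or touching windows so concurrent incidents on the
    same service are counted once. Works on any sortable (start, end) pairs."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def assess(service, incidents, tolerance, period_start, period_end):
    """Return availability, longest disruption and breach status for one IBS
    over the reporting period. Incidents are clipped to the period so an
    outage straddling a month boundary only counts the in-period portion."""
    clipped = []
    for inc in incidents:
        if inc.service != service:
            continue
        start, end = max(inc.start, period_start), min(inc.end, period_end)
        if end > start:
            clipped.append((start, end))
    merged = merge_intervals(clipped)
    downtime = sum((end - start for start, end in merged), timedelta())
    longest = max((end - start for start, end in merged), default=timedelta())
    availability = 1.0 - downtime / (period_end - period_start)
    return {
        "service": service,
        "availability": availability,
        "downtime_hours": downtime.total_seconds() / 3600,
        "longest_hours": longest.total_seconds() / 3600,
        # Either test failing is a breach: a single long outage, or too much
        # accumulated downtime across several short ones.
        "breached": longest > tolerance.max_disruption
        or availability < tolerance.min_availability,
    }


# Constructed sample data (hypothetical): three services, one reporting month.
PERIOD_START = datetime(2025, 3, 1)
PERIOD_END = datetime(2025, 4, 1)          # 31 days = 744 hours
TOLERANCE = Tolerance(max_disruption=timedelta(hours=4), min_availability=0.995)
SAMPLE_INCIDENTS = [
    # Two overlapping incidents: merged to 09:00-12:00, i.e. 3 hours, not 3.5
    Incident("Payments", datetime(2025, 3, 3, 9, 0), datetime(2025, 3, 3, 11, 0)),
    Incident("Payments", datetime(2025, 3, 3, 10, 30), datetime(2025, 3, 3, 12, 0)),
    Incident("Payments", datetime(2025, 3, 20, 1, 0), datetime(2025, 3, 20, 2, 0)),
    # One 5-hour outage: breaches the 4-hour single-disruption limit outright
    Incident("Card Issuing", datetime(2025, 3, 10, 8, 0), datetime(2025, 3, 10, 13, 0)),
    # One 30-minute outage: well within tolerance on both measures
    Incident("Mobile Banking", datetime(2025, 3, 15, 6, 0), datetime(2025, 3, 15, 6, 30)),
]


def run_example():
    """Assess every service in the sample data; returns {service: result}."""
    services = sorted({i.service for i in SAMPLE_INCIDENTS})
    return {
        s: assess(s, SAMPLE_INCIDENTS, TOLERANCE, PERIOD_START, PERIOD_END)
        for s in services
    }


if __name__ == "__main__":
    for result in run_example().values():
        status = "BREACH" if result["breached"] else "within tolerance"
        print(f"{result['service']:<15} availability={result['availability']:.4%} "
              f"longest={result['longest_hours']:.1f}h  {status}")
```

In the sample, Payments never exceeds the 4-hour single-disruption limit, yet its 4 hours of cumulative downtime in a 744-hour month gives 99.46% availability, below the 99.5% floor, so it is reported as a breach. That is the distinction between "no big outage" and "within tolerance" that a service-availability metric needs to make visible to the board.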

Technology and cyber security

The financial services sector has faced significant challenges over the past year, with failed technology upgrades and severe cyberattacks exposing ongoing vulnerabilities. Effective technology deployment and cyber risk management remain crucial for building resilience, highlighting the urgent need for strategic investment to prevent widening resilience gaps.

Leading firms, through recent self-assessment submissions and ongoing board discussions, are advocating for and securing the necessary investments. They recognise that sophisticated solutions and emerging technologies present opportunities to predict, prevent, and respond to disruptions more effectively and cost-efficiently, coupled with targeted cyber interventions to strengthen defences.

Based on insights from our work, leading firms are adopting some effective approaches to enhance their technology and cyber resilience.

  1. Transitioning to IT resilience by design
    Conducting thorough analysis to understand and deploy IT resilience principles and patterns required for their organisations, being clear on the balance between desired resilience, cost, and performance.
  2. Leveraging existing or new technology
    Identifying and implementing tools that can enhance resilience workflows, facilitate mapping, resilience monitoring, and streamline recovery processes to ensure a robust response to disruptions.
  3. Integrating threat intelligence into resilience frameworks
    Establishing mechanisms to translate cyber threat intelligence into practical resilience enhancements.
  4. Developing ransomware-specific response strategies
    Creating detailed playbooks for ransomware scenarios, including containment approaches, backup recovery processes, communication templates, and decision frameworks for ransom recovery.
  5. Engaging early with external cyber specialists
    Building relationships with external cyber security experts and forensic specialists before incidents occur, with pre-approved contracts and clear activation procedures.

Testing and refinement

At our recent operational resilience event, we posed the following questions to a key stakeholder from the regulator.

  • “As firms have conducted scenario tests for the past two to three years, what are your expectations regarding testing volume, frequency, and maturity going forward?”
  • “How should firms balance the necessity for fresh insights against the risk of 'testing fatigue'?”

We all initially hoped to hear confirmation that we had conducted enough testing to reduce our efforts in this area. However, as the discussion progressed and we listened to the responses to various questions, as well as further testing-related conversations throughout the day, it became clear that the sense of testing fatigue we currently experience stems mainly from a few key issues: the repeated use of the same testing technique (i.e., tabletop exercises), conducting tests in isolation across interrelated disciplines while requiring the same stakeholders to participate, and limited external participation.

So, how are leading firms overcoming this challenge and mitigating the risk of testing fatigue? We have observed some practical approaches.

  1. Conducting integrated cross-disciplinary testing
    Moving beyond siloed testing to exercises that bring together all interrelated disciplines (cyber, business continuity, crisis management, third-party, risk management) in realistic scenarios that test end-to-end resilience.
  2. Incorporating external challenge
    Bringing in external specialists (e.g., cyber experts, testing SMEs) to observe tests and objectively evaluate response effectiveness and decision-making.
  3. Continuing to increase sophistication
    Transitioning from discussion-based exercises to more sophisticated simulation approaches that introduce real-time complications, communication challenges, and realistic decision pressure.
  4. Conducting joint third-party testing
    Establishing collaborative testing programmes with key third-party providers to validate end-to-end resilience across organisational boundaries.

Testing remains the most effective way to assess your response capabilities, and the more you invest in it, the greater assurance you will have that you can respond to disruptions and reduce the likelihood of breaching tolerances.

Dedicated remediation programme

Leading firms are ensuring there is a dedicated and well-funded remediation programme that targets critical vulnerabilities to enhance their resilience posture, complete with a clear path to resolution.

  1. Risk-based prioritisation
    Develop clear criteria for ranking remediation activities based on business impact and likelihood.
  2. Resilience improvement tracking
    Implement transparent mechanisms to monitor and report on remediation status and effectiveness.
  3. Validation process
    Establish independent validation of completed remediation to confirm it effectively addresses identified vulnerabilities.
  4. Link to major IT change
    Implement mechanisms to assess major IT changes for potential resilience impacts, preventing the introduction of new vulnerabilities while existing ones are being addressed.

Key Takeaways

Building on the themes explored during the seminar, we continue to spotlight six core focus areas that have consistently emerged through our work with leading firms across the industry. These areas remain central to helping organisations shift from regulatory compliance to building true operational capability.

We’re seeing a clear trend: forward-thinking organisations are doubling down on resilience, particularly in the six focus areas we covered during the session. Over the coming months, we’ll be hosting targeted webinars and working sessions to deep dive into each of these areas.

If you would like to explore how we can support your organisation, whether in one of the six focus areas or in other aspects of operational resilience, please don’t hesitate to get in touch. 

For more information, please contact Keegan Gwendu or your usual Crowe contact.
