By Tejas Katwala, Co-Founder, CLDigital
Following the recent Investment Association (IA) webinar, “From Regulation to Reinvention,” the momentum around DORA and UK Operational Resilience has clearly shifted from planning to execution. Our audience—compliance leaders, resilience professionals, and regulators—posed sharp, practical questions, signaling a shared shift toward operationalizing Day 2 resilience.
Here are some of the most important takeaways from the session, including answers to the most pressing audience questions.
What KPIs Should Firms Use to Measure Operational Resilience?
Operational resilience has matured beyond static documentation and into a measurable, evidence-based discipline. Here are 10 KPIs that leading firms are starting to adopt:
- Service-Level Recovery Gap – Measures actual vs. tolerated disruption time for each IBS
- Dependency Volatility Index – Monitors how frequently critical service dependencies change
- Control Effectiveness Rate – Percentage of controls tested that operate as designed under stress
- Incident-to-Resolution Time – Time taken to mitigate and fully close IBS-impacting events
- Testing Coverage Ratio – Percent of IBS, scenarios, vendors, and tech dependencies tested in the last 12 months
- Third-Party Risk Alignment Score – How well third-party contracts and SLAs reflect IBS impact tolerances
- Impact Tolerance Breach Rate – Frequency of test results or live events exceeding set impact tolerances
- Scenario Test Maturity Index – Tracks the completeness, complexity, and learning from scenario libraries
- Resilience Heat Map Accuracy – Precision of operational resilience dashboards in identifying risk clusters
- Executive Engagement Frequency – Number of times resilience KPIs are reviewed at governance or board level
How Should Proportionality Be Applied to Non-Enhanced Scope Firms?
For firms outside the Enhanced scope, proportionality isn’t about doing less—it’s about doing what’s defensible and effective. Key considerations:
- Start with what matters: Identify your truly critical services. Document the rationale
- Focus on relevance over rigor: Instead of exhaustive mapping, use targeted dependencies that impact those services
- Scale testing to your risk profile: Begin with tabletop or walkthroughs before jumping into complex simulations
- Simplify governance: Lean structures can still be documented and reviewed quarterly
The PRA expects smaller firms to be smart, not bloated. The mantra: clarity > complexity
How Often Should Scenario Libraries Be Updated—and Can We Build Them as an Industry?
Scenario testing needs to reflect the changing threat landscape. A good rhythm looks like this:
- Quarterly additions for top-risk services
- Annual refresh of the full library
- Real-time scenario additions triggered by external events or threat intel
As for open-source collaboration:
- Templates could be published by trade bodies (e.g. IA, UK Finance)
- Contribution could be anonymized and aggregated by RegTech platforms
- AI could cluster and de-duplicate scenarios by service, dependency, or threat vector
A shared testing baseline improves sector resilience and speeds response maturity across firms.
Final Thoughts
The direction is clear: regulators want proof that operational resilience is embedded in business-as-usual. That means less policy theater and more live telemetry, tested tolerances, and continuous controls monitoring.
Whether you’re regulated under DORA, PRA, or both, the next phase is about building a repeatable, data-driven resilience engine.
At CLDigital, we’re helping firms move beyond compliance checklists toward integrated, real-time operational resilience. Reach out if you’d like to see how.
