Operational Resilience Beyond Compliance

Contributor: CLDigital

By Tejas Katwala

Operational resilience is no longer a niche control discipline sitting quietly beside compliance, cyber, and business continuity. It is becoming a defining measure of whether an organisation can continue delivering critical services, protect customers from harm, and sustain trust when disruption occurs. In financial services especially, resilience is no longer judged by whether firms have policies, playbooks, and governance forums in place. It is judged by whether they can keep the things that matter most running, or recover them quickly enough when they fail.

That shift matters because the debate has moved on. The question is no longer whether operational resilience belongs on the regulatory agenda; it clearly does. The more important question is what kind of resilience firms are actually building. Some are still approaching it primarily as a compliance exercise: mapping services, documenting dependencies, setting tolerances, and preparing evidence for supervisors. Those steps are necessary, but they are not the destination. The real objective is to build resilience as an enterprise capability, embedded in how the organisation is designed, governed, funded, and run.

This is the difference between compliance-led resilience and capability-led resilience. Compliance-led resilience focuses on demonstrating that the framework exists. Capability-led resilience focuses on whether the organisation can absorb disruption, adapt under pressure, continue serving customers, and recover with discipline. One is centred on regulatory sufficiency. The other is centred on operational reality.

Current state: four regulatory models, one direction

In the UK, operational resilience is already in its supervisory execution phase. The FCA defines it as the ability to prevent, adapt and respond to, and recover and learn from operational disruption. In-scope firms had until 31 March 2025 to complete the mapping, testing, remediation, communications planning, and investment needed to remain within impact tolerances for important business services. The UK has also gone beyond firm-level obligations into direct oversight of critical third parties, with the new CTP rules effective from 1 January 2025 and designed to apply once HM Treasury designates the providers in scope.

The EU has taken the clearest statutory route through DORA. The regime has applied since 17 January 2025, requires firms to strengthen ICT risk management and continuity, and makes the management body responsible for defining, approving, overseeing, and ultimately bearing responsibility for ICT risk. DORA also extends the resilience conversation beyond the firm by creating an EU-wide oversight framework for critical ICT providers. That oversight is now live: the ESAs designated the first critical ICT third-party providers in November 2025 and continue to coordinate supervisory activity across the Union.

Canada is moving in a similarly serious direction, but with a broader operational lens. OSFI’s Guideline E-21 says operational resilience assumes disruption will happen and focuses on response and recovery across critical operations end to end. The final guideline was published in August 2024, with full adherence and operationalisation expected by 1 September 2026. By that point, institutions are expected to have completed identification, mapping, and tolerances for disruption of critical operations, and they are expected to complete testing of all critical operations by 1 September 2027. Just as importantly, OSFI is now pushing accountability more explicitly upward: in January 2026 it consulted on a senior leader regime built around responsibility maps, board-approved accountability frameworks, and senior attestations.

Compared with the UK and EU, the US approach remains more guidance-led and distributed across supervisory guidance, third-party risk management, and public-company governance requirements. The Federal Reserve defines operational resilience as the ability to deliver operations, including critical operations and core business lines, through a disruption from any hazard. Interagency third-party guidance applies stronger oversight where a relationship supports critical activities, including activities that could create significant customer impacts. And for public companies, SEC rules now require disclosure of management’s role in managing material cybersecurity risks and the board’s oversight of those risks. That does not create a single DORA-style regime, but it still pulls resilience into governance, customer impact, and third-party oversight.

Taken together, these four models point in the same direction. Operational resilience is no longer being treated as a narrow business continuity problem or a second-line documentation exercise. It is increasingly being tied to governance, customer outcomes, third-party dependencies, live testing, and the ability to prove that critical services can survive real disruption.

What operational resilience should mean to leadership, boards, and customers

For leadership, operational resilience should mean protecting the firm’s ability to continue delivering its most important services under stress. That makes it a strategic and capital-allocation issue, not just a control issue. DORA ties resilience directly to management-body responsibility and budget. The UK rules required firms not just to map and test but to make the necessary investments to operate consistently within impact tolerances. OSFI makes senior management ultimately accountable for establishing the resilience approach, resourcing it, and reporting to the board. In other words, leadership should not be asking only whether the framework exists. It should be asking where the firm is fragile, what dependencies are concentrated, what can fail without intolerable harm, and what needs to be funded now so a disruption does not become a customer event later.

For boards, operational resilience should mean governing trade-offs. Boards do not need to run incidents, but they do need to challenge whether tolerances are credible, whether management information is usable, whether substitutions and exit routes really exist, and whether the organisation is investing early enough in resilience rather than paying for fragility after failure. That direction is becoming explicit across jurisdictions: DORA puts ultimate ICT-risk responsibility on the management body; OSFI’s proposed accountability framework would require board approval and annual assurance; and SEC rules make cybersecurity governance and board oversight a visible part of public-company disclosure.

For customers, operational resilience is much simpler than the regulatory language suggests. It means access to accounts, payments, claims, servicing, and support when systems are under pressure. The FCA is explicit that disruption to important business services can leave customers unable to access accounts or pay bills, and it expects firms to plan how they will communicate with customers when services are disrupted. That is why resilience is not really measured in frameworks. It is measured in whether the customer experiences continuity, clarity, and workable alternatives when the organisation is under stress.

Where operational resilience is headed

The first clear trend is that resilience is moving from implementation to evidence. In the UK, the transition period is over and the FCA has said its supervisory focus is shifting toward resilience by design, learning from incidents, and ongoing scenario testing. In the EU, DORA has moved from rulebook to live oversight. In Canada, the next milestones are full operationalisation and testing. The broad supervisory direction is unmistakable: do not just show that a framework exists; show that the service can stay within tolerance or recover fast enough when a severe but plausible disruption actually happens.

The second trend is that resilience is moving from firm-level control to ecosystem oversight. The Bank of England’s own toolkit now spans collective action, sector-wide exercises, third-party oversight, and cyber and operational resilience stress testing. It is explicit that some third parties become so critical that no single firm can adequately monitor or manage the systemic risk alone. The January 2026 UK-EU memorandum on critical third-party oversight points the same way, as does DORA’s EU-wide oversight framework for critical ICT providers: shared dependencies require shared supervision and stronger cross-border coordination.

The third trend is that AI is becoming a resilience issue, not just an innovation, conduct, or model-risk issue. The FCA has already clarified that operational resilience requirements include a firm’s use of AI where AI supports an important business service. The Bank of England is now monitoring the systemic implications of wider AI use, including common model weaknesses, cyber threats, service loss, and the possibility of future operational resilience stress testing focused on AI-enabled threats. In the US, New York DFS has warned that AI can intensify cyber risk, social engineering, and third-party supply-chain vulnerabilities. And in Canada, an OSFI-sponsored financial stability workshop in December 2025 highlighted third-party concentration of AI service providers as a significant threat to operational resilience.

Where it needs to head

The next leap should be from regulatory architecture to operating architecture. Real resilience is not just a map of dependencies or a completed self-assessment. It is degraded-mode operations that actually work, manual workarounds people can really use, credible exit strategies, clear crisis decision rights, and testing that exposes design weakness rather than validating a script. Regulators are already pointing in that direction. DORA requires continuity, recovery, testing, auditability, and exit arrangements for ICT services that support critical or important functions. OSFI expects institutions to view critical operations end to end across people, technology, processes, information, facilities, and third parties. US interagency guidance expects contingency planning for transitions where critical third-party arrangements fail.

It also needs to move from ownership by risk and compliance alone to shared ownership across business leadership, operations, technology, procurement, and customer-facing functions. OSFI explicitly assigns accountability not only to senior management but also to business and central functions. The FCA has described the strongest firms as those whose boards engage with resilience as a strategic priority and whose product design incorporates resilience from the beginning rather than bolting it on at the end. That is the right model. Risk and compliance should orchestrate, challenge, and evidence. But resilience itself is built through service design, architecture, staffing, vendor choices, and incident leadership.

That is why the real distinction is not between compliance and non-compliance. It is between compliance-led resilience and capability-led resilience. The first produces documentation. The second produces continuity. The first asks whether the framework meets the rule. The second asks whether the organisation can withstand disruption without failing its customers, its obligations, or its own strategy.

And that is where the future debate really sits. Operational resilience may begin as a regulatory requirement, but it is increasingly being framed by regulators themselves as something bigger: a driver of trust, customer service, competitiveness, financial stability, and even strategic advantage. The FCA now says operational resilience is more than a regulatory requirement and fundamental to competitiveness, customer service, and financial stability. OSFI has gone further and described resilience as a strategic advantage that can support growth. Compliance may start the journey. It should not define the destination.

Selected Sources

United Kingdom – Operational Resilience

European Union – Digital Operational Resilience

Canada – Operational Risk and Resilience

United States – Operational Resilience & Cyber Governance

  • Federal Reserve. Operational Resilience Supervision and Regulation Resources.
    https://www.federalreserve.gov/supervisionreg/topics/operational-resilience.htm
  • U.S. Securities and Exchange Commission. Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rules.
  • Federal Reserve, Office of the Comptroller of the Currency, and Federal Deposit Insurance Corporation. Interagency Guidance on Third-Party Risk Management.

Cross-cutting Topics Referenced

  • AI governance and operational resilience considerations – Financial Conduct Authority AI Update Papers.
  • Cyber and systemic operational resilience – Bank of England Financial Stability work on operational resilience.
  • AI risk in financial services – New York State Department of Financial Services guidance and supervisory insights.
