By Ian Wilson, SVP, GRC Business Development, EMEA
If you work in financial services, “operational resilience” is no longer a slogan, it’s a standard with deadlines, board accountability, and measurable expectations.
What regulators want is increasingly clear. In the UK, the FCA and PRA require firms to identify important business services (IBS), set impact tolerances, and by 31 March 2025 demonstrate they can remain within those tolerances in severe but plausible scenarios, with board-approved plans to back it up. (FCA) The PRA’s SS1/21 further details how impact tolerances should be set at the point continued disruption threatens safety and soundness or, for insurers, policyholder protection.
Across the EU, DORA now applies (from 17 January 2025), raising the bar on ICT risk management, incident reporting, testing, and oversight of critical ICT third parties, including registers of information for vendor arrangements and forthcoming designation/oversight of critical providers. In the UK, a parallel regime gives regulators powers to oversee “critical third parties” to the sector.
That’s the regulatory side of the ledger. What organizations actually need in order to succeed, and to turn resilience from compliance into value, is a little different.
1) From “Documents” to Decisions
Regulators want: impact tolerances, mapping, and testing.
Organizations need: the ability to make fast, confident decisions when the scenario is messy.
Static binders and fragmented spreadsheets don’t help an exec decide whether to throttle volumes on a payment rail, fail over a supplier, or invoke contingency headcount. To operate within a tolerance, you need live service dependency maps, current KRIs, and response playbooks tied to the same data fabric. That is what turns mapping and testing from artifacts into action.
Practical move: unify incidents, controls, KRIs, assets, and IBS dependencies so that a breach alert or supplier outage automatically shows who/what is impacted and how long until you hit the tolerance.
2) From “Severe but Plausible” to Probable and Repeatable
Regulators want: scenario tests that are severe but plausible.
Organizations need: a testing program of lightweight, repeatable exercises that build muscle memory across the year.
One polished annual test checks a box; it doesn’t build capability. Blend tabletop exercises, targeted control walk-throughs, and automated checks (for contact trees, runbooks, supplier response SLAs). Make outcomes visible to the board in language they care about: time to detect, time to route, time to decision, and time to recover, each measured against tolerance.
3) From “Registers of Information” to Supplier Visibility You Can Act On
Regulators want: inventories and registers of third-party arrangements (DORA), plus oversight of critical third parties (UK). (European Banking Authority)
Organizations need: practical supplier resilience tiering that reflects business criticality, tested failovers, and triggers that escalate when your exposure is rising.
This is where many programs stall. They collect contracts and SOC reports; they don’t model business-service impact if a clearinghouse, core banking provider, cloud region, or claims adjudication hub goes down. Build a supplier–IBS map, capture workarounds and capacity constraints, and rehearse the switch.
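As an added illustration of the supplier–IBS map described here and of the “how long until you hit the tolerance” view from point 1, the following is example code written for this article, not code from the original post or from any vendor product; every service name, dependency, tolerance and failover in it is constructed.

```python
from collections import defaultdict

# Constructed sample dependency map (not a real firm's data).
# Each key depends on the nodes in its set: IBS -> internal system -> supplier/infra.
DEPENDS_ON = {
    "Faster Payments":    {"Payment Gateway", "Core Banking"},
    "Mortgage Servicing": {"Core Banking", "Document Hub"},
    "Payment Gateway":    {"Clearing House (supplier)"},
    "Core Banking":       {"Cloud Region eu-west-1"},
    "Document Hub":       {"Cloud Region eu-west-1"},
}
# Board-approved impact tolerance per important business service, in minutes (constructed).
TOLERANCE_MIN = {"Faster Payments": 120, "Mortgage Servicing": 24 * 60}
# Tested failovers: an outage of the dependency does not propagate over these edges.
TESTED_FAILOVER = {("Document Hub", "Cloud Region eu-west-1")}

# Reverse index: for each node, the nodes that depend on it.
DEPENDENTS = defaultdict(set)
for node, deps in DEPENDS_ON.items():
    for dep in deps:
        DEPENDENTS[dep].add(node)


def impacted_services(outage_node):
    """Walk upward from the failed node and return the set of IBS it takes down."""
    hit, stack, seen = set(), [outage_node], set()
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        if node in TOLERANCE_MIN:          # reached an important business service
            hit.add(node)
        for parent in DEPENDENTS[node]:
            if (parent, node) not in TESTED_FAILOVER:   # a rehearsed failover stops propagation
                stack.append(parent)
    return hit


def minutes_to_tolerance(outage_node, elapsed_min):
    """Minutes left before each impacted IBS breaches tolerance (negative = already breached)."""
    return {ibs: TOLERANCE_MIN[ibs] - elapsed_min for ibs in impacted_services(outage_node)}


if __name__ == "__main__":
    # Cloud region down for 90 minutes: Faster Payments has 30 min left; Mortgage Servicing
    # is hit through Core Banking even though Document Hub's failover holds.
    for ibs, left in sorted(minutes_to_tolerance("Cloud Region eu-west-1", 90).items()):
        status = "BREACHED" if left < 0 else "inside tolerance"
        print(f"{ibs}: {status} ({left} min remaining)")
```

The same walk answers the supplier question directly: an outage of the clearing house reaches only Faster Payments, which is the tiering signal the text asks for.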
4) From “Root-Cause Labels” to Attack-Surface Reality
Regulators want: robust ICT controls and response.
Organizations need: to align resilience with how breaches actually start.
Recent data shows the picture is dynamic: exploitation of vulnerabilities surged dramatically in 2024, while phishing and credential abuse remain persistent pathways. Your resilience program should reflect that mix; patch velocity, exposure management, credential hygiene, and response orchestration matter as much as the incident playbook.
5) From “Ownership Ambiguity” to Clear Accountability
Regulators want: board sign-off and demonstrable oversight.
Organizations need: named owners for IBS, tolerances, scenarios, and playbooks, and a cadence that keeps them honest.
Good programs establish a monthly rhythm: risk reviews for IBS health (KRIs and changes), supplier exposure updates, and a short, focused test with lessons logged and actions closed. When the board asks, “Are we inside tolerance today?” you can answer with evidence.
6) From “Tool Sprawl” to a Unified Platform
Regulators want: mapping, testing, reporting, vendor oversight, incident management.
Organizations need: one place to connect them.
Many vendors will pitch a checklist: a mapping module, a test tracker, a vendor portal, another dashboard. The result: disconnected data, duplicate work, and slow decisions. What teams tell us they need is a unified platform, not another point solution, that links IBS, dependencies, risk and control data, supplier tiers, exercises, and incident response so reporting is automatic and actions are coordinated.
What competitors will tell you, and what to look for
You’ll hear plenty about “AI,” “automation,” and “libraries of scenarios.” These can help, but ask three questions:
- Is mapping operational or ornamental? If you can’t click from an IBS to the teams, systems, and suppliers you’d mobilize in a disruption, you don’t have resilience, you have a diagram.
- Does testing change behavior? A strong platform turns test findings into actions with owners and dates, and it measures readiness the way a regulator, and a CEO, cares about: are we inside tolerance today?
- Are vendors truly integrated? DORA’s registers and UK CTP oversight elevate third-party expectations. Can you see risk, performance, and failover posture in the same place you run your continuity and incident response?
Closing thought
Regulators are right to raise the bar. But resilience that endures isn’t created by checklists; it’s created by connected data, clear ownership, and regular practice. If you get that right, compliance follows, along with faster decisions, lower losses, and stronger trust.
That’s the work our customers are doing every day: turning regulatory intent into operational reality.