Operational Resilience

Operational resilience is defined by UK regulators as:


‘the ability of firms … to prevent, adapt, respond to, recover and learn from operational disruptions.’


In late 2019, the FCA, PRA and Bank of England published their joint Consultation Papers on Operational Resilience which set out the expectations for operational resilience in the financial sector.  Following an increase in operational and security incidents, regulators are requiring boards to look to identify potential operational disruption to important business services, including those arising from use of outsourcing.


What does this mean in practice and how can you ensure that your organisation implements a robust operational resilience framework?


Managing the operational resilience of a company is an ongoing activity that requires clear ownership, governance, documented processes and a joined-up approach across business operations, IT and risk management function.


Crescendo Advisors’ vast experience in designing, developing and adapting enterprise risk management frameworks makes us expertly placed to assist with building and implementing your operational resilience framework. We can support or manage your activities in every stage of the process.


The ongoing journey of operational resilience is a continuous process though the following stages:


  • Discovery – identify important business services, including underlying/supporting technology and mapping all inputs that support the important business services identified

  • Assessment –  set tolerances for failure/maximum tolerable disruption for each material business service identified

  • Testing –identify scenarios of severe but plausible disruption to material business services and test the ability to remain within impact tolerance

  • Remediation – develop a prioritised and funded plan to enhance the resilience of important business services that exceed the maximum tolerable disruption.


As with all regulatory change implementations, training of the Board, senior management and staff are paramount to ensure that the approaches are embedded.


The on-going Covid-19 has provided an opportunity for firms to test aspects of their operational resilience and learn lessons about operational resilience readiness.  We spoke with a range of risk professionals in the insurance industry.  A summary of the overall findings are here.  We have distilled the 5 most pertinent learnings for your implementation of operational resilience requirements:


  • Do not assume that you will get the same advance warning as for Covid-19 for the next operational resilience event that might impact your company

  • Invest in crisis management as part of operational resilience implementation;

  • Working from home is useful but challenges your potential back-up for the next operational resilience event

  • Think about scenarios and stress testing in an integrated manner to get the full value; and

  • Outsourcing of key activities is likely to be a challenge for operational resilience; review and enhance investments in oversight.


For more detailed information see our blog posts ‘Five Lessons for Operational Resilience from Covid-19: The Goldilocks Approach and ‘Operational Resilience: How Much to Learn From Covid-19


How Crescendo Advisors can help


A lessons learnt exercise is a key tool in the Enterprise Risk Management kit.  It identifies good practice, and the gaps between expectations and experience. Properly carried out and documented, the exercise enables you to implement enhancements, which in turn makes your business more robust when the next “unknown unknown” strikes.  Crescendo Advisors can assist your lessons learnt exercise using a series of structured tools which tease out the key messages, carry out qualitative benchmarking, and document both the findings and any resultant strategic or risk management changes.


The PRA has clarified that it does not expect firms to comply with Operational Resilience requirements before 2022.  Crescendo Advisors can support aspects of your company’s implementation including:

  • identification of important business services

  • mapping of processes in a meaningful way

  • approach to setting impact tolerances

  • design of scenarios to stress test resilience of important business services


  • design of governance and reporting approaches

  • training Board and senior management. 


If you would like to talk to us informally about how we can support your operational resilience implementation, including your board training, call us today on 07766 725315 or email isaac.alfon@crescendo-erm.com