Operational Resilience: From Frameworks to Real-World Testing

Across the financial services sector, the message is clear: for in-scope firms, the focus has shifted from designing frameworks to proving they work under pressure. Regulators now expect organisations to move beyond compliance and into a phase of “Day 2 embedment and testing in anger.”

Many financial institutions have now established detailed frameworks, approaches and processes. But turning those frameworks into live, operational capabilities is proving harder than expected. The consensus across the conference was that true operationalisation will take years, not months, as firms learn what good looks like in practice and start to embed resilience as business-as-usual.

The challenges of embedding resilience

Several common pain points surfaced in the discussions:

• Data under stress: Many organisations still struggle to access accurate, timely data during a live disruption. Without that, it’s hard to make confident recovery decisions.
• Global accountability: In a cross-border stress scenario, accountability lines blur. Firms are re-examining decision rights and escalation paths under crisis conditions.
• Operating under stress: Recovery planning is maturing, but decision-making and prioritisation “in the moment” remain weak spots — particularly around data vaulting, service prioritisation, and communication. 
• Perception problem: Too many firms still treat operational resilience as an IT or risk discipline, rather than a core business capability. That mindset limits engagement and slows progress. 
• Lack of cross-sector learning: Financial services can learn much from sectors like energy, telecoms, and healthcare, yet few firms are drawing on those lessons.
• No industry-wide coordination: While firms are focused on their own scenarios and tolerances, there is still no robust collaboration model for managing a market-wide stress.
• Misunderstanding scope: Some continue to view operational resilience as “BCP+” or “DR+”. The regulation’s intent is far broader — it’s about maintaining critical services to customers and markets, not just restoring systems.

The reality check is still to come

It may sound pessimistic, but many delegates agreed: only a real market-wide stress will reveal what works and what doesn’t. Regulation can only go so far. Genuine resilience will be tested by events, not paperwork.

The supply chain dependency problem

Another area of growing concern is supply chain resilience. Firms are now being pushed to evidence not only their own robustness, but that of their critical third, fourth and even fifth-party providers.

Questions that are becoming routine include:

• How reliant are you on specific vendors?
• Can they demonstrate their resilience through data, evidence, or testing?
• How do you audit them effectively?
• Do you understand where concentrated risks sit in your technology supply chain?

Where firms go from here

The next phase of operational resilience will be defined by evidence, data, testing, and measurable outcomes. Firms that can demonstrate how resilience is embedded in their decision-making, supply chains, and recovery playbooks will be ahead of the curve.

Reply helps organisations move from compliance to capability, turning frameworks into live resilience. That means ensuring your data, technology, and governance structures are ready to perform under stress, not just on paper.

Is Your Technology Ready for Everything? Request a FREE, regulation-aligned Resilience Assessment Learn more