Operational Resilience

Operational Resilience
Operational Resilience


In today’s environment of rapid digital change, growing cyber concerns and outages impacting the financial sector, operational resilience continues to be top of mind for industry executives around the world. It’s not just the firms within the industry that are focused on the topic. With the issuance of the Discussion Paper on Operational Resilience by regulators in the UK this summer and the recent issuance of a similarly themed paper by the Monetary Authority of Singapore, the regulators have sent a clear message that this will be an area of increased focus in the coming years.
Protiviti’s financial services industry subject matter experts developed a framework with which firms can approach and evaluate operational resilience. This framework provides a structure that can be leveraged to help understand, prevent, and recover from extreme-but-plausible events that may impact critical business services provided by the organisation.


Providing smart, proactive solutions throughout a firm’s journey to operational resilience

  1. Identify Critical Business Services. Understand your business services and formalise those that are critical. Critical business services are those that have been identified through separate regulatory obligations, or meet established criteria that demonstrate a broader economic importance beyond the firm.
  2. Establish Impact Tolerance. Establish impact tolerances for critical business services. Extending beyond traditional recovery time, impact tolerance represents the point at which an interruption (or resilience event) threatens the viability of business services.
  3. Understand Economic Impact. Understand the impact of an operational resilience event on the financial sector and the broader economy. Create processes and procedures to minimise any negative impact.
  4. Implement Appropriate Governance. Establish proper governance functions and implement a resilience programme based upon the needs of the organisation’s critical business services.
  5. Test & Improve. Test the “extreme but plausible” scenarios to better understand realistic recovery times versus established impact tolerance. Testing will indicate where investment in technology or processes is needed in order to stay within tolerances.
  6. Continue to Evolve Foundational Elements. Continue to improve business, cyber, third-party and technology resilience — foundational elements of a solid resilience programme that should be supported with the appropriate “tone from the top.”


Since each financial institution is unique, we tailor operational resilience programmes to fit your organisational strengths and needs. Our dedicated professionals consider industry standards and leading practices as they work directly with your team to develop a custom solution that can accelerate your organisation’s assessment, implementation and sustainability of Operational Resilience, while gaining efficiencies throughout the process. 


Resilience Assessment

Assess the firm’s current practices with regard to operational resilience, including an assessment of the foundational elements.

Business Services Formalisation

Analyse existing business services to determine criticality, establish initial impact tolerance methodology and create economic impact scenarios for business services defined as critical.

Resilience Programme Implementation

Design and implement a resilience programme leveraging Protiviti’s framework, with a focus on governance and alignment with foundational elements.

Maturing Foundational Elements

Address known deficiencies in foundational elements of operational resilience: Business Resilience, Cyber Resilience, Third-Party Resilience, Technology Resilience.

Resilience Scenario Testing

Challenge existing resilience practices through enterprisewide scenario testing to simulate “extreme but plausible” scenarios impacting critical business services of the firm.

Resilience Assurance

Develop overall operational resilience internal audit plans, ingrain operational resilience into existing audits and provide assurance over the operational resilience programme.


Access Our Blogs On Operational Resilience