A Case Study of Practices in Financial Services Sector
Business Continuity Planning (BCP) and Disaster Recovery (DR) planning are important components of Operational resilience, defined by the Basel Committee as the ability to ‘deliver critical operations through disruption’, which enables a firm to ‘identify and protect itself from threats and potential failures, respond and adapt to, as well as recover and learn from disruptive events’ [1]. Equally, they form part of the sound practices for the management of Operational risk, which concerns itself with losses related to people, systems, processes and external events. It can easily be argued that Operational risk management supports the operational (as well as financial) resilience of an institution. The identification and protection aspects, in particular, are based on prudent and proactive risk management: recognizing, examining and mitigating threats and vulnerabilities. By assuming that disruptions are inevitable and will eventually occur, post-event detective and corrective controls help firms to respond to, recover from and learn from incidents. Resilience implies building strength, not just the ability to continue as before. And, as noted by the Basel Committee in its Principles for Operational Resilience [2], Operational resilience is the outcome of Operational risk management.
So, the topics of Risk and Resilience are interconnected. But are Operational risk and Operational resilience professionals collaborating effectively, or rather working in their own silos, each to their own methodologies?
Indeed, the latest poll taken by The Best Practice Operational Risk Forum, an international forum comprising senior risk experts from over 50 financial services firms, demonstrates that Operational risk and Resilience professionals appear to be struggling to find their optimum collaboration model:
Only a minority (4%) of respondents noted meaningful integration, with alignment of efforts and methodologies. It is important to explore the potential touch points further, with the aim of increasing integration, reducing inefficiencies and enhancing organisational resilience.
Defining What is Critical
While the terminology may differ, mission critical services (referred to here as critical operations) are the essential core services of the firm, the disruption of which would have a material impact on the operation of the firm, its customers, or even the economy more broadly. A key collaboration point is the task of defining critical operations and mapping their dependencies, such as people, facilities, technology, information and third parties. This can be approached with the help of a core risk management tool, the Risk and Control Self-Assessment (RCSA). If RCSAs are structured by process / service and include process maps which clearly identify dependencies, not only is the laborious task of defining critical operations nearly complete, but, crucially, risk and control data can also be viewed through the critical operations lens.
Good practices: RCSAs are structured by critical process / service (rather than by department, which misses end-to-end process interconnectedness). Risk data is available for each critical operation and used for both risk management and resilience purposes. BC and DR planning is enriched with an understanding of existing risks and the effectiveness of mitigating controls.
Addressing the Cultural Aspect of Resilience
In addition to formal process maps, the topic of resilience has an equally (if not more) important softer aspect. An organization needs to achieve a shift in its mindset, developing a view of the firm from the ‘outside in’, in other words as a customer would see it. From the client’s perspective, when an expected service is not delivered or a commitment is not met, the question of whether the process broke down within the firm’s operations or technology, or due to a third-party failure, is neither important nor visible. Only the availability of the end product, the fact of the failure itself, matters. In this light, employees on the ground need to improve their understanding of how what they do affects the whole critical operations supply chain and the firm’s external customers. This requires fostering an end-to-end, customer-centric mentality, one in which employees look beyond their own narrow silos to the overall impact on the end client.
Good practices: An executive owner is assigned for each critical operation, supporting a customer-centric mentality and a culture of accountability. Goal setting and performance management incorporate risk and resilience parameters. Joint Risk and Resilience education for staff and briefings for the board are carried out. There is cross-functional engagement in the development of BC and DR plans, to understand and incorporate end-to-end process dependencies.
Setting and Testing Tolerance for Disruption
Another opportunity for collaboration presents itself when setting tolerances for disruption and testing resilience capabilities. Tolerances articulate the maximum level of disruption the organization is willing to accept, including the duration of the disruption, and need to be determined in connection with the firm’s risk appetite. Setting and testing tolerances requires firms to think through a range of severe but plausible scenarios. This creates a meaningful overlap between the Operational risk and Resilience universes of scenario story lines, such as:
- Cyber-attacks, leading to data theft, corruption or system unavailability;
- Third-party failures;
- People unavailability;
- The E component of ESG, for example climate-driven disasters resulting in the destruction of premises; and
- Legacy technology failures.
Although Risk and Resilience scenarios aim for different outputs (expected financial loss in the case of Operational risk; estimated disruption, for example in terms of duration, in the case of Operational resilience), by working together the two teams can align their scenario story lines, enriching the whole experience on both sides and providing benefits for the firm overall.
Good practices: A continuous, dynamic, joint Risk and Resilience testing programme, comprising scenario workshops, simulations and recovery testing. The test programme includes critical suppliers. Emerging risk horizon scanning is carried out for new threats to resilience, resulting in the creation of new scenarios.
In Conclusion: A Call for Action
In conclusion, this is a call for action for Operational risk and Operational resilience professionals to:
- Treat Operational resilience as an outcome of Operational risk management, recognizing the strong links between the two disciplines;
- Collaborate on all aspects of the resilience lifecycle to ensure alignment;
- Enrich BC and DR planning with risk management data; develop, plan and carry out joint exercises;
- Engage with the board to deliver a transparent view on resilience and assist in prioritizing and targeting investments to enhance it; and
- Continue to jointly develop the culture of accountability and customer-centric mentality throughout the organization.