Despite various regulatory initiatives, the road to robust operational resilience is far from clear. We are still very much in the “foothills” of creating effective, adaptable resilience frameworks.
Firms and their suppliers should view the Digital Operational Resilience Act (DORA) as the foothills of the Operational Resilience (OpRes) mountain, not the gold standard. By the end of the decade, we’ll need to go way beyond DORA.
The 17 January 2025 EU and 31 March 2025 UK deadlines are looming large on both sides of the channel. How you set your basecamp now matters!
The Growing Importance of Operational Resilience
In an era where financial systems are increasingly vulnerable to cyberattacks and supply chain disruptions, operational resilience is no longer an afterthought—it is a top priority. Recent events such as the CrowdStrike incident and sanctions-related failures, like the collapse of the Amsterdam Trade Bank in 2022, have underscored the importance of maintaining robust IT and risk management frameworks. These incidents revealed that even firms with strong financial risk controls could still fail due to operational vulnerabilities.
Accordingly, these new regulatory mandates recognize that financial resilience is a necessary but not sufficient condition to weather operational headwinds.
“You can have ample capital and liquidity but still … fail,” Frank Elderson, Member of the Executive Board of the ECB, noted in a recent speech, which offered new insight into the 2022 bankruptcy of Amsterdam Trade Bank after it lost access to its IT systems.
Industry experts on JWG’s RegCast Season 5: Winning the OpRes marathon have pointed out that this regulatory pivot to controlling the risk of technology underpinning the financial system has far reaching consequences.
It means:
- Better strategies, and better ‘ships’ to weather storms
- Better perspective as it is a 180-degree reorientation of risk management
- More accountability within firms
- More accountability across the supply chain
- RegTech to overcome legacy attitudes towards technology.
Financial services need global OpRes standards and “kitemarks”, so where will they come from and how do you navigate this terrain now?
The European “Gold Standard”?
DORA represents a highly prescriptive approach, mandating that financial institutions adopt specific technical standards to manage and mitigate risks related to information and communication technology (ICT).
This includes strict guidelines for third-party vendor risk management, continuous IT testing, and incident reporting. The Act also places significant accountability on senior management, ensuring that executives are directly responsible for their firm’s resilience strategies.
Internationally, the Financial Stability Board has taken steps to harmonise some aspects of OpRes via an ‘Enhancing Third-Party Risk Management and Oversight’ toolkit in 2023 and the release of an international standard for incident management data (FIRE) on 17 October 2024.
JWG research shows that while international regulations are broadly aligned, Europe sets a high bar for the industry. Clearly, DORA provides a “gold standard” for operational resilience across the EU.
Source: JWG analysis, OpRes RegDelta October 2024
However, while the framework offers an unprecedented level of detail, it raises questions about:
- The interaction with other regulatory regimes
- Its ability to keep pace with the rapid advancements in technology and
- The growing sophistication of threats.
The UK’s Principles-Based Approach
In contrast to DORA’s 20,000 paragraphs, the UK has opted for a more principles-based approach to operational resilience.
As JWG has described in our ‘EU vs UK OpRes: ready, set resilient’ analysis here, this regime, spearheaded by the Financial Conduct Authority (FCA) and Bank of England, encourages financial institutions to focus on the outcome—specifically, their ability to recover from major disruptions—rather than adherence to a rigid set of rules.
The UK’s rationale is rooted in the idea that resilience is not just about preventing incidents but also about how quickly and effectively firms can bounce back. This approach recognizes the impossibility of eliminating all risks in an increasingly interconnected financial system. Instead, the focus is on flexibility, allowing firms to tailor their resilience strategies to their specific risk profiles and operational structures.
However, this flexibility can also be a double-edged sword. Without clear, specific rules, the sector may struggle to interpret the principles and implement adequate safeguards.
It will also struggle to accommodate the additional cyber, AI and quantum management practices that will pose even more challenges to rationalise globally.
This highlights a key question: where to pitch OpRes standards basecamp?
To address this, greater industry-wide collaboration and information sharing are essential. By working together, firms can better manage systemic risks, share best practices, and enhance the resilience of the financial ecosystem as a whole.
Evolving Landscape and the “Foothills”
Despite the progress made in recent years, the development of effective operational resilience standards remains in the “foothills” of this RegTech mountain.
Operational resilience is not a “once and done” regulatory exercise. As the landscape evolves, so too must the standards and practices that govern financial firms’ operations. Regulators are aware of this, and many, like the UK’s Financial Conduct Authority (FCA), have built flexibility into their frameworks to allow for ongoing adaptation.
The frameworks that exist today, whether prescriptive or principles-based, will need to evolve continuously as new risks and technologies emerge. The sector requires adaptable, forward-looking frameworks that can respond to unforeseen threats.
Additionally, regulators and firms must avoid the temptation to assume that any current framework represents the final solution. Rather, operational resilience should be viewed as an ongoing effort—a work in progress that requires constant reassessment and adaptation.
The Road Ahead
Looking forward, there are several key priorities that firms and regulators must address to ensure that operational resilience frameworks remain effective and relevant:
- Developing More Robust Data and Metrics: To effectively assess resilience, firms need access to reliable, real-time data on their operations and third-party dependencies. This data can inform risk assessments, allowing firms to identify vulnerabilities before they lead to major disruptions.
- Fostering Cross-Industry Coordination: Firms should work through enlightened trade associations not only to share best practices but also to develop business-led common resilience standards that transcend regional regulatory differences.
- Maintaining Flexibility to Evolve Standards: Given the rapidly changing threat landscape, regulatory frameworks must remain flexible and adaptable. As new technologies and risks emerge, both regulators and firms will need to continuously update their resilience strategies to stay ahead of potential disruptions.
Listen to the experts in RegCast Season 5:
Episode 4 – The OpRes Standards Mountain
Conclusion
As we continue the climb up the OpRes mountain, it is clear that we are still in the early stages of developing comprehensive operational resilience standards.
Ultimately, the journey toward operational resilience is an ongoing effort that requires close collaboration between regulators, financial institutions, and their suppliers. Only through continuous adaptation and shared learning can the industry hope to navigate the complex and evolving risks of the digital age.
Navigating compliance requires an upgrade to your policies, procedures, contracts and controls. JWG’s OpRes RegDelta accelerator enables safe and efficient alignment between your business, controls, and ever-changing regulation.
This only gets more complicated from here. Cyber, AI, and Quantum rules will create even more hills to climb.
So don’t wait any longer – talk to us today about how we can help you be confident with your position at OpRes basecamp and ready for the journey ahead.
Upgrade your OpRes with RegDelta
RegTech is at the forefront of better, faster, cheaper, and safer OpRes solutions for 2025 change programmes.
JWG’s OpRes RegDelta enables evergreen linkage with your policies, procedures, and contracts, boosted by our LLM partners, which your teams can interrogate, saving time in spotting and closing your gaps.
Learn how in our new 2-minute video.
Want to arrange a demo? Please contact Corrina.stokes@jwg-it.eu.