What We Can Learn about Resilience from the Financial Sector
May 10th, 2022 •
Matt Kelly • Reading Time: 5minutes
Disruption plagues today’s businesses, making resilience—the ability of an organization to withstand disruption and continue providing services to customers—more important than ever.
Of course, that’s easy to say, but putting the idea into practice is the tricky part. How, exactly, does a business go about developing resilience? What capabilities should the company foster? It’s especially difficult in a world where disruptive threats range from pandemics to cybersecurity to climate change to supply chain collapse, and much more. What reports does one give to the board?
With continuing economic uncertainty, especially inflationary and liquidity pressures, businesses are under more pressure than ever to remain resilient in the face of a multitude of challenges.
Compliance officers and risk managers need solutions. So many threats with the potential for severe disruption exist today that “operational resilience” is no longer just an esoteric term tossed around in a few highly regulated industries. It’s a business imperative. Every organization needs to get better at withstanding disruption.
One place to look for guidance on that journey is the financial sector.
What Is Operational Resilience in Finance?
Operational resiliency is an organization’s ability to prevent, respond to, recover from, and learn from operational disruptions. It ensures the continuity of vital services and protects stakeholders.
The financial sector, like all industries, must rise to meet the challenges presented in our constantly changing world. In order to maintain operational resilience, organizations must implement safeguarding systems and a variety of other strategies, including:
Regulators in the financial sector have been discussing operational resilience for the better part of a decade. That’s because banks and other financial firms play a crucial role in supporting the greater economy. They’re also enormously complex operations with a wide range of enterprise risks.
More to the point, those regulators learned painful lessons during the 2008 global financial crisis (and in subsequent mini-disasters, like the “flash crash” of 2010). They learned how much damage disruptions in this sector can cause. The agencies have closely watched financial firms’ ability to withstand disruption ever since and churned out numerous pieces of guidance about operational resilience along the way.
Examples of Detrimental Disruptions
Recent remarks from the 2024 Institute of International Bankers Annual Washington Conference discussed the importance of operational resilience in an era of ever-expanding potential for disruption. It was noted that the sheer magnitude of what can be disrupted has increased significantly.
Consider this statistic from the conference as an example: The ACH Network processed $18 billion in payments totaling $40 trillion in 2014. In 2023, those numbers skyrocketed to 31 billion payments processed, totaling $80 trillion.
In 2017, a Treasury Department reportflagged banks’ reliance on third technology providers as a potential risk that needed attention. If those tech providers failed or suffered a cybersecurity breach, the report said that could threaten the whole financial system. So, the banking sector needed some way to assure it could persevere through such failures.
FINRA, the regulator for broker-dealers, has published several pieces of guidance over the years explaining how firms should prepare for pandemics, weather disasters, and other disruptions. The advice all flows from FINRA Rule 4370, which requires broker-dealers to have an effective business continuity plan.
The Federal Reserve (and other banking regulators) published a paper in 2020 outlining several practices large banks can follow to strengthen operational resilience.
We could go on from there. Some of the guidance focuses more on vendor risk and how to manage it. Others talk about the duties financial firms have to keep providing services to customers. Most of the material is light on jargon and details specific to the financial world, so risk managers in any industry can give it a read and put it to good use.
Lessons in Resilience from the Financial Industry
The guidance provided by financial regulators enables organizations across all industries to analyze and improve their strategies for operational resilience.
While identifying areas of improvement and potential disruptions, it’s helpful to keep the lessons learned from the financial sector in mind. Several key themes can be identified from their guidance, including:
1. IT Risk Management
Especially in today’s world, where hybrid work environments are the norm and employees might need to isolate themselves at home on short notice, the ability to keep providing services amid disruption depends on technology.
So, a company’s ability tomanage its IT systems—for privacy, cybersecurity, data availability, and other reasons—is paramount.
2. Third-Party Governance
Since most corporate IT systems now depend on cloud-based technology providers, IT risk management and third-party governance have fused into a single challenge. That is, a company can’t keep its IT risks in check without effective third-party governance.
Your ability to identify and monitor third-party relationships is crucial to operational resilience because those third parties are crucial to the technology you use to provide customer services.
3. Business Continuity & Disaster Recovery
These plans need to consider how disruptions to your physical assets (say, a weather disaster shutting down offices and data centers) could pressure your IT assets (everyone working from home, handling confidential data with personal devices and unknown networks).
The plans should first address how to restore mission-critical services immediately and then resume normal services as soon as possible.
4. Cultural Change
Organizations must undergo a cultural shift to enable operational resilience. After all, resilience flows through all aspects of a company, and everyone needs to be on the same page. It’s essential to develop processes that allow an organization to maintain and train employees to follow a culture of resilience.
Taking the First Step Toward Operational Resiliency
As sensible as the above ideas may be, companies still need to turn them into an actual program that can improve operational resilience. We can break that down into one crucial decision to make several important capabilities to develop.
Regardless of who leads your resilience project, they will need plenty of help and input from compliance officers and leaders of the operating business units. If you already have an in-house risk committee that reviews risk management periodically, don’t be surprised if that committee evolves into a “resilience advisory committee.”
Essential Capabilities
The important capabilities you will need to develop revolve around understanding what data, processes, and third parties you have and how all those things relate to your operations and compliance obligations.
For example, you’ll need to identify the business processes that are mission-critical to your company and then map out the data and third parties necessary for those processes to run normally. This will help you understand which assets and third parties are critical to your company’s resilience and prioritize their availability.
This might involve:
Creating redundant data archives
Maintaining a list of emergency suppliers
Strengthening contract clauses with current suppliers
Regardless, resilience first depends on identifying your critical business processes and mapping out the assets that make them work.
Moving Forward with Resilience
Building operational resilience is no easy task. A company must first identify its critical business processes, data, and third parties and the relationships among all three. Then, it needs to catalog the threats to those mission-critical items and develop strategies to ensure that those critical processes can continue even when the threats come to pass.
That’s complicated work. To succeed, a large enterprise has to use a proven technology tool. There’s simply too much at stake (and too many details to track) to rely on spreadsheets, emails, and manual processes. A company should equip itself accordingly.
Organizations must then build operational resilience because the number of threats to modern businesses will only increase.
To read this article, and others focused on The Path to Organizational Resilience, visit and subscribe to Risk & Resilience Magazine!
Matt Kelly
Matt Kelly is the Founder of Radical Compliance, which provides consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also serves as the personal blog for Matt Kelly, the long-time (and now former) editor of Compliance Week. Kelly writes and speaks frequently on corporate compliance, audit, and governance, and now works with various private clients to understand those fields and to develop go-to-market strategies or provide other assistance in reaching audiences of compliance professionals.
Matt Kelly is a leading compliance industry analyst and consultant, who studies corporate compliance, governance, and risk management issues.
Matt Kelly is the Founder of Radical Compliance, which provides consulting and commentary on corporate compliance, audit, governance, and risk management. Radical Compliance also serves as the personal blog for Matt Kelly, the long-time (and now former) editor of Compliance Week. Kelly writes and speaks frequently on corporate compliance, audit, and governance, and now works with various private clients to understand those fields and to develop go-to-market strategies or provide other assistance in reaching audiences of compliance professionals.
Kelly was named a ‘Rising Star of Corporate Governance’ by Millstein Center for Corporate Governance in the inaugural class of 2008 and was named to Ethisphere’s ‘Most Influential in Business Ethics’ list in 2011 and 2013.
Kelly was previously editor of Compliance Week from 2006 through 2015. He lives in Boston, Massachusetts.