
In 1985, Italian mountaineer Reinhold Messner ascended the northwest face of the Annapurna mountain range, becoming the first person on record to climb all fourteen 8,000m summits in the world. With reduced visibility and a 3 km-long ridge to contend with, researchers now allege that Messner failed to reach the summit. 38 years later, Messner’s records were stripped, his legacy tarnished, and history was rewritten.
Messner’s challenges can be likened to meeting the upcoming Operational Resilience requirements in the UK and Europe. An unclear path must be navigated extremely efficiently to meet regulatory deadlines on the horizon in early 2025, keeping compliant now whilst laying the foundations for continued success.
This article compares some of the key requirements under the FCA’s Operational Resilience regime and ESMA’s Digital Operational Resilience Act (DORA), casting a light on areas of divergence and providing key considerations for firms in the lead-up to go-live.
UK Operational Resilience & DORA: From Peak to Peak
The end of the 3-year transition period for the UK Operational Resilience ‘trek’ is looming, and as Messner found out, the final stretch is often the hardest! As we look ahead to the end of the implementation period in March 2025, we see some priority activities:
- Process Mapping: Conduct detailed mapping exercises for all ‘Important Business Services’ (IBS) with the aim of remediating vulnerabilities identified as well as enabling firms to conduct scenario testing. Processes should be updated in line with IBS reviews, including new IBS that have been identified since March 2022.
- Scenario testing: Implement a robust testing programme and evidence detailed scenario testing of all IBS. The regulator is expecting firms to consider evolving risk scenarios, and any vulnerabilities identified should be addressed before March 2025.
By now, firms should have clear policies and procedures around Operational Resilience with dedicated resource for ongoing maintenance of the firm’s programme.
Elsewhere in Europe...
ESMA have recently published their first set of rules under DORA, relating to Information and Communication Technology (ICT) and third-party risk management and classification of major ICT incidents. With a 17th January 2025 go-live, European entities are gearing up for compliance. Whilst some alignment exists with the UK’s Operational Resilience IBS requirements, DORA is more focused on ICT and Cyber Risk. Firms will need to review all Technology and Cyber resilience controls and manage the implementation of these new requirements:
- ICT Risk Management: Including mapping of ICT-related functions, roles and responsibilities, risk tolerances and associated policies and procedures
- ICT-related Major Incident Reporting: Classification and logging of ICT-related incidents including communication arrangements and monitoring controls
- Digital Operational Resilience Testing: Annual testing of ICT systems and applications covering a wide range of test types
- ICT 3rd Party Risk Management: Outsourcing requirements with critical ICT third-party service providers including documentation of contractual arrangements, due diligence and management of subcontracting risk
- Information Sharing Arrangements: Information exchange amongst firms in relation to cyber threats and vulnerabilities
Operational Resilience: Preparing for the Final Ascent
With under 300 days until the European regulatory deadline, there are several activities firms should consider as they prepare for the final ascent (Exhibit 1):

- Impact Assessment: Under both UK and EU regimes, firms must understand their in-scope services and functions, how these should be classified, and which critical 3rd parties are considered in-scope. Firms are grappling with finding the right level of granularity to define services, and how to treat complex legal structures with intra-group arrangements and dependencies.
- Process Mapping, Tolerance Setting, and Test Planning: Firms should process map critical services: documenting these appropriately, setting tolerances benchmarked against industry best-practice and executing scenario test plans.
- Review of Documentation: DORA alone references over 35 policy, procedure and framework documents as part of the overall Risk Management Framework. Firms should assess whether their existing documentation is fit for purpose. Technology can help, and new solutions are on the market that automate compliance assessment and maintenance.
- Establish Effective Governance: Firms have historically struggled to find appropriate owners for Operational Resilience initiatives and firms are facing challenges in establishing where these programmes should sit. In the UK, the SMF24 holds accountability over Operational Resilience, whilst DORA specifies the management body is ultimately responsible. Senior Management must also be engaged and be aware of supporting documentation and test outputs.
- Delivery & Implementation: Firms should have established projects and consider whether both the project and BAU teams have sufficient expertise to carry out not only the initial implementation, but also the ongoing monitoring required to remain compliant.
Why should firms act now?
Messner’s lifetime of accolades demonstrates an unwavering resilience that firms can certainly aspire to. But his mishap on Annapurna illustrates that without the right level of precision, those efforts can be undone. Like seasoned climbers, firms need to meticulously plan their Operational Resilience programmes and weather the storm of future regulatory change, to truly reach the (compliant) summit of success!
If you want more information on how best to approach the upcoming operational resilience requirements and future-proof your operations, get in touch with Alpha’s team of risk & resilience specialists. We support our clients globally with the most operational risk advisory, implementation and remediation projects.


