Operational Resilience in 2026: The Board's New Accountability

Operational resilience — the ability of an organisation to absorb disruption and continue delivering critical services — has moved from a business continuity concept to a regulatory obligation and board-level accountability. For UK financial services firms, the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) have set binding operational resilience requirements that came fully into force in March 2025. For organisations outside financial services, the pressure is coming from a different direction: the EU’s Digital Operational Resilience Act (DORA), supply chain disruption, and a wave of high-profile cyber incidents that have demonstrated the systemic risks of inadequate resilience planning.

What Has Changed in the Regulatory Landscape?

The PRA and FCA’s operational resilience framework requires in-scope financial services firms to identify their important business services — the activities whose disruption would cause significant harm to customers or market integrity — and to demonstrate that they can remain within defined impact tolerances even under severe but plausible stress scenarios. This is a materially different requirement from traditional business continuity planning, which focused on recovery time. The new standard asks firms to prove they can stay operational throughout a disruption, not simply recover from it afterwards.

DORA, which applies to financial entities operating in the EU and their critical ICT third-party providers, adds a further layer of requirements around ICT risk management, incident reporting, digital operational resilience testing, and third-party risk oversight. UK firms with EU operations or EU-based counterparties need to understand their DORA obligations in parallel with domestic FCA/PRA requirements.

Why Is Operational Resilience a Board Issue, Not an IT Issue?

The instinct in many organisations is to treat operational resilience as a technology and operations problem — to be managed by the CTO, CISO, and business continuity teams. This instinct is understandable but insufficient. Operational resilience failures are, at their root, strategic failures: failures to identify which services matter most, to invest adequately in their protection, to manage third-party dependencies effectively, and to build organisations with the adaptability to respond when disruption occurs.

Boards must own the definition of important business services — because doing so requires a strategic judgement about what the organisation fundamentally exists to deliver. They must set impact tolerances — because doing so requires a value judgement about what level of disruption is acceptable to customers, regulators, and stakeholders. And they must hold management accountable for demonstrating resilience — because the consequence of failure falls ultimately on the organisation as a whole, not on any individual function.

The Third-Party Risk Blind Spot

One of the most significant vulnerabilities in most organisations’ resilience posture is third-party concentration risk — the degree to which critical operations depend on a small number of external suppliers, cloud providers, or technology platforms. The 2024 CrowdStrike incident, which caused widespread IT outages across industries globally, illustrated how a single vendor failure can cascade across thousands of organisations simultaneously. Many boards were confronted for the first time with the extent of their operational dependency on technology suppliers they had never directly considered a resilience risk.

Effective third-party resilience management requires boards to understand not just who their critical suppliers are, but what the concentration of dependency looks like across their supply chain — and whether viable alternatives exist. For financial services firms, both the FCA/PRA framework and DORA include specific requirements for third-party risk assessment and exit planning that boards need to be actively overseeing.

Executive Actions: Building Board-Level Resilience Oversight

  • Map your important business services. Conduct a structured exercise to identify which services, if disrupted, would cause the greatest harm to customers, revenue, or regulatory standing. This list should be owned and approved by the board.
  • Set and test impact tolerances. For each important business service, define the maximum tolerable disruption period and test whether the organisation can actually stay within it under a realistic stress scenario.
  • Audit third-party dependencies. Commission a complete mapping of critical third-party and fourth-party dependencies, with particular focus on single points of failure and technology concentration risk.
  • Review your cyber incident response plan. Ensure your board has rehearsed its role in a major cyber incident — not just the technical response, but the communications, regulatory notification, and strategic decision-making elements that senior leaders must own.

Frequently Asked Questions

Which organisations must comply with the FCA/PRA operational resilience rules?

The FCA and PRA operational resilience requirements apply to banks, building societies, PRA-designated investment firms, insurers, and FCA-regulated firms including major investment managers and payment institutions. Non-financial services organisations are not directly subject to these rules, but the framework provides a useful governance template for any organisation seeking to improve its resilience posture.

What is DORA and does it affect UK firms?

The Digital Operational Resilience Act (DORA) is an EU regulation that applies to financial entities operating in the EU and their critical ICT third-party providers. UK firms that have EU subsidiaries, EU-regulated operations, or provide ICT services to EU financial entities may be in scope. The UK government is developing its own Critical Third Party (CTP) regime, which will introduce analogous requirements for systemically important technology providers to the UK financial sector.

How is operational resilience different from business continuity?

Traditional business continuity planning focuses on recovery — how quickly can we restore normal operations after a disruption? Operational resilience focuses on continuity — how do we ensure critical services remain available throughout a disruption, not just after it? This distinction shifts the frame from reactive recovery to proactive design, requiring organisations to build resilience into their service architecture from the outset rather than bolting on contingency plans retrospectively.

What should a board resilience report include?

A good board resilience report should cover: the status of important business services against defined impact tolerances, results of the most recent resilience testing, a summary of third-party risk exposures and mitigations, any material incidents since the last report and lessons learned, and an assessment of emerging threats relevant to the organisation’s resilience posture.

Informd provides intelligence briefings for senior business leaders across technology, finance, strategy, and compliance. Based in Milton Keynes, UK, we help executives stay informed and act with confidence. Browse our full briefing library or get in touch to learn about our subscription service.
