As deadlines approach for operational resilience adoption, universal adoption edges closer
BCI Operational Resilience Report 2024
The BCI is pleased to launch the BCI Operational Resilience Report 2024 in this critical year for the sector.
This highly anticipated report arrives as the financial services industry faces looming deadlines in January, March, and July 2025 for the EU Digital Operational Resilience Act (DORA), the UK FCA/PRA/Bank of England operational resilience requirements, and the Australian APRA CPS 230 standard, respectively.
Drivers for operational resilience programmes
Thankfully in this environment, the BCI Operational Resilience Report 2024 shows that most organizations in the UK finance and banking sector are confident of meeting regulatory targets, even if this confidence has declined slightly from last year with the clock now ticking towards 2025.
All of this highlights the importance of regulation in the adoption of operational resilience programmes, now the primary driver for adoption. However, with nearly 60% of organizations adopting operational resilience for good practice purposes, its remit beyond financial services is clearly expanding.
Some of the multi-sectoral expansion can be partially attributed to the incorporation of third-party guidance in operational resilience regulations. Last year, 40.3% of organizations reported that their motivation for having an operational resilience programme was due to their relationship with a stakeholder that follows regulation relating to third-party suppliers. This year, however, the number of organizations reporting this has surged to 47.3% — representing the largest swing in motivating factors.
The international landscape
The BCI Operational Resilience Report 2024 also demonstrates the volume of sectors outside of financial services which are complying with operational resilience guidance or regulation. Indeed, most organizations (66.2%) are impacted by regulations and are complying with between one and five regulatory schemes. The report finds that ongoing compliance with these different schemes requires an increasing number of resources, such as additional staff.
This is a particular challenge for organizations which operate across several countries, since it requires awareness and adoption of a growing number of regulatory schemes.
Of course, while there is still no consensus on a definition for operational resilience across these sectors and countries, the report finds that there are key features of an operational resilience programme which are almost universally agreed upon. For instance, the identification of important business services and the identification of critical suppliers are found to be essential processes within operational resilience by 95.8% and 88.3% of organizations, respectively.
This year’s report is sponsored by Riskonnect.
Commenting on the report results, Rachael Elliott, Knowledge strategist, The BCI, said: “2024 was always going to be crunch year for financial services organizations with regulatory deadlines for 2025, but the primary story for me this year is the bedding down of a more formulaic structure for operational resilience. Although “definition confusion” persists, other sectors are now adopting many of the primary principles of operational resilience, often due to the perceived benefits of protecting customers and reputation. However, one of the greatest challenges for practitioners this year is that of ensuring critical third-party suppliers meet the same regulatory requirements as their financial services customers: an exercise which is proving costly and, in some cases, prohibitive for suppliers to meet.”
Jim Wetekamp, CEO of Riskonnect, commented: "As regulatory deadlines loom in 2025, the BCI Operational Resilience Report 2024 reveals a pivotal shift: operational resilience is no longer confined to financial services but is expanding across sectors. While regulation remains the primary driver, a significant surge in adoption is also seen due to good practice and third-party relationships. The report underscores that the identification of critical business services and suppliers is almost universally essential. However, the challenge of aligning third-party suppliers with stringent regulatory standards remains a costly and complex hurdle for many organizations."