Operational Resilience Is Now Being Read Backwards

 

This paper shows how regulatory supervisors assess harm, evidence and governance after a disruption.

 

Operational resilience has moved into a new supervisory phase. The focus is no longer on whether firms have completed mapping, impact tolerances and scenario testing, but on whether those materials are fit for purpose when read after an incident.

Recent supervisory engagement shows an expectation that resilience frameworks need to demonstrate credible anticipation of harm, not just formal compliance. In practice, supervisors are asking whether a reasonable reader, with the benefit of hindsight, can understand why the harm that occurred was not reasonably preventable.

For asset managers, trading firms and payment firms, this materially changes how resilience documentation is interpreted.

 

From planning framework to evidential record

Impact tolerances, scenario testing and mapping were originally designed as forward-looking management tools. But increasingly, they are being used as backward-looking evidence.

Regulatory supervisors are now reading these documents to assess:

  • What the firm believed could go wrong
  • Which harms were foreseeable
  • Whether risks were consciously accepted
  • How decisions aligned with stated tolerances

Detail and completeness are no longer sufficient. Supervisors are looking for frameworks that clearly explain how judgements were made, how trade-offs were assessed and why residual risk was considered proportionate.

 

Real example 1 – TSB IT migration failure (2018–2019)

The TSB migration failure is well documented, including regulatory outcomes and remediation. What is relevant today is how supervisors use this case as a reference point in ongoing engagements.

The supervisory lesson now routinely drawn is that technical recovery metrics alone do not demonstrate anticipation of harm. Systems may be restored quickly while customer detriment remains severe and prolonged.

Supervisors are now probing whether impact tolerances are framed around system recovery rather than client impact, whether they embed an unacknowledged acceptance of severe harm and whether outcomes that remain within tolerance can still fall short of credible anticipation of harm. This approach is now applied across the market, including to firms without a history of major incidents.

 

Scenario testing, mapping and hindsight

Scenario testing is now being assessed for substance rather than coverage. Supervisors are increasingly sceptical of scenarios that appear calibrated to confirm resilience rather than expose failure modes.

Mapping is no longer treated as an inventory exercise. Identified single points of failure and third-party dependencies are being used to ask why risks persisted and how boards satisfied themselves that tolerances would hold if those risks crystallised.

A recurring supervisory theme is internal consistency. Supervisors are comparing:

  • Scenario severity against known incidents
  • Mapping outputs against remediation decisions
  • Tolerances against actual incident response

Where documents lack internal coherence, the emerging supervisory view is that the framework evidences compliance with requirements but not a credible understanding of how harm could arise.

 

Real example 2 – UK payments and card scheme outages (2018–2024)

Recent years have seen a number of publicly acknowledged disruptions affecting UK payments and card schemes, reflected in industry communications and regulatory commentary.

Supervisory challenge is now directed at firms whose scenario testing assumed isolated outages, whose mapping exposed concentrated dependencies without credible alternatives, or whose disruptions exceeded stated tolerances despite formal compliance. For payment and e-money firms, operational resilience is now inseparable from consumer harm and conduct considerations.

 

Governance is the fault line

Boards and senior committees are now central to how resilience frameworks are judged.

Supervisors are paying close attention to:

  • How impact tolerances and scenarios were challenged
  • How decisions to defer remediation were justified
  • Whether interim controls were genuinely sufficient
  • How escalation and decision-making operated in practice

Well-documented governance is expected. However, records that show awareness of vulnerability without a clear rationale for accepting residual risk are increasingly likely to invite scrutiny rather than reduce it.

Board and committee minutes are now read not just as evidence of oversight, but as evidence of judgement.

 

The supervisory direction of travel

This approach aligns with the supervisory direction taken by the FCA and the PRA. The emphasis is increasingly on outcomes, decision-making and coherence rather than checklist completion.

Operational resilience should therefore be treated as a future supervisory and litigation record, not merely a regulatory requirement.

 

What firms can do now

As supervisory expectations continue to harden, the key question is no longer whether disruption can be avoided, but whether the firm’s own documentation credibly explains its decisions when disruption occurs.

Objectivus can support firms by:

  • Delivering a short, focused General Counsel or Board briefing on how operational resilience is currently being assessed in supervisory engagement
  • Reviewing existing resilience systems and controls to identify supervisory pressure points, including tolerances, scenario design and governance records

Axiol is designed to help firms operationalise resilience on an ongoing basis by:

  • Documenting and controlling operational and technology risks in a structured, auditable way
  • Supporting the production of incident reports aligned with supervisory expectations
  • Helping firms develop clear, defensible remediation action plans following disruption

Taken together, this helps ensure that operational resilience frameworks do not merely meet regulatory requirements but stand up to the scrutiny that follows real-world incidents.

Please contact us at info@objectivus.com if you would like to discuss how this applies to your firm’s operating model. We would be happy to arrange a short, practical discussion.