Operational risk programs have long emphasized prevention and detection. But the conversation is shifting toward operational resiliency—building the capability to keep delivering critical services through disruptions and recover quickly when the unexpected happens.
Members of ProSight’s RMA Toronto Chapter and Canada’s Office of the Superintendent of Financial Institutions (OSFI) co-authored a paper on how banks can strengthen operational resiliency in an era of increasing disruption—and ProSight recently gathered three of the authors to expand on the ideas. Bryan Tamblyn, chief compliance officer at Cidel Bank Canada, set the tone, saying resiliency starts with “assuming that disruptions will occur like we saw with AWS. You need to plan and prepare for disruptions. They will occur. It’s just a matter of when.”
A few practical takeaways from the authors (whose comments do not necessarily reflect the views of their institutions):
Adopt a broader lens than traditional operational risk. “Organizations have moved from the journey of operational risk to operational resiliency,” said Sandeep Dani, RMA Toronto vice president. That shift includes an “integrated approach across several risk programs,” because resiliency is “about our stakeholders and customers, about our business.” Dani also emphasized that resiliency involves “several external factors in addition to being internally facing,” which means mapping external and internal interdependencies.
Make resiliency an enterprise effort—driven from the top. The paper highlights the importance of senior management and the board setting the tone. Marlene Lenarduzzi, RMA Toronto president and Equitable Bank chief risk officer, said a risk management function can’t build an operational-resiliency framework alone.” A resiliency mindset, she added, “should permeate across the organization [and] across all three lines of defense.”
Define what’s critical, map it, and set disruption tolerances. Banks need to identify critical services—those that, if interrupted, could jeopardize customer trust, safety, or financial stability. “That’s what the Canadian regulators are focused on now,” Tamblyn said. “Once you’ve done that, you can look across the organization, identify where they’re mapped, and begin setting tolerances for disruption.” He suggested using a client-centered approach: “Is it OK for that [disruption] to occur for one hour or two hours? Or two days?”
Practice scenarios and test what you think will work. Lenarduzzi cautioned that resiliency takes more than plans on paper. If an outage hits, “What are you going to do? Are you going to execute a failover to your redundant system? If you do have a redundant system, test that it actually worked properly. Playing it out live helps to shape how you would react.” Tamblyn said the thinking has to get concrete: “Are our clients going to be able to access their money” and “see their accounts”?
Treat resiliency as competitive advantage, not just hygiene. Lenarduzzi noted that strong execution can become a differentiator: “Faster system recovery than your competitors”—and a chance to show customers “the bank is well managed and organized” while competitors “might be struggling to figure out their playbook.” Dani underscored the stakes: “The customer tolerance to poor service is low.”
