Aspida Insights

Creating Operational Resilience – A Core Board-level Responsibility

How can we best crystallise risk? Our Business Analyst and Corporate Governance Professional Jessica Regnard provides an insight into understanding and enhancing your Operational Resilience, and into how we can best create resilient businesses in today's environment.

Jessica Regnard

With the end of quarter three fast approaching and year end on the horizon, buzzwords in the Boardroom are changing with the seasons. Remaining high on agendas are topics such as Operational Resilience: the ability of financial institutions to prevent, respond to, adapt to, recover from and learn from disruptions to their core business services.

This year the GFSC implemented a more robust approach to internal audit. The regime builds on the existing regulation whilst putting boards and senior management at the heart of their firms' operational resilience enhancement programmes and of the second line of defence.

It is clear that the regulators expect to see increasing evidence of genuinely effective operational resilience programmes, particularly around how vulnerabilities, risks and threats to firms' resources are managed, with focused engagement from senior management and the board required. This extends to any relevant resource provided by a third party, meaning that operational resilience and outsourcing should be regular items on senior management's corporate governance agendas.

Meanwhile, client expectations have also increased with the entry of FinTech challengers, and clients now expect providers to be available at all times. As institutions tackle the operational issues that arise from complexity, they change and adapt how they use technology and turn to outsourcing to meet consumer needs and grow their business whilst increasing efficiency. Under the regulation, boards are specifically required to approve the core ('important') business services identified by senior management, together with the impact tolerances that accompany them.

It is comforting to see the regulation moving toward a risk-based approach by ensuring that operational resilience ties back to the corporate strategy. Whilst risk appetite is the amount of risk an entity is willing to take to achieve its objectives, an impact tolerance is the maximum amount of harm that can be sustained before it becomes intolerable to the firm or its clients. Impact tolerances are set by reference to severe but plausible events that would exceed the risk appetite. Perhaps more importantly, impact tolerances give boards a yardstick against which to test the key resources (processes, people, technology, information and facilities) that support a firm's 'important' business services, and to expose the vulnerabilities in them.

Internal Assurance

As with most regulatory programmes, the starting point is an internal assessment. In this case a business must map its key resources and their interdependencies, document the identified vulnerabilities, record compliance with the operational resilience requirements and detail planned remediation activity. Much like all other regulatory assessments, the assessment report should be reviewed regularly and maintained as a live document until the next one. Boards must then pay attention to the new issues and challenges that will inevitably have emerged from the internal assurance process. When mitigating these issues, boards must consider the regulators' expectation that investment and culture change are prioritised. This will likely be the first major schedule of operational resilience activities that boards and senior management oversee, so future-proofing it is key, not only for the business but for regulatory engagement.

Board Understanding

So how are regulators ensuring that boards hold a sufficient understanding of operational resilience? By insisting on proactive and 'regular' reviews of progress against their operational resilience programmes, to ensure that important business services, impact tolerances and related documentation remain 'fit for purpose'.


In order to fulfil this obligation, boards must have access to appropriate management information (MI), which should be consistent, clear, timely and robust. Firms may consider building on existing data and applying a resilience lens, although new MI may still need to be developed. It is therefore critical that the board has the relevant knowledge, skills and experience to read and understand the MI, enabling it to challenge senior management constructively where appropriate and to make informed decisions with the firm's operational resilience requirements in mind.

Although the regulation focuses on senior management and the board, regulators allow flexibility in how operational resilience governance is structured. This could mean repurposing existing committees or establishing new ones. A committee structure is something we would always recommend when considering governance and structuring, as committees enable increased flexibility, diversity, consistency and efficiency.


Boards need to ensure that appropriate and effective risk management systems and strategies are in place to manage their third-party providers, from board level down. What does this look like in practice? It is evidenced through a firm's internal governance documentation, such as its policies on outsourcing, cyber security and operational resilience. Establishing tight policies and procedures that are informed by the other policies and strategies present within the business is key to managing outsourcing effectively.

Ultimately this is a huge opportunity for businesses to act and maintain momentum from their initial internal audits. Regular MI should be forthcoming in every firm and Company Secretaries can play a key role in supporting senior management and the board to allocate sufficient time and focus to operational resilience discussions and reporting at meetings.

Building the sophistication of a firm's operational resilience is no small task, but the benefits of creating a resilient business are worth it.

At Aspida, our Governance, Compliance and Risk Management & Assurance services are built around highly qualified and skilled staff providing multi-jurisdictional support tailored to fit your needs. You’ll find a wide range of services designed to help businesses comply and manage risk in the now, combined with innovative solutions designed to help mitigate and manage future risks (and the unexpected, such as Cyber Risk and global pandemics).

Contact us today to find out more about how Aspida can assist you with understanding and enhancing your business's operational resilience. From internal audit to occasional compliance and governance health checks, we can give you assurance and peace of mind, helping you define, mitigate, manage and monitor your risks whilst you focus on growing your business.
