Operational resilience regulation: It’s a mindset, not a checklist


Operational resilience has been a growing focus for ServiceNow customers in many industries. The rise in regulations in this area is being driven by the increasing complexity of risks—from growing cyber threats to disruptions in global supply chains to geopolitical tensions.

The introduction of operational resilience regulations and frameworks in the past decade has been designed to address these challenges around the globe.

Some of these new regulations, such as FINMA 2023/1, the UK’s Operational Resilience Framework, Digital Operational Resilience Act (DORA), and the Monetary Authority of Singapore’s Technology Risk Management Guidelines, are about more than just compliance—they’re part of a broader movement towards safeguarding critical operations in a world that’s becoming more interconnected and, as a result, more vulnerable.

Let’s explore how to unlock opportunities through driving a transformative approach to operational resilience.

The regulatory landscape

Regulations have been coming into force to shape the activities of organisations at both national and international levels, through guidance and, where necessary, sanctions. Effective 17 January 2025, the EU-wide DORA applies to financial entities within the European Union and to the ICT third-party service providers that support them. It aims to ensure greater protection for customers and the broader stability of the financial market.

Likewise, at a country level, a new Swiss regulation for insurance intermediaries took effect in January 2024, designed to strengthen approaches to managing risk and resilience. It required registered companies to submit documentation to FINMA, the country's independent financial markets regulator, as evidence of compliance.

Further regulations come into effect this year. Financial institutions in the UK, for instance, have until 31 March 2025 to complete implementation of the UK's Operational Resilience Framework. Doing so requires demonstrating comprehensive operational resilience, from risk identification to business continuity planning to incident response.

Organisations need to meet a range of requirements, from prescriptive measures like DORA to principles-based guidance that requires institutions to apply some degree of interpretation (e.g., the UK Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA)). In either case, there are opportunities to use compliance work to improve business performance.

How to unlock opportunities through resilience

It’s common to use a reporting framework to ensure compliance with regulations. But this can encourage a compliance ‘checklist mindset’—where it’s easy to lose sight of the intention of the initiative and focus solely on meeting the requirements of a regulatory body. This often drives duplication within the organisation as multiple teams are created to address regulations with a common goal.

Organisations that are ready to go further can reap significant resilience and efficiency benefits by asking what the business actually needs in order to keep operating, rather than only what the regulator needs to see.

Shifting the emphasis from ticking boxes to helping ensure the business can withstand uncertainty—while serving customers more effectively—can allow organisations to benefit from operational resilience regulation.

Here are three tips to transition to a mindset that extends beyond checklist adherence.

Reframe the approach to focus on impact

Reframing compliance and focusing on the impact of resilient operations can create growth through opportunities such as improving processes and driving efficiencies.

If customers are offered a turnaround time of two days for a mortgage application, for example, maintaining that delivery time is paramount for customer satisfaction.

Start by assessing your product or service alongside its users to understand how long they can reasonably go without it. The answer sets the maximum disruption your customers can tolerate, whether for planned maintenance or for combating unexpected outages. Defining an impact tolerance, for example, should not be done just to satisfy a regulatory requirement; it should be done to ensure optimal customer service, reducing the risk of customer dissatisfaction and loss.

Create a united, cross-departmental approach

Some organisations make regulatory compliance the responsibility of one individual or team, such as a regulation lead or a DORA department. Others assign the role to their IT team or chief financial officer, depending on the regulation’s remit.

This can quickly become a data-gathering exercise, with those in charge collecting and standardising information from the rest of the business to submit to the regulator.

When considering how resilience needs to function across a business—with each department knowing how and when to respond—it’s clear that all areas need to be responsible for remediation.

From unifying teams to securing stakeholder involvement, communication across all levels is fundamental to achieving operational resilience. It’s not the task of one person or team; it’s the responsibility of every employee to ensure the organisation is resilient.

Assess the structure of your business

Understanding how organisational structure affects resilience is a critical element of future-proofing operations.

Which workflows interact with one another, and where? Could a process be updated to allow for more efficient remediation during an incident? Are the right departments connected to keep products or services available to your customers? Have you documented and understood the investments required to drive greater resilience in the organisation?

While changing the structure of a business is far from simple, it’s a vital step in improving operational resilience. And you don’t have to go it alone. Third parties can help provide a different lens and offer counsel for enhancements.

Find out how ServiceNow can help your organisation unlock opportunities through operational resilience.