Operational resilience goes beyond traditional business continuity or disaster recovery. While business continuity focuses on reacting to disruptions and restoring services, operational resilience emphasises anticipation, adaptation, response, recovery and learning. It demands an understanding of how services are delivered, what dependencies they have, and how disruptions affect customers and markets.
In the UK financial sector, firms in scope of the Financial Conduct Authority’s rules were required to identify their important business services, set impact tolerances and test their ability to remain within those tolerances by March 2025. These requirements reflect an expectation that firms will demonstrate their resilience with concrete evidence rather than assumptions.
This regulatory approach aligns with the Bank of England’s macroprudential perspective. In its analysis on operational resilience, the Bank highlights that timely access to accurate and trustworthy data is critical to preventing, detecting and recovering from operational incidents that could threaten financial stability. Loss of data integrity or access, the Bank notes, can not only prolong recovery but also amplify the impact of a disruption across interconnected firms.
Many organisations build resilience plans that look robust on paper yet do not reflect the realities of how systems, people and processes behave under stress. The danger of this approach is that it creates confidence without evidence.
Data backup is a foundational part of operational resilience. Yet reporting on UK organisations’ backup practices paints a concerning picture. A recent analysis found that a third of organisations do not back up all sensitive data, while nearly half fail to secure all workloads consistently. Fewer than half follow the widely recommended 3-2-1 backup rule, where organisations maintain three copies of data on two types of media, with one copy held off-site.
Without immutable or tamper-proof backups, the ability to recover data after an incident is far from assured. Assumptions about recovery time and capability therefore become fragile and untested.
Resilience planning often centres on hypothetical scenarios built around broad threats such as cyber attacks or system outages. While scenario planning has value, ignoring actual incident data means overlooking how services and teams have performed in real events.
Historical incident data highlights where systems fail, how long recovery took, which dependencies were overlooked and how people reacted under pressure. Without this evidence, resilience exercises risk being disconnected from lived experience.
Recent high-profile outages in the UK financial sector illustrate this disconnect. Major banks have suffered repeated system failures in recent years, with some institutions experiencing more than thirty separate incidents over a two-year period. These outages have not only disrupted customers but also placed sustained pressure on incident response teams and attracted regulatory scrutiny.
Scenario testing becomes significantly more valuable when it starts from a baseline of real data. Organisations that incorporate incident trends into their resilience metrics are better positioned to measure progress, assess remediation actions and challenge assumptions about recovery capability.
Regulators are increasingly emphasising data quality, consistency and comparability as part of resilience regimes. For example, the Bank of England’s consultations on operational incident and third-party reporting propose requirements designed to standardise how firms report incidents and material third-party arrangements.
This is not about creating additional red tape. It reflects the need for robust, reliable data to help both firms and supervisors understand vulnerabilities more effectively and identify risks that could have systemic implications.
These reporting requirements underline why resilience without data is insufficient. Regulators expect clear, standardised and high-quality information that demonstrates how firms experience, manage and recover from operational events and third-party disruptions.
Good governance requires more than assurance statements. Boards and executives need data that supports effective decision-making. This includes metrics on scenario testing outcomes, incident recurrence, dependency mapping, third-party risk and recovery performance.
When risk reporting relies primarily on high-level narrative with limited measurable indicators, governance becomes superficial. Resilience claims risk being repeated without being tested.
By contrast, a data-driven resilience programme enables leaders to ask the right questions, prioritise investment based on evidence and challenge complacency. It also creates a clear line of sight between regulatory expectations, operational performance and continuous improvement.
To move beyond storytelling, organisations must treat data as a strategic asset within resilience planning rather than as a reporting obligation. This requires investment in systems and processes that capture accurate data on service dependencies, incidents, testing and recovery actions.
That data should be analysed and reflected in resilience dashboards that show actual performance rather than idealised outcomes. Data-driven resilience does not eliminate risk, but it does reduce uncertainty, expose hidden weaknesses and ensure organisations have a grounded understanding of how they operate when disruption occurs.
In a world of increasing complexity, interconnected services and evolving threats, resilience built on data is no longer optional. It is the foundation that enables organisations to navigate disruption with confidence and protect the people and services that depend on them.
AJC supports organisations in moving from narrative-led resilience frameworks to evidence-based, regulator-ready programmes. We work with firms across financial services and beyond to embed data at the heart of operational resilience.
Our support includes:
By grounding resilience in accurate, trusted data, we help organisations demonstrate compliance, strengthen governance and build genuine operational resilience that stands up under scrutiny.
Contact us on 020 7101 4861 or email us at info@ajollyconsulting.co.uk if you think we can help.
Sources:
https://www.fca.org.uk/firms/operational-resilience
https://www.fca.org.uk/firms/operational-resilience/insights-observations
Image accreditation: Mohamed Nohassi (February 2025) from Unsplash.com+. Last accessed on 19th January 2026. Available at: https://unsplash.com/photos/a-room-filled-with-lots-of-monitors-and-lights-A4asLqmwmmc