What is operational resilience and how does it differ from traditional operational risk management?
For FRM Part II, the curriculum now includes operational resilience as a separate concept from operational risk. I thought they were the same thing — managing the risk of operational failures. How is resilience different, and what framework do regulators expect banks to follow?
Operational resilience is a paradigm shift from traditional operational risk management. While operational risk focuses on preventing failures and measuring losses, operational resilience assumes failures will happen and focuses on the organization's ability to continue delivering critical services through disruption.
The Key Difference
| Aspect | Operational Risk Management | Operational Resilience |
|---|---|---|
| Mindset | Prevent failures | Prepare for failures |
| Focus | Internal processes and controls | End-to-end service delivery |
| Metric | Loss data, risk indicators | Impact tolerances |
| Scope | Within the bank | Includes third parties and supply chains |
| Question | "What can go wrong?" | "Can we keep serving customers when things go wrong?" |
The Regulatory Framework
Post-pandemic, regulators globally have formalized operational resilience requirements:
Step 1: Identify Important Business Services (IBS)
These are services whose disruption would cause harm to consumers, market integrity, or financial stability. For Oakmont Federal Bank, examples might include:
- Retail payments processing
- Mortgage servicing
- Treasury settlement
- Fraud detection and response
Step 2: Set Impact Tolerances
For each IBS, the board sets the maximum tolerable duration and degree of disruption:
- Retail payments: Maximum 4-hour outage
- Mortgage servicing: Maximum 24-hour outage
- Treasury settlement: Maximum 2-hour outage
- Fraud detection: Zero tolerance (must always be operational)
Step 3: Map Dependencies
For each IBS, map every dependency: technology systems, data centers, third-party providers, key personnel, physical locations. This reveals single points of failure.
Step 4: Scenario Testing
Test severe but plausible scenarios against each IBS:
- Primary data center destroyed
- Key cloud provider outage for 72 hours
- Ransomware encrypts all internal systems
- Critical vendor becomes insolvent overnight
- Pandemic forces 100% remote operation
Practical Example:
Oakmont's retail payments service depends on:
- Core banking system (hosted on-premises)
- SWIFT gateway (third-party managed)
- Payment fraud engine (cloud-based SaaS)
Scenario test: Cloud provider experiences a 48-hour outage. The fraud engine is down. Can Oakmont process payments within its 4-hour impact tolerance without the fraud engine? If not, what fallback exists? (Manual fraud screening? Secondary provider?)
Exam Tip: The FRM may test the difference between operational risk (backward-looking, loss-focused) and operational resilience (forward-looking, service-continuity-focused). Also know that impact tolerances are set by the board, not by the risk function.
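The scenario test from the Practical Example can be run mechanically once the dependency map exists. The following is an added example, not part of the original answer: the dependency names, hosting and 4-hour tolerance come from the answer, while the hosting labels, the rule that every mapped dependency is required, and the 2-hour manual-screening fallback are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Dependency:
    name: str
    hosting: str                            # "on_prem", "third_party" or "cloud"
    fallback_hours: Optional[float] = None  # time to activate a fallback; None = none exists

@dataclass
class Service:
    name: str
    tolerance_hours: float                  # board-set impact tolerance
    dependencies: list

def downtime_hours(service, hit_hosting, outage_hours):
    """Disruption to the service when everything on `hit_hosting` is down.
    Assumption: every mapped dependency is required, so the worst one governs."""
    worst = 0.0
    for dep in service.dependencies:
        if dep.hosting != hit_hosting:
            continue
        # A fallback caps the disruption at the time needed to switch over.
        hours = outage_hours if dep.fallback_hours is None else min(dep.fallback_hours, outage_hours)
        worst = max(worst, hours)
    return worst

def breaches_tolerance(service, hit_hosting, outage_hours):
    return downtime_hours(service, hit_hosting, outage_hours) > service.tolerance_hours

def single_points_of_failure(service):
    """Dependencies with no fallback: any outage of these hits the service in full."""
    return [d.name for d in service.dependencies if d.fallback_hours is None]

def retail_payments(fraud_fallback_hours=None):
    # Dependency map and 4-hour tolerance from the answer; fallback time is constructed.
    return Service("Retail payments", 4, [
        Dependency("Core banking system", "on_prem"),
        Dependency("SWIFT gateway", "third_party"),
        Dependency("Payment fraud engine", "cloud", fraud_fallback_hours),
    ])

if __name__ == "__main__":
    for label, svc in [("no fallback", retail_payments()),
                       ("manual screening in 2h", retail_payments(2))]:
        hours = downtime_hours(svc, "cloud", 48)
        verdict = "BREACH" if breaches_tolerance(svc, "cloud", 48) else "within tolerance"
        print(f"{label}: {hours}h disruption vs {svc.tolerance_hours}h tolerance -> {verdict}")
```

Running the same functions over every IBS and every scenario in Step 4 gives the list of tolerance breaches that remediation has to close.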