Growing global momentum behind operational resilience as over 70% of organizations establish programmes
The BCI is proud to present the Operational Resilience Report 2025, sponsored by Riskonnect. This anticipated publication comes at a defining moment, as major regulatory frameworks including the EU’s Digital Operational Resilience Act (DORA), the UK’s FCA/PRA/Bank of England requirements, and the forthcoming APRA CPS 230 have transformed the way organizations approach resilience.
As organizations prepare to deal with increasingly numerous and complex threats, this report provides critical insights into operational resilience practices over the past 12 months. Drawing on original survey data, it delivers insights and analysis to help professionals assess and enhance their operational resilience.
Progress over the past 12 months
Research indicates a continued upward trend in the number of organizations with an operational resilience programme, reaching a record high of over 70%. Moreover, an extra 10% of organizations are in the process of developing one. While adherence to best practice is the most common driver for a programme, regulatory compliance ranks a close second. Encouragingly, growth is also evident among organizations not currently subject to regulation, underscoring the broadening recognition of operational resilience as an organizational priority.
The perennial issue of defining operational resilience continues, but this year, there is growing consensus on key activities needed for an effective operational resilience programme. Identifying critical business services and suppliers and establishing impact tolerances emerged as the most essential practices for building resilience.
Organizations also report merging their resilience efforts with areas like business continuity, risk management, and supply chain oversight, which were previously handled separately. Operational resilience is now addressed in dedicated committee meetings, held quarterly or more frequently, reflecting a more unified approach that recognises resilience as a shared responsibility across the organization.
In leadership, Chief Executive Officers (CEOs) and Chief Operating Officers (COOs) are most often responsible for operational resilience, consistent with last year's findings. However, day-to-day activities are managed by dedicated resilience roles. The Business Continuity Manager typically oversees programme maintenance, while roles such as Head of Resilience and Operational Resilience Manager are gaining prominence. The rise in specialised resilience positions is a growing trend in recent years.
The Influence of regulations
Despite the overall feeling that new regulations have strengthened the financial sector. Practitioners have struggled with achieving compliance. Most organizations reported being only partially compliant to the EU’s DORA regulations and nearly half of respondents feel that regulators have not provided them with sufficient support. Key issues include the lack of concrete examples for implementing effective resilience programmes and guidance over challenges related to third-party dependencies.
Competing sets of requirements and continued compliance challenges have also posed difficulties. Some practitioners must now align with more than five legal frameworks simultaneously and, although confidence in mapping and testing critical operations has improved compared to last year, this progress has not been matched by a corresponding increase in investment. This worrying development suggests that now main regulation deadlines have passed, or are due to very soon, management has changed its resource allocation priorities. Has Operational resilience become a tick box exercise?
Challenges over the past 12 months
While regulations have occupied practitioners over the past year, a trend that will continue as new rules and phases are implemented, other key concerns have presented hurdles. A shortage of dedicated resources to implement an effective resilience programme, difficulties in embedding resilience across various business functions, ensuring supplier compliance, and dealing with the challenges of outdated legacy infrastructure have all created ongoing challenges to the sector.
Maria Garcia, Thought Leadership Manager at the BCI, said “data shows that resilience is no longer just a compliance exercise, but a strategic imperative. As awareness of the importance of operational resilience practices grows, the role of resilience professionals evolves and cross-functional collaboration becomes the norm, we’re seeing the emergence of a more integrated, proactive approach to resilience.”
"Riskonnect is proud to sponsor The 2025 BCI’s Operational Resilience Report. This comprehensive report offers critical research and insights, demonstrating that operational resilience has transitioned from aspiration to actionable strategy. The core message emphasizes that businesses must be resilient not only to protect their operations but also to safeguard their customers and the broader market. It is encouraging to observe that resilience efforts are increasingly driven by best practices rather than mere compliance. We invite you to delve into the findings and consider where your own operational resilience journey stands. We trust you will find the insights as valuable as we do."
John Verdi, Senior Director, Professional Services, Riskonnect.
Download the Report
More on
