Setting the scene
Defining resilience
While resilience is addressed across a range of legislative and regulatory instruments, these requirements often apply narrowly to distinct aspects of an organisation’s broader resilience posture, for example:
- Internal or external facing services
- Single point-of-failure or end-to-end service delivery
- ICT-dependent services or non-ICT-dependent services
To remain resilient in the face of more complex, interconnected and technology-dependent operating models, organisations need to ensure that their broader resilience frameworks are sufficiently sophisticated and all-encompassing to minimise disruption and cost, protect the best interests of clients and investors, and ultimately restore normal functions as soon as possible.
A critical, yet frequently overlooked, component of resilience is the continuity of non-ICT-dependent, internal-facing services. These functions, such as governance and oversight (including supervision of third parties), are essential to the day-to-day operation of regulated organisations. Despite being subject to intense regulatory scrutiny, they are often left out of the design and implementation of an organisation’s resilience framework.
The regulatory view of resilience
Resilience remains a top priority for legislators and regulators around the world, including the European Commission and the Central Bank of Ireland (the “Central Bank”). The Central Bank explicitly signalled this focus on resilience in its Regulatory & Supervisory Outlook Report (February 2025), in which it identified ensuring that ‘organisations are resilient to the challenging macro environment’ as its second-highest supervisory priority for 2025/26.
This continued focus follows from the Central Bank’s risk assessment of the global macro environment and what it views as the key risk drivers “that could threaten, should they crystallise, the safety and soundness of regulated entities, the interests of consumers and investors, the effective functioning and integrity of the financial system, or financial stability.” In particular, the Central Bank notes that the severity of this risk arises from:
- The increasing reliance of regulated entities on outsourced service providers
- The growing incidence and sophistication of cyberattacks
- Complex operating environments built on interconnections and dependencies between systems and entities
- The continued digitalisation of services, considering the risks arising from the use of outdated, legacy technology
In designing their resilience frameworks, organisations should first consider the requirements set out in the authorisation legislation that applies to them, for example the UCITS Directive, AIFMD, MiFID II, Basel III or Solvency II. Such legislation typically sets out how the organisation is expected to approach the broader areas of risk management and business continuity management.
In addition, organisations should seek to comply with relevant regulatory requirements and guidance, including but not limited to:
- The Central Bank’s Cross Industry Guidance on Operational Resilience (the “Operational Resilience Guidance”)
- The Central Bank’s Cross Industry Guidance on Outsourcing (the “Outsourcing Guidance”)
- The Digital Operational Resilience Act (“DORA”)
Extract from the Central Bank of Ireland’s Regulatory & Supervisory Outlook Report (February 2025):
Priority 2: Firms are resilient to the challenging macro environment. Firms have sufficient operational and financial resources, adaptability and recoverability, to be resilient and well-prepared in the face of risks in the macro environment, economic and financial market uncertainty and fragile sentiment, particularly given the breakdown in previously stable international relations, protectionism, and other political, technological and environmental developments.
The components of resilience
Under existing legislation and regulations, the broader concept of resilience is frequently disaggregated into discrete components, each addressed in isolation by a different instrument. This fragmented approach risks obscuring the interconnected nature of resilience. Organisations should maintain a continuous focus on the interdependencies that exist across the regulatory landscape governing resilience, recognising that effective oversight requires a holistic, integrated approach.
Our resilience playbook is designed to move beyond the individual components by advancing a holistic resilience framework, one that spans all dimensions of an organisation’s operations and activities, and to support the development of integrated and enduring resilience practices.