Operational Resilience

The Central Bank considers operational resilience to be the ability of a firm, and the financial services sector as a whole, to identify and prepare for, respond and adapt to, recover and learn from an operational disruption.  

An operationally resilient firm is able to recover its critical or important business services from a significant unplanned disruption, while minimising impact and protecting its customers and the integrity of the financial system.

The first step in becoming operationally resilient is accepting that disruptive events will occur, and that these events will need to be managed effectively.

Cross Industry Guidance on Operational Resilience

The Central Bank published the Cross Industry Guidance on Operational Resilience in December 2021 following consultation where responses were received from a wide number of industry bodies and regulated entities. The objective of this Guidance is to communicate to industry how to prepare for, respond to, recover and learn from an operational disruption that affects the delivery of critical or important business services.

The Central Bank has updated and republished this guidance in July 2025 to include minor updates ensuring alignment with the Digital Operational Resilience Regulation and Directive (DORA) which sets minimum standards of Digital Operational Resilience in Financial Entities, further complemented by this guidance. At the same time, to ensure regulatory simplification and clarity, the Central Bank has withdrawn its September 2016 Cross Industry Guidance in respect of Information Technology and Cybersecurity Risk Management. The Central Bank recognises that DORA now provides clarity on a harmonised good practice minimum standard on these topics which is relevant for all participants in the financial system,

The Guidance aims to enhance operational resilience and recognise the interconnections and interdependencies, within the financial system, that result from the complex and dynamic environment in which firms operate.

More specifically, the purpose of the Guidance is to:

  • Communicate to the boards and senior management of Regulated Financial Service Providers (RFSPs), the Central Bank’s expectations with respect to the design and management of operational resilience;
  • Emphasise board and senior management responsibilities when considering operational resilience as part of their risk management and investment decisions; and
  • Require that the boards and senior management take appropriate action to ensure that their operational resilience frameworks are well designed, are operating effectively, and are sufficiently robust. This should ensure that the risks to the firm’s operational continuity do not transmit into the financial markets and that the interests of the customers and market participants are safeguarded during business disruptions.
Cross Industry Guidance on Operational Resilience | pdf 735 KB

Three Pillar of Operational Resilience

The Cross Industry Guidance on Operational Resilience is built around three pillars of Operational Resilience:

  • Identify and Prepare
  • Respond and Adapt
  • Recover and Learn

These three pillars support a holistic approach to the management of operational resilience and related risks and create a feedback loop that fosters the perpetual embedding of lessons learned into a firm’s preparation for operational disruptions.

Three Pillars of Operational Resilience

3 Pillar Diagram

Governance 

  • Guideline 1: The Board has ultimate responsibility for the Operational Resilience of a firm.
  • Guideline 2: The Operational Resilience Framework should be embedded within a firm’s overall Governance and Risk Management Frameworks.

Identification of Critical or Important Business Service

  • Guideline 3: The Board reviews and approves the criteria for critical or important business.
  • Guideline 4: A firm should identify its critical or important business services.

Impact Tolerances

  • Guideline 5: Impact tolerances should be approved for each critical or important business service.
  • Guideline 6: A firm should develop clear impact tolerance metrics.

Mapping of Interconnections and Interdependencies

  • Guideline 7: A firm should understand and map out how its critical or important business services are delivered.
  • Guideline 8: A firm should capture third party dependencies in the mapping of critical or important business services.

ICT Resilience

  • Guideline 9: A firm should have ICT Resilience strategies that are aligned to the operational resilience of its critical or important business services.

Scenario Testing

  • Guideline 10: A firm should document and test its ability to remain within impact tolerances through severe but plausible scenarios.

Business Continuity Management

  • Guideline 11:  Business Continuity Management should be fully integrated into the overarching Operational Resilience Framework and linked to a firm's risk appetite.

Incident Management

  • Guideline 12: The Incident Management Strategy should be fully integrated into the overarching Operational Resilience Framework.

Communication Plans

  • Guideline 13: Internal and External Crisis Communication plans should be fully integrated into the overarching Operational Resilience Framework.

Lessons Learned Exercise and Continuous Improvement

  • Guideline 14: A lessons learned exercise should be conducted after a disruption to a critical or important business service to enhance a firm’s capabilities to adapt and respond to future operational events.
  • Guideline 15: Firm should promote an effective culture of learning and continuous improvement as operational resilience evolves.
For further information, please contact [email protected].