As the deadline for Operational Resilience compliance approaches, firms are tasked with ensuring that their project governance processes align with board expectations and that they remain adaptable to the changing business landscape. A well-structured project governance process not only helps to deliver key Operational Resilience outcomes but also provides the necessary assurance that these outcomes are sustainable in the long term.
This article is the second of the ICSR Operational Resilience Assurance Week’s series (Follow the conversation on LinkedIn at: #ICSROpResAssuranceWeek) and explores the role of project governance in Operational Resilience, particularly focusing on how assurance processes support the successful delivery of actions and deliverables. It will also examine how effective governance enables firms to adapt to external changes, such as evolving market conditions or shifts in business models, without compromising resilience goals.
The Role Of Project Governance In Operational Resilience
Project governance is central to the successful implementation of Operational Resilience frameworks. It sets the strategic direction, establishes accountability, and provides oversight to ensure that projects are delivered on time, within scope, and to the required standard. But governance in this context is not just about project management — it is about providing assurance that the decisions and actions being taken will achieve the required resilience outcomes.
Why Project Governance Matters In Operational Resilience
Operational Resilience projects are complex, often involving multiple stakeholders across different functions and departments. A strong governance structure ensures that these stakeholders are aligned, that risks are identified and managed, and that decision-making is both transparent and efficient.
The governance process provides the framework within which assurance activities are conducted, ensuring that resilience objectives are consistently reviewed, tested, and adjusted as necessary. Without effective governance, there is a risk that key deliverables may not be achieved, or that projects may fail to adapt to changes in the external environment, leaving your firm exposed to operational disruptions.
Assurance As A Core Component Of Project Governance
Assurance is essential to project governance because it provides the board and senior management with confidence that resilience projects are on track to meet their objectives. Through regular assurance reviews, governance bodies can ensure that:
- The project remains aligned with regulatory expectations.
- Deliverables are being met according to the agreed timeline.
- Risks are being effectively managed and mitigated.
- The project can adapt to changes in the external environment without compromising resilience.
Assurance also plays a crucial role in verifying that a structured and appropriate decision-making process has been followed throughout an Operational Resilience initiative. It ensures that key decisions—whether related to identifying Important Business Services (IBS), setting Impact Tolerances, or addressing vulnerabilities—are based on sound analysis, clear evidence, and a thorough assessment of risks. Assurance activities scrutinise the steps taken during the project, ensuring that all decisions align with regulatory requirements, business objectives, and Operational Resilience goals.
By providing an independent review, assurance ensures that decisions were made through a formal governance process, with the right stakeholders involved at the right stages. This helps confirm that decisions are transparent, justifiable, and well-documented, reducing the risk of oversight or bias, and ultimately leading to better resilience outcomes.
Reviewing Project Deliverables And Actions
One of the key aspects of assurance in project governance is the review of project deliverables and actions. This ensures that the outputs of the project are not only completed but are also aligned with your firm’s resilience objectives and regulatory requirements.
Tracking And Reviewing Deliverables
At the heart of any Operational Resilience project are the deliverables — the specific outcomes that must be achieved to demonstrate compliance with regulatory expectations. These deliverables typically include the identification of Important Business Services (IBS), the setting and testing of Impact Tolerances, the development of resilience frameworks, and the implementation of stress testing and scenario analysis.
Governance structures should include regular reviews of these deliverables to ensure that they are progressing according to plan. Assurance activities, such as independent audits and progress reviews, provide transparency around the status of these deliverables, ensuring that any potential delays or issues are identified early.
Key deliverables that should be reviewed through the assurance process include:
- Identification of IBS: Ensuring that your firm has correctly identified the services that are critical to its operations and to its customers.
- Setting Impact Tolerances: Reviewing whether your firm’s Impact Tolerances reflect realistic thresholds for operational disruptions.
- Scenario Testing: Assessing the effectiveness of resilience tests and ensuring that the results are used to inform future planning.
- Vulnerability Remediation: Ensuring that vulnerabilities jeopardising your firm’s ability to remain within tolerance have been identified and adequately mitigated.
Adapting Deliverables To Changing Requirements
The external environment in which firms operate is constantly changing. Shifts in market conditions, changes in your firm’s business model, or new regulatory guidance can all impact the scope and objectives of Operational Resilience projects.
A key function of project governance is to ensure that deliverables are adapted as necessary to reflect these changes. Assurance processes play a critical role in this, providing an independent review of how well the project has responded to external changes. This includes:
- Reviewing how effectively your firm has adapted its Impact Tolerances to changes in its business model or risk profile.
- Assessing whether changes to project deliverables have been communicated effectively to all relevant stakeholders.
- Evaluating whether resilience frameworks have been adjusted to reflect new regulatory guidance or evolving threats.
Assurance reviews provide governance bodies with the confidence that changes have been managed in a way that supports your firm’s resilience objectives, rather than undermining them.
Governance And Adaptation To External Changes
One of the biggest challenges in Operational Resilience projects is the need to adapt to external changes, such as evolving regulatory expectations, technological advancements, or shifts in customer behaviour. Governance processes must be flexible enough to accommodate these changes without derailing the project.
Adapting To Market And Business Model Changes
Operational Resilience projects must also be able to adapt to changes in the external market or your firm’s own business model. For example, a firm that introduces new digital services or expands into new markets may need to reassess its resilience framework to account for new risks or dependencies.
Governance bodies should ensure that the project has processes in place to regularly review and update resilience frameworks as the business evolves. This might include revisiting the identification of IBSs to ensure they remain relevant, or conducting new stress tests to account for changes in your firm’s risk profile.
Assurance processes help governance bodies to evaluate how effectively the project has adapted to these changes, providing confidence that your firm’s resilience objectives remain achievable in a dynamic environment.
Responding To Regulatory Changes
Firms must remain vigilant to any changes in regulatory guidance. For example, updates to the FCA, PRA, or Bank of England requirements may necessitate adjustments to resilience frameworks or the timing of deliverables.
Governance structures must include mechanisms for monitoring regulatory developments and assessing their impact on the project. Assurance processes are essential here, as they provide a formal review of how well the project has responded to new requirements. This may include:
- Updating resilience frameworks to align with new regulatory guidance.
- Revisiting previously set Impact Tolerances to ensure they remain appropriate.
- Conducting additional stress tests to reflect updated risk scenarios.
Key Assurance Activities Within Project Governance
Several assurance activities are critical to the success of governance processes within Operational Resilience projects. These activities provide the independent validation that governance bodies need to ensure that the project remains on track and aligned with your firm’s objectives.
Regular Audits And Independent Reviews
Independent audits and reviews are an essential component of assurance in Operational Resilience projects. These reviews provide an objective assessment of the project’s progress, highlighting any gaps or risks that may need to be addressed.
Governance bodies should ensure that independent reviews are conducted regularly throughout the project lifecycle, particularly at key milestones or before significant regulatory deadlines. These reviews should focus on:
- The completion of key deliverables, such as the identification of IBS and the setting of Impact Tolerances.
- The effectiveness of resilience testing and the use of test results to inform future planning.
- The project’s ability to adapt to external changes, such as regulatory updates or market shifts.
Risk Management And Mitigation
Risk management is a key function of project governance, and assurance processes play a critical role in ensuring that risks are effectively identified, managed, and mitigated. Governance bodies should ensure that the project includes regular risk assessments and that assurance activities are used to validate the effectiveness of risk management processes.
This might include reviewing your firm’s third-party dependencies, assessing the adequacy of contingency plans, or evaluating the effectiveness of risk mitigation strategies for critical business services.
Project Governance Processes: What Should You Consider?
As firms approach the Operational Resilience deadline, they should regularly evaluate their project governance processes to ensure that assurance activities are being used effectively to support resilience objectives. The following questions can help firms assess the effectiveness of their project governance and assurance frameworks:
- Is our decision making process sound?
Do we have clarity around roles and responsibilities when it comes to decision making? Do we have sufficient evidence around the key decisions that have been made, who made them and what information was provided to support the decision?
- Are we tracking project progress against clear deliverables and milestones?
Do we have transparent processes in place to monitor the completion of key deliverables, from the identification of IBS to the closure of vulnerabilities?
- How does our governance structure adapt to unforeseen changes?
Are we confident that our governance framework is flexible enough to respond to external changes, such as shifts in our business model or new regulatory requirements?
- How effectively are we integrating assurance into our governance reviews?
Are we using independent assurance activities, such as audits and reviews, to validate the effectiveness of our resilience projects and provide transparency to the board and senior management?
- Are we confident that our project is on track to meet the March 2025 deadline for the end of the transition period?
Are we regularly reviewing our progress against regulatory requirements, and are we confident that we will achieve full compliance by the deadline?
- How are we managing risks and issues within the project?
Are we conducting regular risk assessments, and do we have adequate risk mitigation strategies in place to address any vulnerabilities identified through assurance activities?
- Are our deliverables still in line with business objectives?
Are the decisions we have made (IBS identification, Impact Tolerances, scenarios used in testing etc.) still valid and do they reflect any changes that may have happened in key assumptions since the beginning of the project?
Conclusion
Effective project governance is critical to the successful delivery of Operational Resilience frameworks, particularly as firms work toward the March 2025 regulatory deadline. By embedding assurance into the governance process, firms can ensure that they remain on track to achieve their resilience objectives, even in the face of external changes.
Governance bodies play a central role in overseeing the progress of resilience projects, ensuring that deliverables are met, risks are managed, and the project remains aligned with both regulatory expectations and business objectives. Assurance processes, such as independent reviews, risk assessments, and audits, provide the transparency and validation needed to give stakeholders confidence in your firm’s resilience efforts.
Ultimately, strong governance and assurance processes enable firms to build a culture of continuous improvement, ensuring that their Operational Resilience frameworks remain robust, adaptable, and sustainable well beyond March 2025.
If you would like to discuss how ICSR can leverage its extensive knowledge and experience to bolster your firm’s confidence in its ability to evidence compliance with Operational Resilience regulation, please speak with either of the authors or your usual ICSR contact.
Tomorrow we will be covering the approach to the identification of Important Business Services, Impact Tolerances and Stress Testing including the creation of your Operational Resilience framework.