As the deadline for Operational Resilience compliance approaches, firms are tasked with ensuring that their project governance processes align with board expectations and that they remain adaptable to the changing business landscape. A well-structured project governance process not only helps to deliver key Operational Resilience outcomes but also provides the necessary assurance that these outcomes are sustainable in the long term.

This article is the second in the ICSR Operational Resilience Assurance Week series (follow the conversation on LinkedIn at #ICSROpResAssuranceWeek). It explores the role of project governance in Operational Resilience, focusing on how assurance processes support the successful delivery of actions and deliverables. It also examines how effective governance enables firms to adapt to external changes, such as evolving market conditions or shifts in business models, without compromising resilience goals.

The Role Of Project Governance In Operational Resilience

Project governance is central to the successful implementation of Operational Resilience frameworks. It sets the strategic direction, establishes accountability, and provides oversight to ensure that projects are delivered on time, within scope, and to the required standard. But governance in this context is not just about project management — it is about providing assurance that the decisions and actions being taken will achieve the required resilience outcomes.

Why Project Governance Matters In Operational Resilience

Operational Resilience projects are complex, often involving multiple stakeholders across different functions and departments. A strong governance structure ensures that these stakeholders are aligned, that risks are identified and managed, and that decision-making is both transparent and efficient.

The governance process provides the framework within which assurance activities are conducted, ensuring that resilience objectives are consistently reviewed, tested, and adjusted as necessary. Without effective governance, there is a risk that key deliverables may not be achieved, or that projects may fail to adapt to changes in the external environment, leaving your firm exposed to operational disruptions.

Assurance As A Core Component Of Project Governance

Assurance is essential to project governance because it provides the board and senior management with confidence that resilience projects are on track to meet their objectives. Through regular assurance reviews, governance bodies can ensure that:

  • The project remains aligned with regulatory expectations.
  • Deliverables are being met according to the agreed timeline.
  • Risks are being effectively managed and mitigated.
  • The project can adapt to changes in the external environment without compromising resilience.

Assurance also plays a crucial role in verifying that a structured and appropriate decision-making process has been followed throughout an Operational Resilience initiative. It ensures that key decisions—whether related to identifying Important Business Services (IBS), setting Impact Tolerances, or addressing vulnerabilities—are based on sound analysis, clear evidence, and a thorough assessment of risks. Assurance activities scrutinise the steps taken during the project, ensuring that all decisions align with regulatory requirements, business objectives, and Operational Resilience goals.

By providing an independent review, assurance ensures that decisions were made through a formal governance process, with the right stakeholders involved at the right stages. This helps confirm that decisions are transparent, justifiable, and well-documented, reducing the risk of oversight or bias, and ultimately leading to better resilience outcomes.

Reviewing Project Deliverables And Actions

One of the key aspects of assurance in project governance is the review of project deliverables and actions. This ensures that the outputs of the project are not only completed but are also aligned with your firm’s resilience objectives and regulatory requirements.

Tracking And Reviewing Deliverables

At the heart of any Operational Resilience project are the deliverables — the specific outcomes that must be achieved to demonstrate compliance with regulatory expectations. These deliverables typically include the identification of Important Business Services (IBS), the setting and testing of Impact Tolerances, the development of resilience frameworks, and the implementation of stress testing and scenario analysis.

Governance structures should include regular reviews of these deliverables to ensure that they are progressing according to plan. Assurance activities, such as independent audits and progress reviews, provide transparency around the status of these deliverables, ensuring that any potential delays or issues are identified early.

Key deliverables that should be reviewed through the assurance process include:

  1. Identification of IBS: Ensuring that your firm has correctly identified the services that are critical to its operations and to its customers.
  2. Setting Impact Tolerances: Reviewing whether your firm’s Impact Tolerances reflect realistic thresholds for operational disruptions.
  3. Scenario Testing: Assessing the effectiveness of resilience tests and ensuring that the results are used to inform future planning.
  4. Vulnerability Remediation: Ensuring that vulnerabilities jeopardising your firm’s ability to remain within tolerance have been identified and adequately mitigated.

Adapting Deliverables To Changing Requirements

The external environment in which firms operate is constantly changing. Shifts in market conditions, changes in your firm’s business model, or new regulatory guidance can all impact the scope and objectives of Operational Resilience projects.

A key function of project governance is to ensure that deliverables are adapted as necessary to reflect these changes. Assurance processes play a critical role in this, providing an independent review of how well the project has responded to external changes. This includes:

  • Reviewing how effectively your firm has adapted its Impact Tolerances to changes in its business model or risk profile.
  • Assessing whether changes to project deliverables have been communicated effectively to all relevant stakeholders.
  • Evaluating whether resilience frameworks have been adjusted to reflect new regulatory guidance or evolving threats.

Assurance reviews provide governance bodies with the confidence that changes have been managed in a way that supports your firm’s resilience objectives, rather than undermining them.

Governance And Adaptation To External Changes

One of the biggest challenges in Operational Resilience projects is the need to adapt to external changes, such as evolving regulatory expectations, technological advancements, or shifts in customer behaviour. Governance processes must be flexible enough to accommodate these changes without derailing the project.

Adapting To Market And Business Model Changes

Operational Resilience projects must also be able to adapt to changes in the external market or your firm’s own business model. For example, a firm that introduces new digital services or expands into new markets may need to reassess its resilience framework to account for new risks or dependencies.

Governance bodies should ensure that the project has processes in place to regularly review and update resilience frameworks as the business evolves. This might include revisiting the identification of IBSs to ensure they remain relevant, or conducting new stress tests to account for changes in your firm’s risk profile.

Assurance processes help governance bodies to evaluate how effectively the project has adapted to these changes, providing confidence that your firm’s resilience objectives remain achievable in a dynamic environment.

Responding To Regulatory Changes

Firms must remain vigilant to any changes in regulatory guidance. For example, updates to the FCA, PRA, or Bank of England requirements may necessitate adjustments to resilience frameworks or the timing of deliverables.

Governance structures must include mechanisms for monitoring regulatory developments and assessing their impact on the project. Assurance processes are essential here, as they provide a formal review of how well the project has responded to new requirements. This may include:

  • Updating resilience frameworks to align with new regulatory guidance.
  • Revisiting previously set Impact Tolerances to ensure they remain appropriate.
  • Conducting additional stress tests to reflect updated risk scenarios.

Key Assurance Activities Within Project Governance

Several assurance activities are critical to the success of governance processes within Operational Resilience projects. These activities provide the independent validation that governance bodies need to ensure that the project remains on track and aligned with your firm’s objectives.

Regular Audits And Independent Reviews

Independent audits and reviews are an essential component of assurance in Operational Resilience projects. These reviews provide an objective assessment of the project’s progress, highlighting any gaps or risks that may need to be addressed.

Governance bodies should ensure that independent reviews are conducted regularly throughout the project lifecycle, particularly at key milestones or before significant regulatory deadlines. These reviews should focus on:

  • The completion of key deliverables, such as the identification of IBS and the setting of Impact Tolerances.
  • The effectiveness of resilience testing and the use of test results to inform future planning.
  • The project’s ability to adapt to external changes, such as regulatory updates or market shifts.

Risk Management And Mitigation

Risk management is a key function of project governance, and assurance processes play a critical role in ensuring that risks are effectively identified, managed, and mitigated. Governance bodies should ensure that the project includes regular risk assessments and that assurance activities are used to validate the effectiveness of risk management processes.

This might include reviewing your firm’s third-party dependencies, assessing the adequacy of contingency plans, or evaluating the effectiveness of risk mitigation strategies for critical business services.

Project Governance Processes: What Should You Consider?

As firms approach the Operational Resilience deadline, they should regularly evaluate their project governance processes to ensure that assurance activities are being used effectively to support resilience objectives. The following questions can help firms assess the effectiveness of their project governance and assurance frameworks:

  1. Is our decision-making process sound?
    Do we have clarity around roles and responsibilities when it comes to decision-making? Do we have sufficient evidence around the key decisions that have been made, who made them, and what information was provided to support each decision?
  2. Are we tracking project progress against clear deliverables and milestones?
    Do we have transparent processes in place to monitor the completion of key deliverables, from the identification of IBS to the closure of vulnerabilities?
  3. How does our governance structure adapt to unforeseen changes?
    Are we confident that our governance framework is flexible enough to respond to external changes, such as shifts in our business model or new regulatory requirements?
  4. How effectively are we integrating assurance into our governance reviews?
    Are we using independent assurance activities, such as audits and reviews, to validate the effectiveness of our resilience projects and provide transparency to the board and senior management?
  5. Are we confident that our project is on track to meet the March 2025 deadline for the end of the transition period?
    Are we regularly reviewing our progress against regulatory requirements, and are we confident that we will achieve full compliance by the deadline?
  6. How are we managing risks and issues within the project?
    Are we conducting regular risk assessments, and do we have adequate risk mitigation strategies in place to address any vulnerabilities identified through assurance activities?
  7. Are our deliverables still in line with business objectives?
    Are the decisions we have made (IBS identification, Impact Tolerances, scenarios used in testing etc.) still valid and do they reflect any changes that may have happened in key assumptions since the beginning of the project?

Conclusion

Effective project governance is critical to the successful delivery of Operational Resilience frameworks, particularly as firms work toward the March 2025 regulatory deadline. By embedding assurance into the governance process, firms can ensure that they remain on track to achieve their resilience objectives, even in the face of external changes.

Governance bodies play a central role in overseeing the progress of resilience projects, ensuring that deliverables are met, risks are managed, and the project remains aligned with both regulatory expectations and business objectives. Assurance processes, such as independent reviews, risk assessments, and audits, provide the transparency and validation needed to give stakeholders confidence in your firm’s resilience efforts.

Ultimately, strong governance and assurance processes enable firms to build a culture of continuous improvement, ensuring that their Operational Resilience frameworks remain robust, adaptable, and sustainable well beyond March 2025.

If you would like to discuss how ICSR can leverage its extensive knowledge and experience to bolster your firm’s confidence in its ability to evidence compliance with Operational Resilience regulation, please do speak with either of the authors or your usual ICSR contact.

Tomorrow we will be covering the approach to the identification of Important Business Services, Impact Tolerances and Stress Testing including the creation of your Operational Resilience framework.

Talking Operational Resilience

Kenneth Underhill talks about the project governance process and how to approach an Assurance review in this short video.
