Operational Resilience

United States (SR 20-24)

Australia (CPS 230)

Canada (E-21)

UK OpRes

Europe (DORA)

Integrated OpRes Framework & Assurance

Cross-jurisdictional regulatory alignment

In an era marked by compounding systemic shocks, regulatory complexity, and increasing digital interdependence, operational resilience must evolve from a siloed compliance exercise into an integrated, strategic discipline. At T3, we approach Integrated Operational Resilience (IOR) as the connective tissue between risk domains—blending cyber preparedness, third-party oversight, AI risk governance, and capital impact forecasting into a unified framework.

We help firms go beyond box-ticking to full assurance. Our approach builds resilience into the DNA of your critical business services—anchored in regulatory precision, driven by impact tolerance, and designed for boardroom assurance.

Integrated Operational Resilience (IOR) connects cyber preparedness, third-party oversight, AI governance, and capital impact into one repeatable, attested capability. Regulators have converged on the same core ask: map critical services, set & test impact tolerances, and evidence board-level assurance annually.

  • UK (FCA/PRA): Annual board-approved self-assessment and ability to stay within impact tolerances for important business services; the full regime moved out of transition on 31 March 2025 and is now a recurring obligation.
  • EU (DORA): In force from 17 Jan 2025 with annual ICT risk management reviews/testing and calibrated TLPT requirements via joint RTS specifying scope, tester standards, and supervisory cooperation.
  • Canada (OSFI E-21): Finalised Aug 22, 2024; immediate expectations on risk management with phased operationalisation to Sep 1, 2026; board accountability and resilience outcomes central.
  • Australia (APRA CPS 230): Standard commenced 1 July 2025; annual resilience responsibilities with transitional relief for legacy outsourcing to the earlier of contract renewal or 1 July 2026.
Timeline (e.g. three frameworks): 18 weeks

Operational Resilience 2026: Regulation, Control & AI Governance

Master compliance across ISO, Basel, FSB, DORA, and national frameworks. Integrate AI risk governance into your control environment. Manage AI as a critical operational asset—not just a compliance burden. Strategic guidance for global financial services firms.

Deliverables:

  • Custom Scenario Design: Tailored to your business model, covering cyber, third-party dependencies, people risk, DORA obligations, and AI-driven vulnerabilities.
  • Test Execution Playbook & Facilitation: A structured guide and expert-led workshops to ensure scenarios are run realistically and consistently.
  • Gap Analysis Report with Board-Level Narrative: Clear findings translated into regulatory language, ready for senior management and supervisory dialogue.
  • Remediation Roadmap with Accountability Matrix: Actionable next steps with owners, timelines, and measurable outcomes.
Timeline: 6–8 weeks

COMPREHENSIVE TABLE OF CONTROLS

| Dimension | Regulation | Control Framework | AI Governance | Convergence (Operational Definition) |
| --- | --- | --- | --- | --- |
| Impact Tolerance | TOIL (Threshold Operating Loss Impact) | Control Objectives & Activities | AI Impact Tolerance (ATOIL) | TOIL includes AI-driven failures; integrated impact tolerance covering operational and AI failure thresholds |
| Risk Assessment | Operational Risk Categories | COSO Risk Framework | AI Model Risk Register | Unified risk taxonomy incorporating model risk into the enterprise risk framework |
| Third Parties | Critical Third Parties (SYSC 4R.9R, DORA Art 28) | Vendor Management (COSO) | AI Vendors and Models, including Cloud, LLM, GenAI | Unified third-party resilience assessment across technology and AI providers |
| Testing & Validation | Scenario Testing, annual and TOIL-focused | Control Testing, including effectiveness and design | AI Model Validation and Adversarial Testing | Integrated test plans covering controls, scenarios, and AI model robustness |
| Incident Response | Regulatory Reporting within 24 to 48 hours | Root Cause Analysis of control failure | AI Model Anomaly Detection and Rollback | Single incident response process covering control and AI failures |
| Board Governance | Compliance Status and TOIL Certification | Control Effectiveness Reports and KRIs | AI Model Performance and AI Governance Metrics | Unified operational resilience reporting to the Board |
| Emerging Risk | Regulatory Changes and Consultations | New Control Standards, such as COBIT updates | AI Capability Evolution and Foundation Model Risk | Horizon scanning across regulatory, control, and AI domains |

Operational Resilience: Regulation, Control & AI Governance

OPERATIONAL RESILIENCE 2026

PILLAR 1: REGULATION

(Compliance Framework)

  • ISO 22301
  • Basel III/IV
  • FSB Principles
  • DORA
  • PRA/FCA/ECB/Fed
  • National Rules

PILLAR 2: CONTROL

(Governance Framework)

  • COSO Framework
  • COBIT 2019
  • Control Mapping
  • Risk Assessment
  • Attestation
  • Board Governance

PILLAR 3: AI

(AI Governance)

  • AI model risk registry
  • AI testing & validation
  • AI failure scenarios
  • Model monitoring

INTEGRATION POINT

  • IMPACT TOLERANCE (TOIL) + AI IMPACT
  • Third-Party Resilience (including AI vendors)
  • Scenario Testing (AI failure modes)
  • Control Testing (AI + Traditional)
  • Board Reporting (Regulation + Control + AI)

AI & Operational Resilience: The Next Hidden Risk

“Regulators are starting to ask: if your AI fails, who’s harmed, and how fast can you recover?”

AI Resilience: What Regulators Expect and What We Deliver

  1. AI is already critical in FS:
    – 70%+ of UK retail credit applications are now scored with machine learning.
    – Fraud engines block billions in suspicious transactions every day.
    – Chatbots handle millions of customer interactions each month.
  2. Failures are no longer “just IT issues”:
    – A misfiring model can wrongly decline mortgages or insurance claims.
    – A sanctions-screening error can let through illicit transactions.
    – A third-party API outage can freeze onboarding and payments.
  3. Regulatory pressure is rising:
    – EU AI Act, DORA, UK Operational Resilience, and APRA’s CPS 230 all expect firms to treat AI as a critical service.
    – That means AI must be visible, tested, and recoverable — with Boards accountable.
Timeline (e.g. three frameworks): 2–10 weeks

Annual OpRes Attestation & OpRes Annual Audit (Independent Assurance)

  • Identify & Review Important Business Services – update the list annually to reflect changes in operations, outsourcing, or technology.
  • Validate Impact Tolerances – re-confirm whether tolerances are still realistic, based on the last year’s disruptions and testing.
  • Conduct Scenario Testing – run annual resilience tests (including cyber and third-party disruption scenarios) to evidence ability to remain within tolerances.
  • Board Approval of Self-Assessment – every year, the Board must sign off a resilience self-assessment report and be able to stand behind it with regulators.
  • Independent OpRes Assurance – Boards are expected to support attestations with annual internal audit reviews or external assurance reports.

Who Signs Off

  • Board of Directors / Senior Executives: they are legally accountable for attesting that resilience frameworks are fit for purpose.
  • Internal Audit / External Assurance Providers (such as T3): provide independent validation to underpin the Board’s attestation.
  • Independent annual Operational Resilience assurance reviews to strengthen your self-assessment.

How We Support Your Annual Cycle

  • Board-ready reports designed for FCA/PRA, DORA, and global supervisors.
  • Repeatable methodology that embeds resilience into your yearly planning cycle.
  • Cross-jurisdiction alignment so your UK, EU, US, and APAC obligations are covered in one consistent framework.

HOW WE SUPPORT YOUR ANNUAL OPERATIONAL RESILIENCE CYCLE

Have you updated your list of important business services this year?

Are your impact tolerances still realistic after a year of disruption and testing?

Can your critical services remain within tolerance during severe but plausible disruptions?

Is your board ready to stand behind your resilience self-assessment?

Has your resilience framework been independently reviewed this year?

AI-Enabled Operational Resilience

AI is transforming how organisations anticipate, withstand, and recover from disruption.

By integrating advanced analytics, automation, and predictive modelling, we help firms move from reactive risk management to proactive resilience. Our approach leverages AI to detect early warning signals across operations, finance, and third-party ecosystems, identifying vulnerabilities before they escalate into incidents. Through intelligent process monitoring, scenario simulation, and data-driven decision support, we enable organisations to strengthen continuity, optimise recovery strategies, and meet regulatory expectations under frameworks such as the UK’s Operational Resilience regime and DORA.

MEASURABLE OUTCOMES

60% Faster Mapping (Dependency Discovery)

24/7 Real-time alerts (Breach Detection)

80% Visibility
(End-to-end services)

85% Effort Reduction
(Reporting & Updates)

1. SERVICE IDENTIFICATION

2. IMPACT TOLERANCE SETTING

3. MAPPING & DEPENDENCIES

4. SCENARIO TESTING

5. GAP REMEDIATION

6. BOARD REPORTING

7. CONTINUOUS MONITORING

Impact Tolerance Design

Define what matters most. Prepare for what hurts most.
We help you set impact tolerances that are meaningful, measurable, and aligned with regulatory expectations (FCA/PRA, DORA, EBA). Using your business services as the anchor, we quantify thresholds beyond which disruption becomes intolerable — grounding policy in real risk.

Deliverables:

  • Material Business Services (MBS) mapping
  • Impact tolerance thresholds and rationale
  • Board-ready briefing paper & heatmap
  • Regulator-aligned documentation pack
Timeline: 4–6 weeks
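To make the tolerance concept concrete, here is an added example that is not part of the page or T3's own tooling: a small evaluator that compares constructed scenario-test outcomes with per-service impact tolerances and, for AI-dependent services, an additional AI-specific threshold (the table of controls above calls this ATOIL). The service names, units and threshold values are all hypothetical.

```python
# Added example (not from the page or T3): evaluate scenario-test outcomes against
# per-service impact tolerances, including an AI-specific threshold for AI-dependent services.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ImpactTolerance:
    """Thresholds beyond which disruption of a service is intolerable (hypothetical units)."""
    service: str
    max_outage_hours: float        # longest tolerable interruption of the service
    max_failed_transactions: int   # most customer transactions that may fail during the disruption
    ai_dependent: bool = False     # service relies on an ML model, so an AI threshold also applies
    max_wrong_decisions: int = 0   # tolerable erroneous automated decisions (ATOIL-style threshold)


@dataclass(frozen=True)
class ScenarioOutcome:
    """Observed result of one severe-but-plausible scenario test for one service."""
    service: str
    scenario: str
    outage_hours: float
    failed_transactions: int
    wrong_decisions: int = 0


@dataclass
class ToleranceResult:
    service: str
    scenario: str
    breaches: list = field(default_factory=list)

    @property
    def within_tolerance(self) -> bool:
        return not self.breaches


def evaluate(tolerances, outcomes):
    """Compare each outcome with its service's tolerance; every exceeded threshold is recorded."""
    register = {t.service: t for t in tolerances}
    results = []
    for o in outcomes:
        t = register.get(o.service)
        if t is None:
            # A tested service that is missing from the register is itself a finding.
            results.append(ToleranceResult(o.service, o.scenario,
                                           ["service not in impact tolerance register"]))
            continue
        r = ToleranceResult(o.service, o.scenario)
        if o.outage_hours > t.max_outage_hours:
            r.breaches.append(f"outage {o.outage_hours}h exceeds {t.max_outage_hours}h")
        if o.failed_transactions > t.max_failed_transactions:
            r.breaches.append(f"{o.failed_transactions} failed transactions exceed "
                              f"{t.max_failed_transactions}")
        if t.ai_dependent and o.wrong_decisions > t.max_wrong_decisions:
            r.breaches.append(f"{o.wrong_decisions} wrong AI decisions exceed {t.max_wrong_decisions}")
        results.append(r)
    return results


def board_summary(results):
    """Per-service count of scenarios that breached tolerance, for the annual self-assessment."""
    summary = {}
    for r in results:
        summary[r.service] = summary.get(r.service, 0) + (0 if r.within_tolerance else 1)
    return summary


# Constructed sample register and scenario outcomes (illustrative values only).
TOLERANCES = [
    ImpactTolerance("payments", max_outage_hours=4, max_failed_transactions=10_000),
    ImpactTolerance("credit_decisioning", 24, 500, ai_dependent=True, max_wrong_decisions=50),
    ImpactTolerance("customer_chatbot", 48, 100_000, ai_dependent=True, max_wrong_decisions=1_000),
]
OUTCOMES = [
    ScenarioOutcome("payments", "cyber outage of core platform", 6, 8_000),
    ScenarioOutcome("credit_decisioning", "third-party scoring API failure", 20, 400),
    ScenarioOutcome("credit_decisioning", "model drift after data refresh", 0, 0, wrong_decisions=120),
    ScenarioOutcome("customer_chatbot", "LLM vendor outage", 30, 20_000),
    ScenarioOutcome("sanctions_screening", "rule engine misconfiguration", 2, 0),
]

if __name__ == "__main__":
    for r in evaluate(TOLERANCES, OUTCOMES):
        status = "within tolerance" if r.within_tolerance else "; ".join(r.breaches)
        print(f"{r.service:20} {r.scenario:35} {status}")
    print(board_summary(evaluate(TOLERANCES, OUTCOMES)))
```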

Third-Party Resilience Deep Dive

Your resilience is only as strong as your weakest supplier.
We assess the resilience posture of your critical third parties — and your own oversight processes. Our framework incorporates DORA’s ICT third-party risk requirements, PRA SS2/21, and best-in-class operational continuity principles.

Deliverables:

  • Governance and oversight framework benchmarking
  • Readiness scorecard and resilience uplift plan
  • Optional vendor engagement support or audit
  • Third-party criticality heatmap and exposure matrix
Timeline: 5–7 weeks

Risk & Regulation 360°

Operational Resilience
Consulting & Annual Assurance

  • Achieve and evidence compliance across DORA, UK OpRes, CPS 230, OSFI E-21, and US SR 20-24
  • Strengthen annual attestation and board-level assurance with independent review
  • Integrate AI governance, third-party risk, and cyber resilience into a unified OpRes framework
  • Reduce operational disruption risk by up to 75% through scenario testing and remediation

Operational Resilience in 2026

Building Resilience That Regulators, Boards, and Customers Trust

Operational resilience is the ability of firms, financial market infrastructures, and the broader financial sector to prevent, adapt to, respond to, recover from, and learn from operational disruptions. In 2026, regulators across every major jurisdiction have moved beyond policy consultation into active supervision, enforcement, and annual attestation cycles. What was once a forward-looking regulatory aspiration is now a recurring compliance obligation with direct board accountability.

At T3, we approach operational resilience as an integrated, strategic discipline that connects business continuity, third-party oversight, cyber preparedness, AI risk governance, and capital impact forecasting into a unified, auditable framework. We help organisations not only comply with regulatory expectations from the PRA, FCA, ECB, the European Supervisory Authorities (ESAs), APRA, OSFI, the Federal Reserve, OCC, and other national supervisors, but also turn resilience into a genuine competitive advantage.

Whether you are preparing for your first annual self-assessment, seeking independent assurance over an existing programme, or looking to embed AI and emerging technology risk into your resilience framework, T3 provides the precision, regulatory depth, and practical delivery that regulated firms require.

Part 1

Global Regulatory Landscape & Key Milestones

Operational resilience regulation has converged globally around a shared set of expectations: identify critical services, set and test impact tolerances, govern third-party dependencies, and evidence board-level accountability annually. Below is a region-agnostic overview of the major regulatory frameworks, standard setters, and key milestones from 2025 onwards — including quarterly milestones through 2026 — that define the operational resilience landscape.

United Kingdom

PRA / FCA Operational Resilience

The UK's operational resilience framework (PRA SS1/21 and FCA PS21/3) reached full transition on 31 March 2025 — firms must now demonstrate the ongoing ability to remain within impact tolerances during severe but plausible disruption scenarios. The Critical Third Parties (CTP) oversight regime entered into force on 1 January 2025, with HM Treasury expected to designate the first CTPs in 2025, triggering a 12-month compliance window. PRA/FCA consultation papers CP17/24 and CP24/28 on operational incident and third-party reporting are expected to be finalised in 2025–2026.

Key Milestones — 2025 Onwards:

  • Q1 2025: CTP oversight regime in force (1 Jan); full transition deadline met (31 Mar) — firms evidence ability to remain within impact tolerances
  • Q2–Q4 2025: PRA/FCA assess firms' operational resilience capabilities; HM Treasury expected to designate first CTPs; PRA annual board-approved self-assessment cycle; PRA ease-of-exit policy for banks in force (1 Oct 2025)
  • Q1 2026: FCA publishes 2025 CBEST thematic analysis (Jan 2026); G7 Cyber Expert Group issues Post-Quantum Cryptography roadmap statement (Jan 2026); designated CTPs begin 12-month compliance window
  • Q2 2026: PRA general insurer dynamic stress test expected to commence (May 2026); PRA ease-of-exit policy for insurers in force (30 Jun 2026); expected finalisation of operational incident and third-party reporting rules
  • Q3–Q4 2026: Recurring supervisory engagement on operational resilience; CTP compliance assessments; ongoing annual self-assessment and scenario testing cycles

European Union

DORA — Digital Operational Resilience Act

The EU's Digital Operational Resilience Act (Regulation (EU) 2022/2554) became fully applicable on 17 January 2025. All obligations — ICT risk management, incident reporting, digital operational resilience testing (including TLPT), third-party ICT provider oversight, and information sharing — are now enforceable. The ESAs designated the first Critical ICT Third-Party Providers (CTPPs) in November 2025 and are operationalising the oversight framework. The European Commission is due to review DORA's scope by January 2026.

Key Milestones — 2025 Onwards:

  • Q1 2025: Full application date (17 Jan) — all DORA obligations enforceable across 27 EU member states
  • Q2 2025: First Register of Information (RoI) submissions to national competent authorities; deadline for onward transmission to ESAs (30 Apr 2025); ESAs commence CTPP criticality assessments
  • Q3 2025: ESAs publish guide on DORA Oversight activities (Jul 2025); CTPP notification and six-week objection period
  • Q4 2025: ESAs publish designated CTPP list (Nov 2025); Joint Examination Teams (JETs) begin oversight engagement; consultation on non-ICT third-party provider guidelines closes (Oct 2025)
  • Q1 2026: European Commission review of DORA scope due (17 Jan 2026), including assessment of extending to statutory auditors; annual RoI submissions (reference date: 31 Dec 2025) due to national authorities by ~Mar 2026
  • Q2 2026: Supervisory reviews and inspections ramp up; CTPP oversight framework in steady-state operation; TLPT cycles for designated entities
  • Q3–Q4 2026: Sector-wide resilience exercises; ongoing annual ICT risk management reviews; two-year transitional period for reviewing existing third-party arrangements underway

Australia

APRA CPS 230 — Operational Risk Management

APRA's Prudential Standard CPS 230 commenced on 1 July 2025, replacing CPS 231, CPS 232, and SPS 231. CPS 230 unifies operational risk management, business continuity, and service provider management into a single integrated standard. All APRA-regulated entities must identify critical operations, set tolerance levels for disruptions, and maintain comprehensive business continuity plans. Non-SFIs have deferred requirements applying from 1 July 2026. APRA has outlined a three-year supervision programme with heightened scrutiny for significant financial institutions.

Key Milestones — 2025 Onwards:

  • Q3 2025: CPS 230 commenced (1 Jul); full compliance required for all SFIs; entities must notify APRA of tolerance breaches within 24 hours
  • Q4 2025: Initial Material Service Provider (MSP) register submissions due to APRA (1 Oct 2025); APRA commences targeted prudential reviews of SFI subset
  • Q1 2026: APRA continues SFI prudential review programme (Year 1 of 3); entities review and update critical operations mapping
  • Q2–Q3 2026: Climate Vulnerability Assessment results for general insurance sector expected (H2 2025–26); transitional relief deadline for pre-existing material service provider arrangements (1 Jul 2026); deferred requirements for non-SFIs take effect (1 Jul 2026)
  • Q4 2026: APRA commences prudential review of second subset of entities (Year 2 of 3); annual MSP register resubmission cycle
  • 2027–2028: APRA transitions to BAU ongoing supervision (Year 3)

Canada

OSFI Guideline E-21 — Operational Resilience

OSFI's Guideline E-21 on Operational Risk Management and Resilience was finalised on 22 August 2024 and is being implemented in phases. Sections 1 (Governance) and 2 (Operational Risk Management) are effective immediately. Section 4 (Key Areas of Operational Risk Management) adherence was due by 1 September 2025. Full operationalisation is required by 1 September 2026, with scenario testing coverage of all critical operations due by 1 September 2027. E-21 integrates with Guideline B-10 (Third-Party Risk Management) and Guideline B-13 (Technology and Cyber Risk Management).

Key Milestones — 2025 Onwards:

  • Q1 2025: Sections 1 & 2 effective (from Aug 2024); FRFIs expected to have governance structures and operational risk management frameworks in place
  • Q3 2025: Full adherence to Section 4 required (1 Sep 2025) — critical operations identified, disruption tolerances set, business continuity and data risk controls formalised; OSFI conducts selective supervisory reviews
  • Q4 2025: OSFI Quarterly Release (Nov 2025) — capital adequacy and regulatory guidance updates; institutions refine scenario testing methodologies ahead of full operationalisation
  • Q1 2026: CAR Guideline consultation closes (18 Feb 2026); MCT Guideline 2026 in effect (1 Jan 2026); institutions finalise identification, mapping and tolerances for critical operations
  • Q2 2026: OSFI ARO Fiscal Year 2026–2027 published (Apr 2026) with updated guidance priorities; next Quarterly Release cycle commences
  • Q3 2026: Full operationalisation deadline — 1 September 2026 — all E-21 requirements enforceable; scenario testing must be underway for critical operations
  • Q3 2027: Scenario testing must cover all critical operations by 1 September 2027

United States

Federal Reserve, OCC, FDIC & FFIEC Guidance

The US regulatory approach to operational resilience remains principles-based and distributed across multiple agencies. In 2024, the Federal Reserve issued updated Sound Practices for Operational Resilience (SR 24-1, replacing SR 20-24). In 2025, the regulatory posture shifted significantly under new agency leadership, with enhanced supervisory focus on cyber resilience, third-party concentration risk, AI-related operational risk, and digital asset integration. The FFIEC sunset the Cybersecurity Assessment Tool (CAT) on 31 August 2025, directing institutions to NIST CSF 2.0 and CISA Cybersecurity Performance Goals.

Key Milestones — 2025 Onwards:

  • Q1 2025: New agency leadership at Federal Reserve, OCC, and FDIC; regulatory posture recalibrated; OCC FY2025 Bank Supervision Operating Plan prioritises cyber resilience and third-party risk
  • Q2–Q3 2025: Federal Reserve publishes Cybersecurity Resources for Community Banks (May 2025); FFIEC CAT sunset (31 Aug 2025) — institutions transition to NIST CSF 2.0 and CISA CPGs; Federal Reserve Cybersecurity and Financial System Resilience Report to Congress (Jul 2025)
  • Q4 2025: OCC issues interpretive letters on digital asset activities; enhanced supervisory focus on AI-related operational risk and concentration risk in cloud services
  • Q1–Q2 2026: OCC FY2026 Bank Supervision Operating Plan expected; continued examination cycles focused on cyber resilience, third-party risk, and operational resilience integration; CISA Financial Sector Cybersecurity Performance Goals expected
  • Q3–Q4 2026: FFIEC examination cycles continue; heightened supervisory focus on AI governance, digital asset operational risk, and critical infrastructure resilience; interagency coordination on third-party concentration risk

International Standards

Basel Committee, FSB, IOSCO & ISO

At the international level, the Basel Committee's Principles for Operational Resilience (BCBS 508) and revised Principles for the Sound Management of Operational Risk (BCBS 509) continue to anchor national implementations. The Financial Stability Board (FSB) and IOSCO continue to issue guidance on third-party and outsourcing risk, market infrastructure resilience, and emerging AI-related risks. ISO standards — including ISO 22301 (Business Continuity), ISO 27001 (Information Security), and ISO 42001 (AI Management Systems) — provide complementary certification frameworks increasingly referenced by national regulators.

Key References & 2025–2026 Developments:

  • BCBS 508: Principles for Operational Resilience (March 2021) — ongoing national implementation and supervisory reviews
  • BCBS 509: Revised Principles for Sound Management of Operational Risk — baseline for national guidelines
  • FSB: Continued guidance on third-party risk, outsourcing, and AI-related financial stability risks
  • G7 Cyber Expert Group: Statement on Post-Quantum Cryptography roadmap for financial sector (January 2026), with milestones through 2035
  • G7 CEG: Statement on AI and Cybersecurity (2025) — opportunities and risks of AI for cyber resilience
  • ISO 22301: Business Continuity Management Systems
  • ISO 27001/27002: Information Security Management
  • ISO 42001: AI Management Systems — increasing relevance as regulators integrate AI governance into operational resilience frameworks

Part 2

Emerging Changes in Operational Resilience

Operational resilience is no longer limited to business continuity and disaster recovery. Regulators and standard setters are rapidly expanding the perimeter to cover AI-driven operational risk, critical third-party concentration, climate-related disruption, and cyber-physical convergence. Firms that treat these as separate workstreams risk fragmented governance and supervisory challenge.

AI as a Critical Operational Dependency

Regulators are increasingly treating AI and machine learning models as critical operational assets. The EU AI Act (Regulation (EU) 2024/1689), DORA's ICT risk management requirements, the PRA's model risk management expectations (SS1/23), and the Federal Reserve's SR 11-7 all converge on a single expectation: if your AI fails, you must know who is harmed, how quickly you can recover, and whether the failure was within your defined impact tolerance.

For firms deploying AI in credit decisioning, fraud detection, sanctions screening, claims processing, or customer-facing chatbots, this means AI must be mapped as part of your Important Business Services, subject to scenario testing (including AI-specific failure modes such as model drift, data poisoning, and hallucination), and covered by your annual self-assessment and attestation.

Third-Party & Concentration Risk

The convergence of the UK's Critical Third Parties (CTP) regime, DORA's Critical ICT Third-Party Provider (CTPP) framework, APRA's CPS 230 material service provider requirements, OSFI's Guideline B-10, and the US interagency third-party risk guidance signals a global regulatory consensus: firms must have visibility, control, and exit strategies over the third-party providers that underpin their critical operations.

Cloud concentration risk is a particular area of supervisory focus, with regulators examining systemic dependencies on a small number of hyperscale cloud providers. Firms are expected to map fourth-party dependencies, test substitutability, and evidence contractual exit rights and data portability arrangements.

Cyber Resilience & Threat-Led Testing

DORA's Threat-Led Penetration Testing (TLPT) requirements, the UK's CBEST framework, and emerging cyber resilience expectations from APRA and OSFI are aligning towards a common standard: firms must conduct regular, intelligence-led adversarial testing of their critical functions. This includes testing AI-powered systems for adversarial attack vectors, model manipulation, and data exfiltration pathways.

The intersection of AI and cyber risk is a particularly dynamic area, with AI being both a target of attack and a tool used by threat actors. Regulators expect firms to integrate cyber resilience testing with their operational resilience scenario testing programmes.

Climate, Geopolitical & Pandemic Risk

Operational resilience frameworks are expanding to cover climate-related disruption scenarios, geopolitical instability affecting supply chains and data sovereignty, and pandemic preparedness. The BCBS, PRA, and ECB have all indicated that severe but plausible scenarios should include physical climate events, critical infrastructure failures, and cross-border disruption pathways.

For firms with global operations, this introduces complexity around data localisation requirements, cross-jurisdictional recovery arrangements, and the interplay between operational resilience obligations and sanctions or trade restrictions.

Data Governance, Privacy & Operational Integrity

The intersection of data protection regulation (GDPR, UK Data Protection Act, CCPA, and emerging AI-specific data requirements under the EU AI Act) with operational resilience is becoming a supervisory priority. Firms must ensure that data integrity, availability, and confidentiality are maintained throughout disruption events, and that recovery processes do not compromise data protection obligations. DORA's incident reporting requirements and the UK's CTP regime both include explicit data integrity expectations.

Agentic AI & Autonomous Decision-Making

As firms move towards agentic AI systems that can take autonomous actions (executing trades, approving claims, managing customer interactions without human intervention), the operational resilience implications multiply. Regulators are beginning to ask how firms would recover from an autonomous system that operates outside its intended parameters at scale. This emerging theme requires firms to define AI-specific impact tolerances, implement kill-switch and rollback mechanisms, and ensure human oversight protocols are tested under realistic disruption conditions.

How We Help: Our OpRes Methodology

At T3, we deliver operational resilience consulting and assurance with precision and regulatory depth. Our methodology is built on five interconnected pillars, each designed to move you from compliance to genuine resilience maturity.

01

Assess & Benchmark

Gap analysis of your current operational resilience posture against applicable regulatory frameworks (DORA, UK OpRes, CPS 230, E-21, SR 20-24) and international standards (BCBS 508, ISO 22301). Maturity scoring and peer benchmarking.

02

Design & Build

Design and implement your integrated operational resilience framework, including IBS identification, impact tolerance calibration, end-to-end mapping (processes, people, technology, third parties, data), and governance structures with clear roles and accountabilities.

03

Test & Validate

Design and facilitate severe but plausible scenario testing, including cyber disruption, third-party failure, AI-specific failure modes, climate events, and pandemic scenarios. Validate recovery capabilities against impact tolerances. Support TLPT and CBEST requirements.

04

Report & Attest

Produce board-ready self-assessment reports, regulator-aligned documentation, and independent assurance opinions. Support annual attestation cycles for PRA/FCA, DORA, CPS 230, and cross-jurisdictional requirements.

05

Monitor & Evolve

Embed continuous monitoring, horizon scanning for regulatory change, and iterative improvement into your resilience lifecycle. Integrate AI-enabled monitoring tools, early warning systems, and predictive analytics to move from reactive to proactive resilience.

Annual Cycle

Annual OpRes Attestation & Independent Assurance

Across all major jurisdictions, regulators now expect firms to produce annual evidence that their operational resilience frameworks are effective, tested, and governed at board level. This is not a one-off implementation exercise — it is a recurring, auditable compliance obligation. T3 provides the independent assurance and advisory support that boards need to sign off with confidence.

Step 1

Review Important Business Services

Update your IBS register annually to reflect changes in operations, outsourcing, technology, and AI deployments. Ensure new critical services (including AI-driven services) are captured and mapped.

Step 2

Validate Impact Tolerances

Re-confirm whether your impact tolerances remain realistic and calibrated, based on the past year's disruptions, near-misses, testing outcomes, and changes in your risk profile or operating model.

Step 3

Conduct Scenario Testing

Execute annual resilience tests across severe but plausible scenarios, including cyber disruption, third-party failure, AI model failure, climate events, and operational errors. Evidence your ability to remain within tolerances.

Step 4

Board Approval of Self-Assessment

Prepare a board-ready resilience self-assessment report that consolidates evidence, testing outcomes, remediation progress, and residual risks. The board must sign off and be prepared to stand behind this assessment with regulators.

Step 5

Independent Assurance

Boards are expected to underpin their annual attestation with independent review — whether through internal audit or external assurance providers such as T3. We provide independent validation of your framework design, testing adequacy, evidence quality, and overall resilience maturity.

Is Your Board Ready for Annual OpRes Attestation?

Independent operational resilience assurance reviews to strengthen your self-assessment.

BOOK AN ASSURANCE CONSULTATION

Why T3 for Operational Resilience

At T3, we deliver risk management and regulatory transformation with precision and reliability — getting it right the first time by drawing on cutting-edge research, innovation, and deep specialist expertise.

Multi-Jurisdictional Expertise

We operate across UK, EU, US, Canada, Australia, and APAC regulatory frameworks, providing a single consistent methodology that covers your global obligations.

AI & Technology Risk Integration

We are one of the few operational resilience consultancies that integrates AI risk governance (EU AI Act, ISO 42001, NIST AI RMF) directly into the operational resilience framework.

Independent Assurance

Board-ready, regulator-aligned assurance reports designed for FCA/PRA, DORA, CPS 230, and global supervisors. We provide the independent challenge your board needs.

Practical Delivery

We do not produce shelf-ware. Our deliverables are designed to be operationalised, tested, and defended with regulators. We embed resilience into your annual planning cycle.

All firms seeking to reduce operational risk

Who Does It Impact?

C-Suite & Board

Risk & Compliance Teams

Financial Services

Insurance

Technology & Cloud Providers

Asset & Wealth Managers

Market Infrastructures

Healthcare & Critical Services

Our Impact on Operational Resilience

Use Cases

Annual OpRes Attestation for a Tier 1 Bank

CHALLENGE:

A major international bank required independent assurance over its first post-transition annual self-assessment under the PRA/FCA operational resilience framework, with cross-border alignment to DORA requirements for its EU-regulated entities.

APPROACH:

T3 conducted an end-to-end review of the bank's IBS register, impact tolerance calibration, mapping completeness (including AI-dependent services), scenario testing programme, and board governance. We produced a gap analysis with regulatory-aligned findings and a remediation roadmap with clear owners and timelines.

RESULTS:

Board signed off the annual attestation with confidence. Three material gaps were identified and remediated prior to regulatory engagement. AI-dependent services were formally integrated into the resilience framework for the first time.

DORA Compliance Programme for an EU Asset Manager

CHALLENGE:

A mid-size EU asset management firm needed to achieve full DORA compliance by the January 2025 application date, including establishing an ICT risk management framework, incident reporting procedures, third-party register of information, and digital operational resilience testing programme.

APPROACH:

T3 delivered a 16-week DORA implementation programme covering all five pillars: ICT risk management, incident management, resilience testing, third-party oversight, and information sharing. We aligned the firm's existing ISO 27001 and BCP frameworks with DORA's specific requirements, reducing duplication and implementation cost.

RESULTS:

Full DORA compliance achieved ahead of the application date. Third-party register of information submitted to the national competent authority. Board reporting framework established for annual ICT risk management review cycle.

Operational Resilience Services

Services We Provide

OpRes Framework Design & Implementation

End-to-end framework build or integration into existing risk management programmes. IBS identification, impact tolerance setting, mapping, and governance design.

Annual OpRes Attestation Support

Board-ready self-assessment reports, evidence packs, and attestation documentation for PRA/FCA, DORA, CPS 230, and cross-jurisdictional requirements.

Independent Assurance & Audit

Independent review and validation of your operational resilience framework, testing programme, and evidence quality. Designed to underpin board attestation and satisfy supervisory expectations.

Scenario Testing & TLPT

Custom scenario design, test execution playbooks, facilitated exercises, and gap analysis reports. Covering cyber, third-party, AI failure, climate, and pandemic scenarios. TLPT and CBEST support.

Third-Party Resilience Assessment

Criticality heatmaps, governance benchmarking, concentration risk analysis, vendor resilience scorecards, and exit strategy validation. Aligned to DORA CTPP, UK CTP, CPS 230, and B-10 requirements.

AI & OpRes Integration

Embed AI governance into your operational resilience framework. AI-specific impact tolerances, failure mode testing, model risk integration, and alignment with EU AI Act, NIST AI RMF, and ISO 42001.

DORA Compliance Programme

Full DORA implementation across all five pillars: ICT risk management, incident reporting, digital operational resilience testing, third-party oversight, and information sharing arrangements.

OpRes Maturity Assessment

Gap analysis and maturity scoring against applicable frameworks and peer benchmarks. Remediation roadmap with prioritised actions, owners, and timelines.

Business Continuity & Crisis Management

BCP review, crisis management framework design, tabletop exercises, and integration with your operational resilience programme. ISO 22301 alignment and certification support.

Frequently Asked Questions

What is operational resilience?

Operational resilience is the ability of firms and the financial system to prevent, adapt to, respond to, recover from, and learn from operational disruptions. It goes beyond traditional business continuity by focusing on the continuity of critical services to customers and markets, rather than the recovery of individual systems or processes. Regulators across the UK (PRA/FCA), EU (DORA), Australia (APRA CPS 230), Canada (OSFI E-21), and the US (SR 20-24) have all established specific operational resilience requirements.

What is an annual OpRes attestation?

An annual OpRes attestation is your formal yearly confirmation — typically requiring board or senior management sign-off — that your operational resilience framework is in place, tested, and supported by evidence. It consolidates your Important Business Services register, impact tolerances, mapping, scenario testing results, and remediation actions into a defensible statement for internal governance and regulatory engagement.

Do we need an independent OpRes assurance review?

Most regulated firms benefit from independent assurance because it provides independent challenge and strengthens the credibility of your annual attestation with regulators. If your firm has material changes (new services, suppliers, technology, or AI deployments), inconsistent evidence across teams, or is preparing for supervisory engagement, an independent review reduces risk by identifying gaps before they become regulatory findings.

How does AI affect operational resilience?

AI systems are increasingly embedded in critical business services, from credit decisioning and fraud detection to customer interactions and sanctions screening. Regulators now expect firms to treat AI as a critical operational dependency, subject to the same mapping, testing, and governance requirements as any other critical process or technology. AI-specific failure modes — including model drift, data poisoning, hallucination, and adversarial attacks — should be incorporated into your scenario testing programme and annual self-assessment.

What is DORA and who does it apply to?

The Digital Operational Resilience Act (DORA) is an EU regulation (Regulation (EU) 2022/2554) that establishes a comprehensive ICT risk management framework for financial entities. It applies to banks, insurers, investment firms, payment institutions, crypto-asset service providers, and critical ICT third-party providers operating within the EU. DORA has been fully applicable since 17 January 2025 and requires annual ICT risk management reviews, incident reporting, digital operational resilience testing, and third-party oversight.

What frameworks does T3 align to?

T3's operational resilience methodology aligns to all major regulatory frameworks and international standards, including PRA SS1/21 and FCA PS21/3 (UK), DORA and ESA technical standards (EU), APRA CPS 230 (Australia), OSFI E-21, B-10, and B-13 (Canada), SR 20-24 and interagency guidance (US), BCBS 508 and 509 (Basel Committee), FSB and IOSCO guidance, ISO 22301 (Business Continuity), ISO 27001 (Information Security), and ISO 42001 (AI Management Systems).

How can T3 help with operational resilience?

T3 provides end-to-end operational resilience consulting and assurance, from initial gap analysis and framework design through to annual attestation support and independent assurance. We specialise in multi-jurisdictional alignment (covering UK, EU, US, Canada, and Australia requirements in a single consistent methodology), AI and technology risk integration, scenario testing and TLPT, third-party resilience, and board-ready reporting. Whether you need a full framework build, annual assurance, or targeted support on emerging themes like AI operational risk, T3 has the expertise to deliver.

Ready to Strengthen Your Operational Resilience?

Book a call with our experts to discuss your annual attestation, assurance needs, or operational resilience programme.

FAQs

What does an OpRes audit cover?

An OpRes audit typically reviews end-to-end operational resilience design and evidence, including: governance and ownership, definition of services, impact tolerances, mapping completeness (processes/people/technology/third parties), scenario testing approach and outcomes, lessons learned, and remediation tracking. A good OpRes audit also tests whether your documentation is internally consistent and "stands up" to scrutiny from Risk, Compliance, Internal Audit, and regulators.

What evidence is needed for the operational resilience self-assessment?

For the operational resilience self-assessment, you generally need evidence that shows what you deliver, how you deliver it, and how you prove it holds under disruption. Typical evidence includes: IBS and impact tolerance documentation, mapping outputs (including third parties), scenario testing plans and results, incident and disruption learnings, control/testing records, remediation plans with owners and dates, and board/committee minutes showing review and challenge. This evidence pack is what makes your annual OpRes attestation defensible.

ANNUAL OPRES ATTESTATION


OpRes Annual Self Assessment

Where do you stand on OpRes Annual Attestation?

Select the framework that applies to your firm. You will score each requirement as Fully met, Partially met, or Not met. At the end, you will see your overall risk level and section breakdown.

Business Continuity

Crisis Management

TPRM

DORA

UK Operational Resilience

Why T3 for Operational Resilience?

T3’s Operational Resilience practice brings deep, hands-on experience designing and implementing resilience frameworks at top-tier global financial institutions.

  • End-to-end operational resilience delivery:
    • Important Business Services (IBS) mapping and impact tolerance setting
    • Third-party and critical vendor risk management, including concentration risk and exit strategies
    • Business continuity, disaster recovery, and crisis management frameworks
    • Scenario testing for severe-but-plausible operational disruption
  • Deep regulatory expertise spanning DORA, PRA/FCA Operational Resilience (PS21/3, SS1/21), BCBS 508, EBA ICT Risk Guidelines, and CTP oversight frameworks
  • Technology resilience, multi-cloud architecture (AWS, Azure, GCP), cyber resilience, and IT service continuity
  • Backed by T3’s AI expertise, enabling resilient-by-design AI deployment and automated resilience monitoring

We don’t just plan for disruption, we build organisations that withstand it.