Resilience should help finance firms act faster, not just recover faster

Year: 2026 | Article | Industry: Financial Services, Pensions, Insurance, Banking

Financial services firms often treat resilience as a compliance and risk topic. DORA in the European Union and the FINMA Operational Risk Circular in Switzerland have set strict standards and raised the bar for resilience across the industry. DORA pushes firms to map their critical functions, maintain a register of ICT third-party arrangements, run threat-led penetration tests and prove they can recover within defined tolerances. FINMA’s Circular on Operational Risks requires banks to identify and protect their critical data beyond confidentiality, test exit strategies from critical third-party providers, and ensure business continuity. These are the same disciplines a business needs to move quickly and safely.

But all that raises one more strategic question: once compliance is in place, what else can resilience help the business achieve?

For Eraneos Partner Khaled Ouafi, a financial services expert, the answer is broader than regulation.

“A couple of years ago, organizations often thought of resilience as a regulatory tick box. Now it’s a business question: how do we offer better service, protect our supply chain and move faster without losing control? The firms that get this right stop treating resilience as a cost and start using it to compete. If you strip resilience back, it is, at its core, a question about technology: the services that cannot fail are digital, and the dependencies that make them fragile are increasingly IT ones,” says Khaled.

Start with what the business cannot afford to lose

Resilience adds value for financial service providers by protecting services customers use every day. An unavailable e-banking platform, a failed trading system, a delayed payment or a disrupted client portal hits fast. The damage runs across revenue, reputation, client confidence and regulatory exposure.

That is why financial institutions should start with their own business model, says Khaled. A private bank may need reliable digital access for clients across regions. A payments provider may need cross-border transactions to keep moving while managing cyber risk and supplier dependency. An insurer may need stable digital claims handling during peaks in demand.

“The question is always: what is important for my business? Answer that first, and resilience stops being abstract. You protect the few digital services you genuinely can’t live without, not everything at once.”
Khaled Ouafi, Partner

That question helps leaders move beyond generic resilience planning. The focus shifts to the handful of services that define the business, the suppliers and systems they quietly depend on, and the failures that would cost client trust the fastest. In almost every case, those services run on technology and those dependencies are IT ones — which is why resilience keeps leading to technology strategy.

Technology choices are strategy choices

This is where resilience becomes operational. Technology decisions now shape business strategy. Cloud architecture, supplier concentration, data location, cybersecurity and AI adoption shape the services the business can launch, the speed of its response and the risk it carries.

“IT has always been there to serve the business, and in the past the business didn’t want to know the details — it was something you switched on. That no longer holds. When your technology choices decide what you can launch and how much risk you carry, the business has to own them,” says Khaled.

The separation between IT and business is harder to maintain now. Highly concentrated cloud strategies, for example, create speed and consistency. They also raise questions about dependency and flexibility, including operational flexibility. Geopolitics adds another layer: who can access the data, which legal frameworks apply and how much control the institution really has.

“I have seen banks shift from a single-cloud strategy to multi-cloud — to pick the best fit for each use case, balance their risks and maximize flexibility,” says Khaled.

Good enough is a fragile place to stay

Resilience loses impact when organizations focus only on the issue directly in front of them. Closing a regulatory gap or addressing one visible technical weakness can improve compliance, but it may not prepare the institution for the next operational, technological or geopolitical risk.

“Too many organizations fix today’s problem and call it resilience. The world is moving so fast that tomorrow is becoming the next hour — so you have to design for the shift you can see coming, not just the gap in front of you,” says Khaled.

Technical debt, current dependencies and unresolved weaknesses deserve closer attention. A system that runs today may still limit tomorrow’s service model, supplier strategy or cyber response.

Cybersecurity makes this visible. Attackers now automate reconnaissance and weaponize new vulnerabilities within hours, while most defenders still patch and respond on a human timetable. Closing that gap means automating detection and response, and assigning clear ownership so no exposure waits for the next change window.

“You have to be even faster than your attackers. And your attackers are machines,” explains Khaled.

How finance leaders embed resilience into their organization’s ecosystem

  • Define what resilience should enable
    Start by clarifying which services resilience needs to protect, which markets the business wants to serve and which risks could limit growth. Make it specific: name the three or four services whose failure would hurt most, set a tolerance for how long each can be down and how much data you can afford to lose (recovery-time and recovery-point objectives, in the regulator’s language), and tie those targets back to revenue and client commitments rather than to a control checklist.

  • Build control into the operating model
    Resilience works best when architecture, supplier choices, cyber response, product development and decision rights reflect the speed, flexibility and assurance the organization wants. In practice, that means knowing where a single supplier or cloud region creates concentration risk, agreeing in advance who can invoke a failover or trigger an exit strategy, and rehearsing those decisions before an incident forces them.

  • Treat AI as part of resilience planning
    AI introduces greater speed and more autonomy into defined processes. That creates new questions around access, explainability, auditability, decision ownership and control. Decide which decisions a model may take on its own and which need a human in the loop, keep a record of why each automated action was taken, and treat the AI pipeline itself as something an attacker will target.

  • Look beyond your own perimeter
    Resilience no longer stops at the institution’s own systems. Most firms now depend on the same handful of cloud platforms, payment rails and SaaS providers, which means a single provider failure can hit much of the sector at once — concentration risk that no individual firm can fully control. Map the shared dependencies behind your critical services, understand where the wider ecosystem is exposed to the same points of failure, and plan for disruption that originates outside your walls.

“Even the best-known providers are not immune. A single fault deep in AWS once rippled out across much of the internet — taking banking apps offline along with other digital services.”
Khaled Ouafi, Partner

Resilience makes it safer to move fast

Financial services firms have made real progress on compliance. The next step is to connect that work more closely to business value, service quality and strategic choice.

The question is no longer only whether a system works today. It is whether the digital operating model — the technology, suppliers and data the business runs on — gives it enough flexibility, security and confidence for what comes next. That is where resilience in financial services ultimately lives: not in the compliance file, but in the IT and digital choices that decide how fast and how safely the business can move. In Khaled’s view, resilience gives financial institutions the structure to keep moving, serve clients better and adapt without losing control.