Operational resilience: from compliance to competitive advantage | The Association of Corporate Treasurers

Operational resilience: from compliance to competitive advantage

19 May 2026
Go back

As scrutiny increases around the world, corporates and their treasurers can turn regulatory focus into strategic capability, argues Simran Singh

gold branches reaching over blue background

Operational resilience has moved well beyond regulatory compliance. In today’s increasingly volatile risk environment, it is now a defining business capability. Firms that succeed will be those that treat operational resilience not as a regulatory obligation, but as a strategic lever and, ultimately, a source of competitive advantage.

Global regulatory convergence despite varying terminology

Across jurisdictions, we have seen increasing regulatory focus and scrutiny around operational resilience. While terminology differs across regulations – such as important business services (IBSs), critical operations, critical functions or critical services – the objectives and outcomes are consistent. This convergence centres on five core expectations:

  • Establish an end-to-end view of service delivery
  • Identify vulnerabilities across enabling resources
  • Set and monitor impact tolerances
  • Conduct rigorous scenario testing
  • Mitigate customer harm and protect financial stability.

For globally active firms, the challenge lies in navigating differing regulatory languages while demonstrating a common capability: proving that IBSs can remain within impact tolerances (ITOLs) during severe but plausible disruptions.

Supervisors increasingly expect robust evidence, from mapping to scenario results to governance effectiveness, rather than theoretical frameworks. 

 The shift is not about building parallel structures; it is about pivoting existing capabilities through a service lens to support effective resilience outcomes  

What operational resilience really requires

Operational resilience is the ability of firms to prevent, adapt and respond to, recover and learn from operational disruption. It is grounded in a service-led view. It demands a clear, service-led understanding of how the organisation delivers value and where it is most exposed.

Resilience requires appreciating how enabling resources interact, how vulnerabilities aggregate and how disruption spreads across interconnected processes.

Operational resilience does not replace existing capabilities. Instead, it integrates and elevates existing capabilities such as business continuity, operational risk, cyber security and third-party risk management. Existing vulnerability analysis, controls and management information should inform both resilience posture and investment priorities.

The shift is not about building parallel structures; it is about pivoting existing capabilities through a service lens to support effective resilience outcomes.

Leveraging existing capabilities through an integrated lifecycle

Mature operational resilience programmes follow a structured lifecycle:

  •     Identify and prioritise IBSs
  •     Conduct end-to-end mapping and vulnerability assessment
  •     Set ITOLs
  •     Perform scenario testing across severe but plausible events
  •     Implement remediation and investment plans
  •     Embed governance and assurance.

The most effective firms integrate this lifecycle into their existing operating model rather than treating it as a standalone regulatory initiative. Operational resilience requires harmonisation of your existing capabilities, rather than reinvention.

Implementation insights and recurring challenges

When looking at the implementation lessons learned, there are some recurring themes across firms:

  • Governance and accountability
    Governance must be established across all levels, with clear, named accountability flowing from board forums downward. Without clear ownership, resilience remains conceptual rather than actionable.
     
  • Operating model clarity
    Many firms possess strong risk and continuity foundations. Yet gaps remain in operating model clarity, including how information, responsibility and decision-making flow across functions. Alignment is critical to ensuring resilience outcome are delivered consistently across important business services and their enablers.
     
  • Terminology and alignment
    A consistent corporate language is essential; inconsistent terminology creates friction, slows decisions and weakens governance.
     
  • Extended supply chain resilience
    Raising the bar for extended supply chain resilience remains challenging. Understanding upstream and downstream dependencies and their potential to trigger cascading disruption is now a regulatory priority.
     
  • Meaningful scenario testing
    Scenario planning must explore a broad range of severe but plausible events, including effects on internal enabler functions. Testing should be data-driven and focus on minimum viable service, workarounds, substitutes and impact mitigation, not solely technical recovery timelines.
     
  •  Holistic, service-focused reporting
    Transitioning from siloed reporting towards holistic, service focused management information provides more actionable oversight and supports stronger regulatory dialogue.
     
  • Resilience by design
    Operational resilience requirements must be embedded within change processes. Integrating resilience considerations into transformation initiatives ensures tolerance protection is sustained over time.

Key focus areas in 2026 and beyond

As regulatory deadlines mature, attention is shifting from framework establishment to an enduring demonstrable capability.

  • IBSs, ITOLs and infrastructure investment
    While firms have identified important services and set impact tolerances using multiple metrics, the next phase is evidencing progress in building resilience infrastructure. This includes protecting ITOL positions against IT failure, cyber attack, third party disruption and broader shocks. In many cases, multi-year investment programmes may be required to close structural gaps.
     
  • High-severity cyber capabilities
    Sophisticated cyber attacks can breach impact tolerances. Firms are increasingly developing minimum viable service strategies, investing in recovery capabilities and prioritising time-critical service protection.
     
  • Material third parties
    Material third parties often represent the weakest link. Gaps remain in third-party cyber disruption strategies, prompting additional mitigation approaches and, in some cases, collective industry action where systemic risks exist.
     
  • Survivable communications
    While crisis communication plans exist, the survivability of tested, posing risks to transparency and confidence during disruption.

From regulatory requirement to strategic capability

Operational resilience is an enduring strategic capability, not a regulatory destination.
Firms that invest strategically, prioritise time-critical services, uplift third-party resilience and embed resilience dynamically into governance and change will be best positioned to meet regulatory expectations and maintain stakeholder trust during disruption.
When implemented strategically, operational resilience transforms from regulatory burden into competitive advantage, which enables organisations to thrive when others merely survive.
 

Operational resilience: considerations for treasury teams

Within treasury teams, operational resilience requires a fundamental shift from viewing treasury as a support function to recognising its critical role in enabling IBSs.
Key considerations for treasury teams include:

Cross-functional engagement and process mapping:
Treasury should engage closely with operational resilience and business continuity functions to map treasury processes against IBS delivery chains, identifying where treasury capabilities directly impact trading, settlement, payments and other critical services that must remain within impact tolerances during a disruption.

Leveraging existing capabilities and alignment:
Many treasury functions already possess robust business continuity and crisis management capabilities that can be enhanced to support broader operational resilience objectives. An important further consideration is ensuring that treasury recovery time objectives align with the firm’s established impact tolerances for its dependent IBSs.

Comprehensive scenario testing and communication:
Treasury should participate in operational resilience scenario testing, including being involved in communication protocols during prolonged market stress, where treasury’s role in maintaining stakeholder confidence may be paramount.

About the author

Simran Singh is a director at KPMG
 

You may also like

Marigona Kuci, treasury manager at Save the Children International

Ones to Watch focus: resilience in global humanitarian treasury

Read more
grand central birmingham

Deals of the Year focus: preparing for volatility

Read more
Scroll to top