Quantifying operational resilience: Exposure and return on investment

By Alexandra Cosma and Alicia Drewitt | September 10, 2025

Quantifying resilience links risk, capital, and recovery strategies, helping firms justify investments and meet regulatory self-assessment requirements.
Financial, Executive and Professional Risks (FINEX)

Financial institutions are no strangers to quantifying operational risk; it's a core component of ICAAP and ICARA frameworks. However, as the regulatory lens sharpens on operational resilience, the conversation is shifting. The focus is no longer on risk, but on the ability to prevent, adapt, respond, recover, and learn from disruption.

Whilst regulators currently stop short of explicitly mandating firms to quantify operational resilience exposure in all cases, they are increasingly calling for integrated thinking across risk, capital and resilience. This opens the door for firms to lead the way by applying financial and operational metrics to resilience scenarios, aligning with existing risk models, and demonstrating the value of resilience investments. Crucially, these quantification efforts also feed directly into the mandatory operational resilience self-assessment required by the FCA, providing a robust, data-driven demonstration of a firm’s resilience posture.

So, how can firms begin to bridge this gap and meet evolving expectations? Below are several practical strategies to help you bring quantification into your operational resilience toolkit.

Practical strategies to put numbers behind resilience

  1. Start with what’s already there

    Regulators ask that operational resilience is embedded within the organisation. Your existing risk department is a goldmine. Identify which scenarios, RCSAs and incidents already reflect resilience events. Use your ICARA/ICAAP quantification to get an idea of the operational resilience exposure the firm might face, and which are your top risks. This foundation can accelerate your quantification journey and ensure consistency across frameworks.

  2. Add resilience layers to operational risk

    Have you identified severe but plausible operational resilience scenarios that are not included in your ICAAP/ICARA? Consider including these in the future or alternatively use the same methodologies, including Impact Scenario Analysis and Value at Risk modelling, to quantify their impact on the business. This directly supports the regulator’s expectation for robust scenario testing that extends beyond mere time-based tolerances.

  3. Clarify your resilience return on investment

    Risk teams typically assess both inherent and residual exposures to account for the costs and benefits of controls and mitigation strategies. Many resilience initiatives focus on enhancing response and recovery capabilities to minimise the impact of adverse events. However, these resilience measures are often not accurately reflected in risk and scenario registers, making it unclear how much they reduce risk from inherent to residual. Clarifying this helps prioritise resilience strategies and demonstrate their return on investment.

  4. Introduce complementary financial metrics to operational resilience

    While time-based tolerances remain a crucial measure, introducing financial impact tolerance adds a new, measurable layer of resilience. This helps you define what financial “intolerable harm” really looks like and gives you a clearer target for mitigation. Here is an article we wrote on this topic.

  5. Inform your Self-Assessment

    The FCA mandate that firms produce a comprehensive operational resilience self-assessment. The quantitative insight gained from applying financial and operational risk metrics to scenarios, assessing the ROI of resilience investments, and defining financial impact tolerances will form a crucial evidence-based part of this assessment. This demonstrates your firm’s robust understanding and management of operational resilience to the Board and the regulator.

Example: Quantifying resilience

A UK financial institution recently reviewed its ICARA scenarios and identified that 4 out of 10 mapped directly to critical operational resilience risks, ranging from cyber disruption to third-party failure. Using the financial impact analysis from their scenario workshops, they were able to estimate potential losses and model their operational resilience scenarios. This not only clarified their resilience exposure but also helped justify targeted investments in controls and insurance, providing concrete data for their self-assessment.

Let’s talk about it

Quantifying operational resilience isn’t just a technical exercise; it’s a strategic opportunity to enhance decision-making, justify investments, and robustly demonstrate compliance. We’re interested in how others are approaching this challenge. Have you linked your operational risk efforts to your resilience ones? Have you found ways to demonstrate ROI on resilience investments? How are your quantification methods feeding into your self-assessment?

If you're exploring these questions, or want to, our Operational Risk Solutions team is here to help. Whether you're looking to define financial impact tolerances, quantify stressed scenarios, align ICAAP/ICARA with resilience initiatives, or strengthen your self-assessment, we can support you in turning resilience into measurable value.

Authors


Associate Director, Quantitative and Modelling, ORS – FINEX GB

Head of Innovation and Acceleration – FINEX GB

Operational resilience risk management and insurance contact


Paul Search
Head of FINEX Risk Solutions – FINEX GB
