Executive summary
In 2026, regulators expect financial institutions to withstand disruption, not simply respond to it. Now more than ever, a resilient compliance function is key. Grant Thornton’s Leslie Watson-Stracener and Oliver Dennison, partners within the firm’s Risk Advisory Services practice, share their insights on what a resilient financial institution really looks like, how to build toward resilience and how it helps organizations not only protect their data against disruptions, but build trust with regulators and customers.
Strategies to meet rising regulatory and customer expectations
What does “resilience” mean for financial institutions today?
Oliver Dennison: For financial institutions today, resilience is no longer simply about responding to and recovering from an event after it occurs. The expectation now is that the institution can withstand events that previously would have impacted service continuity or that would have required the business to invoke a recovery plan.
Why are financial institutions approaching resilience differently today?
Oliver Dennison: The subject of resilience is coming up more and more frequently with our clients. A big part of that renewed focus is tied to changes in operating models.
Historically, resiliency was managed under business continuity and disaster recovery. Those frameworks were largely inward-looking. They focused on the internal enterprise’s operating model — the functions and services that supported it. Customer interaction at that time was generally through a human portal and often paper-based, with the action then occurring either at the end of the day or the next day. A disruption could occur internally, and the organization would recover without it being immediately visible.
That environment no longer exists. Today, institutions are bringing customers directly into their operating and service environments rather than allowing them to sit on the periphery. In addition, more third parties and service providers are engaged in delivering services.
That interconnectivity creates huge opportunity, but it also introduces operational complexity. There are more dependencies, more integration points and, as a result, more ways disruption can occur — whether through cyber threats, vendor breakdowns or weaknesses within the operating model itself.
With customers now sitting inside the institution's operating model, they’re interacting through integrated digital channels where self-service is the norm. When disruption occurs, it is experienced in real time.
Because of that shift, resilience is no longer just about responding to and recovering from an event. It’s about ensuring that challenges — whether continuity failures, bad actors or breakdowns within the operating model — are absorbed in a way that minimizes visible impact to customers, while managing the event in real time. The expectation has moved from recovery after the fact to withstanding disruption as it happens.
Leslie Watson-Stracener: I would add that shifting regulatory priorities and customer expectations have elevated the importance of resilience.
Regulators now expect an enterprise-wide approach to resilience, one that integrates governance, strategy, financial management, cyber, third-party and workforce continuity. Siloed risk teams or isolated operational fixes no longer meet supervisory expectations. Outages or disruptions are no longer viewed as isolated IT failures; in the eyes of both customers and regulators, they represent enterprise-level breakdowns with real financial and reputational consequences.
Customers, too, are increasingly aware of and concerned about cyber risks and the security of their personal data. Their expectations for transparency, protection and rapid recovery have never been higher.
Where resilience once was an inward-facing, risk management-focused issue, it’s now also a trust- and reputation-building concern. When executed well, resilience strengthens competitive advantage — enabling faster responses than peers, supporting informed internal risk-taking and fostering a culture of innovation.
Embedded customer activity and data raise the stakes for resilience
How have today's customers changed the meaning of resilience?
Oliver Dennison: Not so many years ago, financial services customers and suppliers could have been largely blind to a business continuity or disaster recovery event. A disruption might have occurred internally and the institution would respond and recover without that failure being fully visible externally.
But in 2026, data capture and the supporting architecture are highly developed, integrated and de-centralized. Because of that, resilience from a security and cyber perspective becomes critical. Institutions need to ensure that data remains accessible — accessible only to the right people — and that during a breach or disaster, they understand exactly where that data resides, who has access to it and whether it has left the operating model.
This becomes even more complex when data is held by third parties. Institutions need to consider whether providers are operating with the same level of resilience customers expect from the financial institution itself.
An example of this is that many customers have absolved their data, transaction and security responsibilities to their financial services provider. If there is an unknown merchant transaction or payment value error, then the customer calls their bank or card provider. Banks have been re-classified from payment facilitators to transaction owners and therefore owners of all data and service elements associated with that transaction.
This has increased the expectations that their customers — both purchasers and merchants — have of them and their ability to respond immediately. A bank’s resilience model needs to consider the need to be able to bring together all parties within a transaction and to be able to do so across all potential scenarios and time zones.
Resilience needs to be cross-functional
How should banks assess resilience across their operating model?
Oliver Dennison: When we look at resilience within the operating model, it starts with identifying the critical services and functions that require elevated resilience. Not every activity carries the same level of risk. The goal is to understand where disruption would have the greatest impact — whether that’s to customers, data or regulatory obligations.
Many institutions approach this through their Risk and Control Self-Assessment, or RCSA, process. RCSA evaluates key processes and activities, assesses inherent risk, reviews the controls in place and determines what risk remains. That helps leadership see where both inherent and residual risk truly resides and where controls, and therefore resiliency factors, need to be strengthened.
Controls generally fall into two categories. Preventive controls are designed to stop something from going wrong in the first place; they are actively embedded into processes and serve as defensive triggers. Detective controls are designed to identify issues after they occur; they’re retrospective in nature and focus on finding and alerting to errors, fraud or anomalies to trigger corrective actions. Both are important, with preventive controls reducing the likelihood of disruption and supporting active resilience and detective controls helping institutions recognize challenges that need to be strengthened within their control environment.
By evaluating the controls embedded within the specific activities that support critical services and functions, including those provided by third parties, institutions can identify early signs of stress and address them before they escalate to being an event. Used properly, RCSA helps clarify control ownership, highlight downstream impact and ensure resilience is built into processes — not added on after the fact.
How does aligned governance, compliance and audit improve resilience?
Leslie Watson-Stracener: Resilience is significantly stronger when governance, controls, compliance and audit are aligned rather than operating in silos. A resilience program shouldn’t function as a standalone effort — it should be embedded in the financial institution’s broader risk management structure.
That means leveraging existing frameworks, business continuity planning, disaster recovery and governance committees and ensuring resilience activities align with those established structures. When resilience is integrated within those structures, institutions can drive consistency across business lines, technology and risk functions.
Compliance and audit play a critical role by independently assessing whether the resilience strategy is well designed, clearly documented and aligned with regulatory expectations. Their oversight helps confirm that roles, responsibilities, governance structures, reporting and escalation processes support coordinated and timely decision-making.
It’s also essential to look across departments at existing controls, testing routines and scenario analyses and to identify opportunities to consolidate or better coordinate these efforts for a more unified, enterprise-wide resilience program.
These functions work together to provide the structure and visibility needed to anticipate emerging risks and adapt to regulatory or strategic change, while maintaining operational continuity and protecting customers.
How is resilience tested?
Oliver Dennison: One of the questions we’re asked most often is how resiliency should actually be tested. Historically, that meant desktop disaster recovery exercises or simulations where we sent most employees home to see if the organization could continue operating remotely. At the time, that was considered a meaningful test.
Those days have changed. Most institutions now operate in hybrid or distributed environments. Simply proving people can work from home isn’t enough.
Testing has also shifted from being focused on the institution’s operating model to the service model. Because customers now reside within that service model, they have to be central to all resilience planning and scenario design.
Today, organizations need to focus more on identifying emerging risks and actual operational risk events, including direct incidents and even near-misses. Scenario development shouldn't be about replaying what happened yesterday, but about asking what could happen tomorrow. That might include risks tied to new products, changes in the operating model or increased reliance on third parties.
Financial institutions need to look closely at their resilience plans and the scenarios they use to test them, and ask whether those scenarios reflect how the institution actually operates today, as opposed to how it is evolving.
2026 priorities: Strengthening governance, data and third-party risk management
Where should financial institutions focus on building resilience in 2026?
Leslie Watson-Stracener: In 2026, building resilience really starts with clarity. Governance and documentation must evolve alongside the institution’s strategy, products and operating model. That requires modernizing governance structures — standardizing charters, policies and templates — so they clearly define purpose, scope, roles, decision rights and escalation paths. When these elements are clear, coordination during disruption becomes far more effective.
It’s also important to centralize governance materials. Institutions should maintain version-controlled repositories to help ensure teams are working from the most current policies and procedures. Documents need to be written in plain, concise language with consistent terminology and clearly defined ownership, reducing ambiguity and making governance usable in day-to-day operations.
Strengthening data and model oversight is also critical, particularly as AI adoption accelerates. Governance, validation and monitoring frameworks need to address AI-driven risks while ensuring data quality, transparency and consistent controls across models. That same level of rigor should extend to third-party and technology risk management, especially where critical services or customer data are involved.
Oliver Dennison: I’d build on that by emphasizing monitoring and early detection. Customers and regulators are increasingly focused on whether data aligns with historical patterns and projected outcomes. Dynamic correlative reporting, supported by AI and automated controls, gives institutions better visibility into emerging issues.
These tools allow financial institutions to establish inner and outer boundaries that signal when the organization may be approaching a resiliency event. This helps organizations recognize stress early enough to avoid entering a resilience state altogether.
That expectation should also apply to third parties. Many fintechs are already advancing AI-driven monitoring and performance analytics to prevent disruptions. Financial institutions should expect similar resilience standards across vendors, particularly where customer data and direct customer service are involved.
Leslie Watson-Stracener: Another priority is breaking down silos. Resilience is stronger when risk, compliance, audit, technology and the business share consistent visibility into emerging risks and boundary thresholds. When decision-making is coordinated across the enterprise, the organization can respond in a unified way that supports all customers and stakeholders.
Oliver Dennison: And ultimately, none of this works without the right culture. Technology and automation are powerful, but people are at the center of a resilient organization. Through training and communication, resilience becomes embedded in how architectures are designed, decisions are made and services are provided.
Contacts:
Managing Director, Regulatory Compliance Solutions, Risk Advisory Services
Grant Thornton Advisors LLC
Partner, Regulatory Compliance Solutions, Risk Advisory Services
Grant Thornton Advisors LLC
Content disclaimer
This Grant Thornton Advisors LLC content provides information and comments on current issues and developments. It is not a comprehensive analysis of the subject matter covered. It is not, and should not be construed as, accounting, legal, tax, or professional advice provided by Grant Thornton Advisors LLC. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this content.
Grant Thornton Advisors LLC and its subsidiary entities are not licensed CPA firms.
For additional information on topics covered in this content, contact a Grant Thornton Advisors LLC professional.