Security · IT Support

Operational Resilience Is a Technology Strategy Problem

6 July 2026

Operational Resilience Is a Technology Strategy Problem

Operational resilience tends to get filed under compliance. A policy is written, a risk register is updated, and the conversation moves on until the next review cycle. That framing misses the point. Resilience isn't a document — it's a property of the systems and decisions underneath the document.

You cannot achieve operational resilience with a well-written policy sitting on top of a poorly governed technology environment. The strategy has to reach all the way down.

This article relates to the Technology Strategy & Governance domain of the Technology Resilience Score. It looks at whether your firm's technology decisions are actually aligned with its resilience obligations.

Why this is different for financial services firms

Financial services firms sit under some of the most explicit operational resilience expectations of any sector, yet many still treat technology strategy and regulatory resilience as separate conversations, run by different people, on different timelines.

  • Risk and compliance teams often define resilience requirements without technology input
  • Technology decisions are made by IT or an external provider without reference to resilience obligations
  • Important business services are rarely mapped to the specific systems that actually deliver them
  • Impact tolerances, where they exist, are frequently theoretical rather than tested

Resilience built this way looks complete on paper and untested in practice.

FCA operational resilience as a strategy question, not a policy one

The FCA's operational resilience framework asks firms to identify important business services, map the people, processes and technology that deliver them, set impact tolerances, and test their ability to stay within those tolerances. Every part of that chain runs through technology. A firm cannot map its important business services accurately without technology strategy input, and it cannot test impact tolerances without technology teams actively involved in the exercise.

This makes operational resilience inseparable from how a firm governs its technology decisions day to day. The key question becomes: "Does our technology strategy actually reflect what the business has told the regulator about its important services and impact tolerances?"

Is your firm's technology environment resilient?

Find out whether your technology strategy genuinely supports your resilience obligations.

Get your Technology Resilience Score

The problem with treating resilience as a compliance output

When resilience is owned entirely by risk or compliance functions, it tends to describe the business as it should be, not as it actually operates.

  • Resilience documentation drafted without close involvement from those who run the systems
  • No mechanism to keep the resilience plan updated as technology actually changes
  • Testing, where it happens, is a paper exercise rather than a technical one
  • Technology investment decisions made with no reference to resilience priorities

A plan disconnected from the technology it describes will not survive contact with a real incident.

What weak technology strategy and governance looks like in a financial services firm

These are common signs that resilience and technology strategy are running on separate tracks.

  • No single view connecting important business services to the systems that deliver them
  • Technology roadmap set independently of the firm's resilience obligations
  • Impact tolerances documented but never actually tested against real systems
  • No senior technology voice involved in resilience planning
  • Resilience reviewed annually, while technology changes continuously
  • No clear record of technology risk decisions for regulatory or audit purposes

Each gap widens the distance between what the firm says and what it can actually do.

What strong looks like

A firm with strong technology strategy and governance treats resilience as a live design constraint, not an annual report. Technology decisions are made with clear reference to which important business services they support, and resilience testing genuinely exercises the systems involved rather than just reviewing documentation.

Ownership is shared properly between the business and technology sides of the firm, so that resilience planning reflects how systems actually behave, not how they were originally described.

How this TRS domain helps financial services firms improve

The Technology Strategy & Governance domain of the Technology Resilience Score examines whether a firm has clear ownership, visibility and planning across its technology environment, connected directly to its resilience obligations.

  • Maps technology systems against the important business services they support
  • Assesses whether resilience testing genuinely involves technology teams
  • Reviews how technology investment decisions reflect resilience priorities
  • Checks whether governance produces evidence a regulator could actually review

The result is a score out of 5, giving your firm a clear baseline and a structured improvement path connecting strategy to real operational resilience.

Closing the gap between policy and practice

Firms that treat operational resilience purely as a compliance deliverable will keep discovering, usually during an actual incident, that the plan didn't match reality. Closing that gap starts with treating technology strategy as part of the resilience conversation, not a separate one.

The Technology Resilience Score gives ambitious financial services firms a benchmark across 10 domains, including Technology Strategy & Governance, so resilience becomes something the firm can actually demonstrate.

Related reading

Get your Technology Resilience Score

We use cookies to understand how visitors use our site and to improve your experience. You can accept all cookies or decline non-essential ones. Privacy policy.