Assure Continuity with Operational Resilience
How can critical Information and Communication Technology (ICT) providers help bring stability, security, and innovation to financial institutions?
The financial services sector is front and centre when it comes to the demands of regulatory oversight aimed at improving operational resilience. As a strategic ICT partner to many financial organisations, Sword sees that these regulations bring two clear headline responsibilities – mandatory security requirements and minimum security standards. This is not the whole story, as understanding the innovation opportunities afforded by tackling resilience requirements is key to building competitive advantage. We asked Rob Mossop, COO at Sword, to talk us through how financial institutions can navigate compliance and drive excellence across critical financial and national infrastructure.
Financial institution regulations for operational resilience
Security regulations are tightening for financial institutions across the UK and Europe, including EU regulation DORA, the UK CSR Bill, and NIS2 (learn more in the glossary below). These regulations are designed to guide organisations as they look beyond their own infrastructure and operations, encouraging them to think of the broader impact on how disruption affects customers, not just internal systems. This means it’s important for organisations to reengineer ways of working and reporting methods for operational resilience, to develop a deep understanding of dependencies on critical systems and their tolerance for disruption.

Scrutiny on critical ICT providers
Critical third-party ICT providers play a key role in improving resilience, often responsible for the IT and digital infrastructure on which organisations’ critical systems run. Your strategic technology providers should help you to interpret and implement resilience requirements, and under tightening regulations like the UK CSR Bill, will become subject to regulations directly. Strong partnerships will help protect your organisation against threats and demonstrate a robust supply chain to regulatory bodies.
Resilience as the foundation for innovation
Many organisations are moving beyond baseline regulatory requirements, driving increased growth and customer engagement through the smart use of the data and technology operational resilience requires.
The data needed to demonstrate compliance can become central to understanding your operations, customer behaviour and product performance. Innovative organisations are leveraging their improved operational resilience, together with third-party assurances, to adopt new technologies that boost effectiveness and performance. This combination of insights from critical system behaviour and deeper knowledge of (and trust in) third-party providers allows organisations to understand what customers need from their products, and to iterate toward that need more quickly, with lower risk.
Simplified, trusted IT partnerships
Most organisations have a network of IT and digital providers, each delivering different services. Establishing a clear plan for how you would operate through disruption together, and the role each plays in response, is critical. Choosing capable ICT providers who have strong processes in place to assure resilient operations that meet compliance requirements is increasingly important.
Simplifying your partnerships around a small set of strategic partners, with whom you engage directly in support of your operational resilience plans, will help you to meet your regulatory needs and best prepare for disruption. Quickly identifying where disruption could occur in your supply chain can reveal fragility points and allow you to strengthen resilience, particularly when it comes to disruption response, where your IT partners need to understand their role in ensuring tolerance thresholds are not breached.
You should expect your technology providers to bring a wider view of processes and systems, moving beyond purely technology-based recommendations to encompass broader organisational needs, such as target operating models and service operating models.
Disruption to critical systems is rarely a “single provider” issue. Leaning on the operating models of your IT partners, and integrating them into your own, will help to ensure that multi-partner responses are easier to manage and monitor during an event.
M&A activity under the microscope
Financial institutions with intensive M&A programmes may find themselves under increasing scrutiny from all sides. Integration of systems and processes, or a need identified through due diligence and pre- or post-merger analysis, may add to compliance requirements. It’s important to keep a centralised view and protect all organisations involved to avoid inheriting bad behaviours, processes or suppliers that bring vulnerabilities. If you anticipate divesting, it’s equally important to prove that you’re selling a resilient, disruption-tolerant organisation that is ready to meet and report on compliance requirements.
Steps to take today
Current regulations do not provide detailed blueprints or formats for how organisations should track compliance. It is up to you, and your technology partners, to define these processes.
Take these regulations as a trigger to prepare against disruption and lay the ground for service progression – engage with your critical suppliers, map your third-party dependencies, and proactively orchestrate threat-led penetration testing exercises. Begin thinking now about how the data and technology you invest in can move your understanding of business operations and customer behaviours onwards, so that you spot innovation opportunities early.
Engage your suppliers in your planning, and ensure that your operating model and technology decisions are supportive of those plans. We all need to understand our role in the wider ecosystem of protecting our financial infrastructure to deliver critical customer services that are more tolerant of, and more responsive during, disruption.
Terminology Glossary
DORA – Digital Operational Resilience Act – EU regulation in place from 17 Jan 2025 to strengthen digital resilience of financial entities.
UK CSR Bill – UK Cyber Security and Resilience Bill was first read in Parliament on 12th Nov 2025, making amendments to 2018 legislation that aim to make essential and digital services more secure.
NIS2 – Network and Information Security 2 Directive is an EU cybersecurity law.
What next?
If you’re interested in more information on how to build operational resilience, you can read more about Sword’s services here – https://www.sword-group.com/uk-platform/
To get in touch with someone at Sword to find out how we can help, please email uk.info@sword-group.com
About Sword
Sword is a leading business technology company headquartered in Aberdeen, employing 650+ people across the UK. Our mission is to solve complex challenges, build operational resilience, and create efficiencies for organisations in the Finance, Energy, and Public Sectors.