Operational resilience
The ability to prevent, adapt to, respond to, recover from and learn from operational disruptions. Regulators — particularly DNB — have made operational resilience a top supervisory priority.
What is operational resilience?
Operational resilience is the ability of a financial institution to deliver critical services through disruptions. It goes beyond traditional business continuity — regulators now expect institutions to set impact tolerances for critical services and demonstrate they can remain within those tolerances under severe but plausible scenarios.
In the Netherlands, DNB has incorporated operational resilience requirements into its supervisory expectations. DORA adds a specific ICT dimension. The Basel Committee and FSB have also published guidance that shapes DNB's approach.
Key components
Critical service identification
Institutions must identify which services are critical — those whose disruption would cause significant harm to clients, markets or financial stability. This mapping must be regularly reviewed and board-approved.
Impact tolerances
For each critical service, institutions must define an impact tolerance: the maximum tolerable disruption, meaning how long the service can be unavailable before causing unacceptable harm. This goes beyond traditional recovery time objectives (RTOs) — it requires thinking from the client and market perspective.
Scenario testing
Institutions must test their ability to remain within impact tolerances under severe disruption scenarios — including cyber attacks, third-party failures, natural disasters and simultaneous disruptions. Testing must be documented and findings remediated.
Third-party dependencies
Critical service delivery chains must be mapped end to end, including third-party and fourth-party dependencies. Concentration risk in critical services must be identified and managed. DORA adds specific requirements for ICT third parties.
Communication and recovery
Institutions must have tested communication plans for disruptions — internal escalation, client communication and regulator notification. Recovery playbooks must be operational, not theoretical.
How Arcens helps
Horizon scanning: We track DNB guidance, DORA technical standards and international resilience frameworks to keep your approach current.
NFR management: We design operational resilience frameworks from critical service identification through to impact tolerance-setting, scenario design and governance integration.
Remediation: Operational resilience findings — particularly on testing quality and third-party mapping — are increasingly common in DNB examinations. We manage end-to-end remediation.
Quick facts
Framework: DNB supervisory expectations + DORA (ICT dimension)
Supervisor: DNB
Key concept: Impact tolerances for critical services