Operational Resilience Refresh 2025

  • Derek McGibney
  • Oct 2, 2025
  • 5 min read

Updated: Oct 3, 2025

Our most recent update to the Operational Resilience guidance reaffirms and deepens our recommendations for firms managing operational risk. Whether or not you have access to large resources, it is an inescapable fact that, in addition to proper planning and monitoring, you rely on your partners for resilience. We have updated our white paper on operational resilience with reference to the latest guidance. We also look to the horizon for any emerging icebergs.


Our recent update incorporates lessons learned from evolving post-COVID threats, rapid technology changes (including AI risks) and heightened regulatory expectations. Key updates in guidance and best practices are highlighted with tracked changes, and the paper covers the required controls that all firms should consider.


The whitepaper was originally drafted in 2022 (see "Holding it all together", Source: Cognitive GRC) in response to updated expectations following COVID, and has been reviewed to bring it up to date with the latest threat horizon. The aim here is to reposition cyber concerns within operational resilience so that these diverse threat vectors can be managed within most firms' governance frameworks in a practical and straightforward manner.


Management teams are encouraged to read the paper and consider whether they need to upgrade any aspects of their mitigation response programmes.


Clients can refer to the white paper on our resources repository (on our client VDR: datasite), where we provide clean and tracked-change versions called Operational-Resilience-2025-Business-Continuity-and-Resliency-Planningvf1.0.docx. We cover the known risk universe that all firms should be aware of, as well as the most recent regulatory guidance. However, we are also looking to the future and the ways in which the industry can practically respond to an ever-changing and uncertain landscape.


We recognise that the whitepaper is a broad compendium of potential issues, so please find below a summary of the recent changes as a primer for our webinar on Operational Resilience hosted by AIMA on 16 October.


This will be a forerunner to a focused discussion on digital resilience and cyber with industry leaders at the AIMA APAC Forum later this month, and will revisit our sessions on operational resilience from 2022 (Bouncebackability) and 2023 with a fresh focus on AI, third-party and fourth-party risk. We draw on recent AIMA updates around AI adoption and our own engagement with the developing technology.


Our observations

  • Firms must incorporate technology resilience and AI-related threats into their operational risk frameworks, reflecting an accelerated regulatory focus on digital risks: new developments bring both new risks and new mitigation options within the existing threat landscape.

    • AI/LLM adoption is rapidly advancing and, much like digital assets, people are adopting and adapting at different paces. While the broader market is untethered from the risk/reward profile of our peers and is making waves, financial services firms need to take a much more cautious approach.

    • As we witness a surge in AI "experts", similar to what occurred with the rise of virtual/digital asset markets, we remain cautious of a potential FTX-like failure in this field. It is essential to balance the fear of missing out against the genuine risk of falling behind competitively. This topic was addressed by our panellists at a recent AIMA webinar on AI in ODD and Internal Processes (available for AIMA member playback, Source: AIMA). We must be careful not to overextend ourselves. Although we do not have all the answers yet, we are, as always, cautiously observing and experimenting within safe, controlled environments. We are adhering to our risk-averse principles while preparing for the inevitable wave of disruptive advancements likely to propel our industry forward. We believe that while AI/LLM usage will significantly impact daily working life, technology will not completely replace us. Typically, technology and innovation drive change, but a comprehensive risk-based approach still requires human intuition to handle issues beyond mere probability and statistics. The risk of unpredictable events will persist as chaos and order continuously clash. Our experience shows that the nuanced approach required for effective risk management often serves as the better tool for weathering the storm of impending uncertainty. While AI will serve as both a risk and a mitigation tool, humans will still be needed to make risk-based decisions on the increasingly detailed information made available.

  • Outsourced third-party and fourth-party risks need to be more actively managed around nuanced threat postures. The renewed focus should be on addressing vendor dependencies and the dynamic impact of AI/LLM use, with specific, managed review of due diligence, contract checkpoints and transition readiness in case of provider concerns.

  • Updated expectations from regulators (e.g., SFC, IOSCO) stress the need for actionable, scenario-driven incident response planning, including exit plans and wind-down scenarios with funding arrangements and clear roles for senior managers in managing wind-down risks.


Key Recommendations for Managing Operational Risk from our paper

  • Add a tiered incident response protocol focused on staff safety, client asset protection, swift containment of data breaches and a clear communication hierarchy. You can refer to our 'Don't Panic Sheet' and Incident Hierarchy processes as recommended operational tools for a crisis situation. We have developed these from our experience developing response processes and conducting recovery scenario testing with our clients.

  • We continue to categorise the risk horizon into four critical threat areas, which should be reconsidered as they apply to your firm as it grows and adapts to its environment:

    • Environmental/physical disruptions

    • System/infrastructure failures

    • Malicious actor/cyber attacks

    • Service provider/third party risks

  • For AI and LLM usage, enforce technology-neutral governance. Firms should ask vendors whether any proprietary or client data is used for model training, require updates on controls, and ensure in-house teams are trained on emergent digital risks.

  • Business continuity plans should go beyond basic internet fail-over tests, covering data loss, geographic risk, supply chain dependencies, and tailored exercises that test real-world recovery capabilities.

  • Firms should regularly reassess resilience plans for redundancy, remove single points of failure, ensure cross-training, and update documentation as required. In the case of a wind-down or crisis, firms must maintain clear, documented exit plans as per regulators' expectations, which apply to firms of all sizes.


Having a policy is a start, but it needs to be tested to breaking point if it is going to be useful.


Latest expectations on Security from SFC

In early 2025, following a thematic review, the SFC emphasised enhanced cybersecurity standards across network security, patching, encryption, access management and oversight of third-party risks. The regulator's thematic reviews identified continued vulnerabilities, and it has outlined expectations for senior management accountability and operational resilience to protect client data and market integrity in the evolving digital landscape.


Actions for firms to consider

  • Reach out to your partners and ask them what they are tackling or considering in terms of risk vectors and mitigation.

  • Review and update operational resilience and continuity plans to account for new regulatory and technology risks as highlighted in our paper.

  • Enhance and document vendor oversight, specifically regarding cybersecurity, data leakage, software lifecycle and AI risk management. What are they doing to address the new risk environment, and what are they doing with your data?

  • Come to AIMA's Webinar on 9th of October for a summary of practical considerations and join the debate at AIMA APAC Forum 2025, 28th October.


We thank AIMA, our broader contact group, industry partners and engaged clients for feedback on our work. We look forward to working with you in the future to address these emerging threats and opportunities.