Operational Resilience – Why It’s More Than Just a Compliance Exercise

Phil Doak
July 2025
Operations

While sitting in hospital after an op and contemplating my own “operational resilience”, I have been doing some work reading (sad I know) and came across this research “Surviving digital fallout: Operational resilience in 2025 and beyond” which I thought was a good read and provided some valuable perspectives relating to operational resilience.

It has a Euro focus with reference to DORA (Digital Operational Resilience Act) as a backdrop but closer to home APRA’s CPS230 and CPS 234 standards have set out similar expectations.

From Recovery to Resilience

Among the points noted was a shift in mindset from “disaster recovery” to “disaster prevention and operational resilience”, and investing in the infrastructure and processes to enable a pivot for financial firms from a “reactive” to a “proactive” posture. The concept of a “self-healing” technology infrastructure was of particular interest.

NZ’s Regulatory Landscape

In recent times the NZ arms of Australian entities captured by APRA’s CPS230 have been required to engage with those requirements, supporting wider Group uplifts relating to operational risk management, business continuity management, managing third party suppliers, and technology. The CPS230 approach requires a customer-centric approach to thinking about critical operations, processes and disruption tolerances.

Under the RBNZ’s Deposit Takers Act non-core standards, the expectations, while still forming and due for further consultation q1 2026, then issue early 2027, perhaps not surprisingly bear more than a passing resemblance to those of CPS230. They include standards relating to risk management, operational resilience and outsourcing.

The FMA’s standard conditions for licenced entities also span this territory covering outsourcing, business continuity and technology systems.

So, NZ is heading in a similar direction, albeit with some runway still ahead of us and, I expect, further maturing of capabilities in this area will be required.

Beyond Compliance: Building Competitive Advantage

Of note from the research was the observation that “In the most effective cases, firms go beyond compliance, and exploit regulations as a business opportunity to stimulate productivity, increase competitiveness, and reduce costs.” As we face into the prospect of dealing with whatever the next operational crisis may be, either at an industry or an individual firm level, adopting a mindset beyond that of “pure compliance” in this area at least, might see us even better positioned to respond.

Read Surviving digital fallout: Operational resilience in 2025 and beyond research document.