[OR] [C2] Defining the Mandate

Chapter 2

Defining the Mandate

Why the Mandate Matters

Before assembling committees, appointing leads, or launching service-mapping workshops, a financial institution must answer a fundamental question: 

What exactly is the Operational Resilience (OR) function accountable for?

Without a clearly articulated mandate, operational resilience becomes:

• A duplicated extension of Business Continuity Management
• An IT-led disaster recovery enhancement
• A risk reporting exercise
• Or worse, a compliance project without strategic ownership

A defined mandate establishes purpose, scope, authority, reporting lines, and decision rights. It transforms operational resilience from a conceptual aspiration into an institutional responsibility.

Aligning with Regulatory Expectations

Across jurisdictions, supervisory authorities have shifted focus toward protecting critical financial services. Guidance influenced by the Bank for International Settlements emphasises:

• Identification of Critical Business Services (CBS)
• Setting impact tolerances
• Testing resilience under severe but plausible scenarios
• Board-level accountability

The OR mandate must explicitly reflect these expectations.

This ensures that operational resilience is not merely aligned to internal risk appetite but also demonstrates supervisory readiness.

Defining the Purpose of Operational Resilience

The mandate should articulate a clear purpose statement. For example:

“To ensure the institution can deliver its critical business services within approved impact tolerances during severe but plausible disruptions.”

This statement clarifies three essential elements:

1. Focus on services (not functions)
2. Focus on tolerances (not just recovery times)
3. Focus on disruption management (not prevention alone)

A concise purpose anchors all subsequent structural and governance decisions.

Establishing Scope Boundaries

One of the most common implementation failures arises from undefined scope.

The mandate must clarify:

1. Organisational Scope

• Entire legal entity?
• Regional operations?
• Specific subsidiaries?

2. Service Scope

• Customer-facing services only?
• Internal enabling services?
• Market infrastructure services?

3. Risk Scope

• Technology disruptions
• Cyber incidents
• Third-party failures
• Operational process failures
• Facility outages
• People-related disruptions

Without scope clarity, the OR team may face either underreach or unrealistic expectations.

Clarifying Ownership and Reporting Lines

Operational resilience cuts across multiple domains:

• Risk
• Operations
• Technology
• Cybersecurity
• Compliance
• BCM

Therefore, defining ownership is critical.

Key considerations include:

• Does OR report to the Chief Risk Officer (CRO)?
• Is it under the Chief Operating Officer (COO)?
• Is it an independent function reporting to the Board Risk Committee?

The mandate must specify:

• Primary executive sponsor
• Reporting frequency to senior management
• Escalation pathways
• Approval authority for impact tolerances

Ambiguity in reporting lines weakens authority and slows decision-making.

Differentiating OR from Existing Functions

To prevent duplication, the mandate must clearly distinguish operational resilience from related disciplines.

Business Continuity Management (BCM)

Focus: Recovery planning and recovery time objectives

IT Disaster Recovery (ITDR)

Focus: System restoration

Enterprise Risk Management (ERM)

Focus: Risk identification and risk reporting

Cybersecurity

Focus: Threat prevention and detection

Operational Resilience

Focus: Ensuring end-to-end delivery of critical services within impact tolerances during disruption

Operational resilience integrates the above functions but does not replace them. The mandate should emphasise coordination and integration rather than control takeover.

Defining Key Responsibilities

A well-defined OR mandate typically includes responsibility for:

1. Identifying and maintaining the inventory of Critical Business Services
2. Recommending impact tolerances for Board approval
3. Coordinating end-to-end service mapping
4. Designing and facilitating severe but plausible scenario testing
5. Consolidating resilience metrics and dashboards
6. Tracking remediation of resilience gaps
7. Reporting to senior management and Board committees
8. Supporting regulatory engagement on operational resilience

The mandate must make clear that OR owns the framework and governance, while business and technology owners remain accountable for service delivery and remediation.

Authority and Decision Rights

A mandate without authority is symbolic.

The OR function must have authority to:

• Request data across departments
• Convene cross-functional workshops
• Escalate unresolved resilience gaps
• Challenge assumptions on recovery capability
• Present independent findings to senior management

This authority must be formally documented in the OR Charter or Terms of Reference.

Integrating with Enterprise Strategy

Operational resilience should not operate as a reactive function.

The mandate should ensure OR engagement in:

• New product approval processes
• Digital transformation initiatives
• Outsourcing and third-party onboarding
• Mergers and acquisitions
• Major system migrations

Embedding OR early prevents retroactive remediation and demonstrates proactive governance maturity.

Resource and Capability Definition

The mandate should also define:

• Expected team size or structure
• Required competencies
• Budget ownership
• Technology support tools (e.g., mapping software, GRC platforms)

Under-resourcing operational resilience undermines credibility and implementation effectiveness.

Measuring Success

The mandate must define measurable outcomes, such as:

• Percentage of CBS mapped end-to-end
• Number of scenario tests conducted annually
• Closure rate of identified resilience gaps
• Time taken to escalate material disruptions
• Board reporting frequency and quality

Without defined success metrics, operational resilience risks becoming theoretical rather than performance-driven.

Common Pitfalls When Defining the Mandate

Financial institutions frequently encounter:

Overly Broad Mandate

Attempting to cover all operational risk areas immediately.

Overly Narrow Mandate

Limiting OR to documentation review only.

Ambiguous Accountability

Failing to distinguish between governance ownership and execution ownership.

No Executive Sponsorship

Mandate exists on paper but lacks leadership backing.

A balanced mandate should be realistic, phased, and aligned with institutional maturity.

Formalising the Mandate

The mandate should be documented in:

• Operational Resilience Charter
• Committee Terms of Reference
• Board-approved governance framework
• Internal policy documents

Board endorsement is critical. It signals institutional commitment and establishes accountability at the highest level.

Defining the mandate is the architectural blueprint of operational resilience.

It clarifies:

• Why does the function exist
• What it covers
• Who does it report to
• What authority does it hold
• How success will be measured

Without a clearly defined mandate, subsequent efforts—team formation, committee establishment, service mapping, and testing—will lack cohesion and direction.

With a well-articulated mandate, the institution establishes not only a governance structure but a strategic capability designed to safeguard critical business services under stress.

Key Insight:

The mandate is not a formality. It is the institutional contract that empowers operational resilience to move from policy intent to operational execution.

Building Operational Resilience in Financial Institutions: A Practical Guide to Governance, Team Structure and Sustainable Implementation
C1	C2	C3	C4

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.

More Information About Operational Resilience Course OR-5000 [OR-5] or OR-300 [OR-3]

To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer [OR-3] course and the  OR-5000 Operational Resilience Expert Implementer [OR-5] course.

	If you have any questions, click to contact us.