[OR] [C4] Identifying Team Composition

Chapter 4 

Identifying Team Composition

From Governance to Capability

With the mandate defined and governance architecture established, the next critical step is identifying the right team composition.

Operational resilience (OR) is not sustained by committees alone. It requires a multidisciplinary team with the authority, technical capability, and cross-functional influence to coordinate resilience across the institution.

Unlike traditional control functions, operational resilience integrates business, risk, operations, and technology expertise around critical business services (CBS). Therefore, team composition must be deliberate—not incidental.

Designing Around Capabilities, Not Titles

A common mistake in financial institutions is assigning OR responsibility to an existing function without evaluating whether the required capabilities exist.

Rather than asking:

“Which department should own operational resilience?”

Leadership should ask:

“What capabilities are required to deliver end-to-end service resilience?”

The OR team should be structured around capability domains:

• Service mapping and dependency analysis
• Impact tolerance design
• Severe scenario testing
• Data analytics and reporting
• Third-party risk coordination
• Governance and regulatory liaison

Team composition should reflect these capabilities.

Core Roles Within the Operational Resilience Team

While size and structure depend on institutional complexity, a typical OR function includes the following core roles:

Head of Operational Resilience (OR Lead)

Primary Responsibilities:

• Own the OR framework
• Advise the executive sponsor
• Present to the OR Committee and Board
• Coordinate cross-functional stakeholders
• Ensure regulatory alignment

Required Competencies:

• Strong governance experience
• Cross-functional leadership
• Risk and operational knowledge
• Senior stakeholder engagement capability

The OR Lead must have institutional credibility and authority to challenge assumptions.

Service Mapping Lead

Primary Responsibilities:

• Map end-to-end CBS
• Identify dependencies (people, process, technology, third parties, facilities)
• Maintain service inventory

Required Competencies:

• Process mapping
• Systems architecture understanding
• Operational workflow analysis
• Documentation discipline

This role is critical to identifying systemic vulnerabilities.

Scenario Testing and Stress Testing Lead

Primary Responsibilities:

• Design severe but plausible scenarios
• Facilitate testing workshops
• Coordinate simulation exercises
• Analyse outcomes and recommend remediation

Required Competencies:

• Scenario design methodology
• Risk quantification
• Facilitation skills
• Crisis simulation experience

Testing moves OR from theoretical mapping to practical validation.

Data and Reporting Analyst

Primary Responsibilities:

• Develop resilience dashboards
• Track impact tolerances
• Monitor remediation progress
• Prepare committee reporting packs

Required Competencies:

• Data analytics
• Dashboard development
• Management information systems
• Attention to detail

Operational resilience governance depends on measurable indicators.

Third-Party and Dependency Coordinator

Primary Responsibilities:

• Align OR mapping with vendor risk assessments
• Identify concentration risks
• Monitor critical service providers
• Coordinate resilience requirements in contracts

Given increasing outsourcing and cloud adoption, this role is increasingly essential.

Extended Stakeholder Representation

Operational resilience is enterprise-wide. The OR core team must engage extended stakeholders, including:

• Enterprise Risk Management
• Business Continuity Management
• IT Disaster Recovery
• Cybersecurity
• Operations
• Compliance
• Legal
• Human Resources (for people dependency risks)

The OR function governs and integrates but does not replace these functions.

Full-Time vs. Hybrid Resourcing Model

Financial institutions typically adopt one of three models:

1. Centralised Full-Time Model

A dedicated OR team with full-time resources.

Suitable for:

Large, complex, or systemically important institutions.

2. Hub-and-Spoke Model

Small central OR team supported by designated OR champions within each business unit.

Suitable for:

Mid-sized institutions balancing efficiency and coverage.

3. Embedded Model

OR responsibilities embedded within Risk or Operations with shared accountability.

Suitable for:

Smaller institutions with limited resources.

Most mature institutions adopt a hybrid model to ensure central governance with distributed execution.

Competency Framework for Team Selection

When identifying team members, institutions should assess:

Operational resilience requires both technical understanding and strategic influence.

Positioning Within the Three Lines Model

Team composition must align with governance structure:

First Line

Business service owners are accountable for service delivery.

Second Line

Operational Resilience team is overseeing the framework and challenge.

Third Line

Internal Audit provides independent assurance.

The OR team typically operates within the second line but must collaborate closely with the first line.

Authority and Independence Considerations

For the OR team to function effectively:

• It must have authority to request data across departments.
• It must be empowered to challenge recovery assumptions.
• It must have direct access to executive sponsorship.

Without formal authority, the team risks becoming a coordination function without influence.

Common Team Composition Challenges

During team formation, financial institutions often face:

Role Ambiguity

Overlap between BCM, ITDR, and OR responsibilities.

Insufficient Seniority

Junior-level appointments lacking cross-department influence.

Resource Constraints

OR treated as a secondary assignment rather than a primary responsibility.

Skills Gap

Limited internal expertise in impact tolerance modelling and scenario design.

Proactive planning and executive backing are essential to overcome these challenges.

Phased Team Development

Institutions do not need to build a full-scale team immediately. A phased approach may include:

Phase 1: Foundation

• Appoint OR Lead
• Establish governance
• Identify the initial CBS

Phase 2: Capability Build

• Recruit or assign service mapping and testing specialists
• Develop dashboards

Phase 3: Maturity

• Expand scenario testing
• Enhance third-party integration
• Introduce advanced analytics

Phased scaling ensures sustainability.

Indicators of Effective Team Composition

An effective OR team demonstrates:

• Clear role definitions
• Defined RACI structure
• Balanced technical and governance expertise
• Strong executive access
• Cross-functional trust
• Regular scenario testing execution

The team should function as an integrator—not an isolated unit.

Operational resilience cannot be delivered by policy documents alone. It requires a structured team with:

• Clear accountability
• Cross-functional capability
• Analytical depth
• Governance discipline
• Executive support

Identifying the right team composition transforms operational resilience from a regulatory requirement into a sustainable organisational capability.

Key Insight:

The strength of operational resilience lies not in the number of committees formed, but in the capability, authority, and coordination power of the team tasked with protecting the institution’s critical business services.

Building Operational Resilience in Financial Institutions: A Practical Guide to Governance, Team Structure and Sustainable Implementation
C1	C2	C3	C4

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.

More Information About Operational Resilience Course OR-5000 [OR-5] or OR-300 [OR-3]

To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer [OR-3] course and the  OR-5000 Operational Resilience Expert Implementer [OR-5] course.

	If you have any questions, click to contact us.