[OR] [C6] Common Implementation Challenges

Chapter 6

Common Implementation Challenges

Introduction: From Design to Reality

Designing governance architecture, defining the mandate, and identifying team competencies are structured exercises. Implementation, however, introduces organisational realities.

Operational resilience (OR) is not implemented in a vacuum. It intersects with:  

• Existing control functions
• Resource constraints
• Competing transformation priorities
• Cultural resistance
• Regulatory pressure

Supervisory thinking shaped by institutions such as the Bank for International Settlements has elevated operational resilience to a Board-level issue. Yet translating this expectation into enterprise-wide execution is often complex.

This chapter examines the most common challenges financial institutions encounter during implementation and why they arise.

Challenge 1: “We Already Have BCM”

One of the earliest forms of resistance is conceptual.

Senior leaders may question:

• How is operational resilience different from Business Continuity Management (BCM)?
• Are we duplicating effort?
• Is this simply regulatory rebranding?

The challenge stems from misunderstanding the distinction:

• BCM focuses on recovery plans and recovery time objectives.
• Operational resilience focuses on maintaining critical business services within defined impact tolerances during severe disruption.

Without clear differentiation, OR initiatives risk being absorbed into existing BCM programmes without achieving systemic integration.

Challenge 2: Ambiguous Ownership

Operational resilience cuts across:

• Risk
• Operations
• Technology
• Cybersecurity
• Compliance
• Third-party management

This creates uncertainty:

• Should OR sit under the Chief Risk Officer?
• Should it be operationally driven by the COO?
• Is it technology-led?

If ownership is not clearly defined at the outset, implementation stalls due to decision paralysis. Departments may defer responsibility, waiting for formal direction.

Clarity in executive sponsorship is critical to overcoming this barrier.

Challenge 3: Siloed Organisational Structures

Financial institutions are often structured by business lines and functional silos. Operational resilience requires cross-functional mapping of:

• Systems
• Vendors
• People dependencies
• Facilities
• Data flows

Siloed structures make it difficult to:

• Obtain complete information
• Identify shared infrastructure
• Detect concentration risks
• Coordinate remediation

Departments may also be reluctant to expose vulnerabilities that could reflect poorly on performance metrics.

Breaking silos requires strong governance authority and structured facilitation.

Challenge 4: Defining Critical Business Services (CBS)

Identifying CBS is frequently contentious.

Common debates include:

• Should revenue size determine criticality?
• Are internal support services considered critical?
• Does regulatory importance override profitability?
• How do we treat newly launched digital products?

Different stakeholders may prioritise different services based on strategic interest.

Without objective criteria, CBS identification can become political rather than analytical.

Clear criticality criteria aligned to customer harm, financial stability, and regulatory impact are essential.

Challenge 5: Quantifying Impact Tolerances

Operational resilience introduces the concept of impact tolerances—thresholds beyond which disruption becomes intolerable.

This presents practical difficulties:

• Limited historical disruption data
• Difficulty modelling reputational impact
• Uncertainty in estimating customer harm
• Lack of financial loss modelling capability

Impact tolerance discussions may become speculative without robust analytics.

Institutions often underestimate the level of cross-functional data required to support credible tolerance setting.

Challenge 6: Data Fragmentation

Operational resilience relies on consolidated information from:

• IT asset inventories
• Vendor databases
• Risk registers
• BCM documentation
• Incident logs

In many institutions, these data sources are inconsistent, incomplete, or maintained separately.

Data fragmentation leads to:

• Incomplete service maps
• Misaligned recovery assumptions
• Inaccurate reporting

Establishing reliable data integration processes is often more resource-intensive than anticipated.

Challenge 7: Resource Constraints

Operational resilience requires:

• Cross-functional workshops
• Dedicated mapping activities
• Scenario testing exercises
• Remediation tracking
• Ongoing governance reporting

Business units may prioritise revenue-generating initiatives over resilience initiatives.

OR roles are sometimes assigned as secondary responsibilities, leading to insufficient focus and delayed milestones.

Sustainable implementation requires dedicated time and budget allocation.

Challenge 8: Governance Fatigue

Senior executives often participate in multiple committees:

• Risk Committee
• Audit Committee
• IT Steering Committee
• Compliance Committee

Introducing an additional Operational Resilience Committee may encounter resistance.

Without integration into existing governance forums, OR risks being perceived as administrative overhead rather than a strategic necessity.

Governance design must balance oversight discipline with practical efficiency.

Challenge 9: Cultural Resistance to Transparency

Operational resilience testing exposes weaknesses.

Scenario exercises may reveal:

• Inadequate failover capacity
• Over-reliance on single vendors
• Unclear escalation triggers
• Insufficient documentation

In some organisational cultures, identifying weaknesses may be perceived as failure rather than proactive risk management.

Creating a psychologically safe environment for vulnerability identification is essential for resilience maturity.

Challenge 10: Demonstrating Value to Senior Management

Operational resilience is preventive in nature. Its success is often measured by the absence of catastrophic failure.

Executives may ask:

• What is the return on investment?
• Why allocate resources to hypothetical scenarios?
• Are we over-engineering controls?

Without a clear articulation of customer, regulatory, and financial risk implications, OR may struggle to secure sustained sponsorship.

Linking resilience gaps to potential financial exposure strengthens the business case.

Challenge 11: Integration with Digital Transformation

Financial institutions are simultaneously pursuing:

• Cloud migration
• API integration
• Digital banking expansion
• Fintech partnerships
• Artificial intelligence adoption

Rapid transformation introduces new dependencies and vulnerabilities.

If operational resilience is not embedded in transformation governance processes, mapping and impact tolerance design may quickly become outdated.

Resilience must evolve in parallel with digital innovation.

Challenge 12: Sustaining Momentum After Initial Rollout

Many institutions experience strong early momentum driven by regulatory deadlines. However, after initial CBS identification and mapping:

• Scenario testing frequency declines
• Reporting becomes routine
• Remediation tracking slows
• Senior engagement decreases

Operational resilience must be embedded into annual planning cycles, performance objectives, and continuous improvement frameworks to remain effective.

Indicators That Implementation Is Struggling

Warning signs include:

• Incomplete or outdated service maps
• Limited cross-functional attendance at OR workshops
• Repeated postponement of scenario testing
• Minimal Board-level challenge
• Lack of documented remediation progress
• Confusion over ownership

Recognising these signals early enables corrective action.

Implementation challenges are not signs of failure; they are indicators of organisational complexity and maturity progression.

Operational resilience requires:

• Cultural alignment
• Data discipline
• Cross-functional collaboration
• Executive sponsorship
• Sustained governance attention

Financial institutions that anticipate and manage these challenges build stronger, more integrated resilience capabilities.

Key Insight:

The true test of operational resilience lies not in drafting frameworks, but in overcoming organisational resistance, integrating silos, and embedding resilience thinking into everyday decision-making.

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.

More Information About Operational Resilience Course OR-5000 [OR-5] or OR-300 [OR-3]

To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer [OR-3] course and the  OR-5000 Operational Resilience Expert Implementer [OR-5] course.