[MTE] [Mar 2025] [P3&P4] Decoding RBI's Operational Resilience Framework: Approaches and Challenges

Part 3: The Three Pillars of Operational Resilience: Key Compliance Themes in India

The Reserve Bank of India (RBI) Guidance Note on Operational Resilience establishes a structured framework for financial institutions to prepare for, respond to, and recover from disruptions. It is built on three fundamental pillars:

Prepare and Protect
Build Resiliency
Learn and Adapt

Together, these pillars cover 17 principles that serve as the foundation for strengthening operational resilience. While the complete set of principles is detailed in the RBI’s guidance, this blog highlights the broad compliance themes financial institutions in India are actively working on today.

Pillar 1: Prepare and Protect – Laying the Foundation for Resilience

The Prepare and Protect pillar establishes a strong governance structure, fosters a risk-aware culture, and implements proactive risk management frameworks. The key themes under this pillar include:

Governance and Oversight – organisations must have clearly defined roles and responsibilities for operational resilience at all levels, including board oversight.
Risk Awareness Culture – Financial institutions must embed resilience into their organisational culture, ensuring all employees understand their role in mitigating risks.
Comprehensive Risk Management – A structured risk assessment framework must be in place to identify, assess, and mitigate potential disruptions.

This pillar emphasizes that prevention is better than cure, focusing on identifying vulnerabilities before they escalate into significant disruptions.

Pillar 2: Build Resiliency – Ensuring Stability Through Robust Frameworks

The Build Resiliency pillar ensures that organisations can withstand disruptions and continue delivering critical services. It focuses on:

Business Continuity Management (BCM) – organisations must develop and maintain comprehensive BCM strategies, including disaster recovery plans.
Mapping of Dependencies (Internal & External) – Financial institutions must identify and manage their interconnections and interdependencies, both internally (across departments) and externally (third-party service providers and supply chains).
ICT & Cybersecurity Resilience – Given the surge in cyber threats, institutions must strengthen their IT infrastructure, implement cyber risk management frameworks, and ensure secure digital operations.
Incident Management Framework—Effective response mechanisms must be established to detect, assess, and contain incidents quickly before they cause significant disruptions.

This pillar ensures that financial institutions are not just reactive but proactive in managing risks and maintaining operational stability.

Pillar 3: Learn and Adapt – Continuous Improvement for Future Readiness

Operational resilience is not a one-time exercise—it requires continuous learning, monitoring, and adaptation to an evolving risk landscape. The Learn and Adapt pillar focuses on:

Incident Analysis and Lessons Learned – organisations must analyze past disruptions and integrate lessons learned into their risk management strategies.
Feedback Mechanisms – Implementing structured feedback loops ensures that resilience measures are continually refined.
Adaptive Risk Management - Financial institutions must stay agile and update risk strategies based on emerging threats and industry best practices.

This pillar emphasizes that resilience is a journey, requiring constant evolution to stay ahead of disruptions.

Bringing It All Together: Strengthening Operational Resilience

By integrating these three pillars, financial institutions can enhance their ability to anticipate, withstand, and recover from disruptions. The key takeaway is:

A strong governance structure and proactive risk culture (Prepare and Protect)
Robust business continuity and cybersecurity measures (Build Resiliency)
A commitment to continuous learning and adaptation (Learn and Adapt)

As Indian financial institutions align with these principles, they meet regulatory requirements and build a more resilient financial ecosystem that can sustain shocks and disruptions in an increasingly complex world.

Summing Up for Part 3 ...

The RBI's Operational Resilience framework mandates that Indian financial institutions adopt a three-pillar approach: Prepare and Protect, focusing on robust governance and risk culture; Build Resiliency, emphasizing business continuity and cybersecurity; and Learn and Adapt, promoting continuous improvement through incident analysis and feedback. By integrating these pillars, institutions aim to proactively manage disruptions, ensuring stability and adaptability in an evolving risk landscape, thereby strengthening the overall financial ecosystem.

Dr Goh Moh Heng, President of BCM Institute, summarises this webinar. If you have any questions, please speak to the author.

Part 4: Expected Outcomes from the 17 Principles of RBI's Operational Resilience Framework

The Reserve Bank of India (RBI) Guidance Note on Operational Resilience outlines 17 key principles under its three-pillar framework—Prepare and Protect, Build Resiliency, and Learn and Adapt. While these principles provide a structured approach to strengthening operational resilience, organisations must focus on their practical implementation and the expected outcomes demonstrating compliance.

This blog explores the expected outcomes financial institutions should aim to achieve when aligning their processes with RBI’s operational resilience framework.

Governance and Risk Culture – Building a Strong Foundation

Key Compliance Activities:

Establishing a board-approved operational risk management framework
Defining a Code of Conduct and Ethics Policy
Assigning roles and responsibilities across the Three Lines of Defense
Implementing a structured operational risk and resilience training calendar

Expected Outcomes:

A well-defined governance structure with accountability across all levels
A risk-aware culture that integrates resilience into daily decision-making
Employees are trained and aware of their roles in operational resilience

Board Roles and Responsibilities – Strengthening Oversight and Strategic Direction

Key Compliance Activities:

Developing charters, terms of reference, and accountability metrics for the Board and senior management
Establishing and approving risk appetite and tolerance statements
Defining and approving criteria for identifying critical processes and services

Expected Outcomes:

A clear accountability structure at the senior management level
Defined risk appetite and impact tolerance metrics for critical operations
Greater Board engagement and oversight in resilience initiatives

Risk Identification and Assessment – Proactively Identifying and Managing Risks

Key Compliance Activities:

Implementing a risk identification and assessment framework
Using standardized risk identification tools
Conducting control effectiveness assessments

Expected Outcomes:

A systematic risk identification process covering all operational risks
Enhanced ability to predict, assess, and mitigate risks proactively
Evidence-based reporting on control effectiveness and risk mitigation

Change Management – Ensuring Stability During Organisational Changes

Key Compliance Activities:

Defining a comprehensive change management framework
Developing policies for managing changes across products, services, processes, and systems
Establishing a centralized monitoring system to track and oversee changes

Expected Outcomes:

A structured approach to managing operational and technological changes
Minimized disruptions from changes through predefined approval processes
Improved visibility over changes impacting business continuity and resilience

Monitoring and Reporting Framework – Enhancing Transparency and Decision-Making

Key Compliance Activities:

Establishing reporting structures for different levels (Management, Board, Regulator)
Defining reporting timelines and requirements
Implementing real-time monitoring mechanisms

Expected Outcomes:

Timely and accurate reports available for decision-making
Improved incident response through real-time monitoring
Enhanced regulatory compliance with structured reporting

Interconnections and Dependencies – Mapping Critical Relationships

Key Compliance Activities:

Conducting detailed mapping of interconnections and interdependencies
Assessing dependencies across people, processes, technology, and third parties
Identifying internal and external vulnerabilities

Expected Outcomes:

Clear visibility into critical dependencies and potential vulnerabilities
Strengthened resilience by mitigating dependency-related risks
Improved incident response by understanding systemic interdependencies

Third-Party Risk Management – Ensuring Resilience Across External Partners

Key Compliance Activities:

Conducting risk assessments and due diligence during third-party onboarding
Implementing continuous monitoring of third-party resilience
Evaluating BCP and contingency plans of third-party vendors
Establishing exit strategies for critical third-party services

Expected Outcomes:

A robust third-party risk management framework
Reduced exposure to third-party failures and disruptions
Continuous assessment of vendor resilience capabilities

Summing Up for Part 4 ...

Financial institutions aiming to comply with the RBI's Operational Resilience Framework must demonstrate tangible outcomes across governance, risk management, and operational stability. This includes establishing clear accountability structures, embedding a risk-aware culture, proactively identifying and mitigating risks, managing changes effectively, ensuring transparent monitoring and reporting, mapping critical dependencies, and implementing robust third-party risk management. Achieving these outcomes ensures a resilient operational framework capable of withstanding disruptions and maintaining financial stability.

Dr Goh Moh Heng, President of BCM Institute, summarises this webinar. If you have any questions, please speak to the author.

Summing Up for Parts 1 & 2 & 3...

Click the icon on the right for the additional questions asked by the participants. However, due to a time shortage, Dr. Goh provided the answers.

Click the icon on the left to continue reading Parts 1 & 2 & 3 of Puja Khashu's presentation.

Decoding RBI's Operational Resilience Framework: Approaches and Challenges

More Information About Blended Learning OR-5000 [BL-OR-5] or OR-300 [BL-OR-3]

To learn more about the course and schedule, click the buttons below for the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.