Board and Senior Management Oversight: Information and Updates from the Operational Resilience Team
Introduction
In today’s rapidly evolving risk landscape, operational resilience has become a top priority for boards.
Regulators globally, including those aligned with the Basel Committee on Banking Supervision (BCBS), expect the Boards of Directors and Senior Management of financial institutions to oversee and guide their resilience strategies actively.
This oversight is not passive; it requires timely access to key information, critical analysis of the resilience posture, and informed decision-making based on operational risks and emerging threats.
To support this governance expectation, the operational resilience team must establish a structured, recurring communication process with the bank’s leadership.
This includes providing focused updates, scenario test outcomes, Critical Business Service (CBS) reviews, and incident summaries, all designed to inform strategic oversight and support a culture of preparedness and accountability.
Purpose of Chapter
This chapter outlines the types of reports and updates that should be delivered to the Board and Senior Management, their frequency, and the strategic purpose each serves. It also defines the expectations placed on leadership in driving resilience forward.
Effective operational resilience requires strong governance, anchored by active oversight from the Board of Directors and Senior Management.
Regulators expect senior leaders to be not only informed of resilience risks but also integrally involved in strategic decisions and oversight processes.
To support this, the operational resilience team must provide regular, structured, and actionable updates to the Board and executive leadership.
Key Reports, Updates, and Information to the Board and Senior Management
Below is a summary of the key reports, updates, and information that the Board and Senior Management should receive:
1. Operational Resilience Dashboard (Quarterly or Monthly)
A summarised, visual representation of the bank’s resilience posture, including:
- Status of each Critical Business Service (CBS)
- Summary of impact tolerance testing (met/exceeded/breached)
- Emerging risks or threat trends
- Risk rating of CBS (based on recent incidents or assessments)
- Summary of planned vs. completed mitigation activities
2. Summary of Scenario Testing Results (Semi-annually or Annually)
A concise report detailing:
- Types of scenarios tested (cyber, technology failure, third-party outage, etc.)
- Results of the testing: whether impact tolerances were maintained
- Gaps identified and corresponding mitigation actions
- Lessons learned and organisational improvements required
3. CBS and Impact Tolerance Review (Annually or upon material change)
- Updated list of Critical Business Services
- Rationale for CBS selection or deselection
- Changes to impact tolerances, with justification
- Summary of business and technology dependencies
4. Risk Mitigation Plans and Progress Report (Quarterly)
- Current status of identified risk treatment plans
- High-risk areas needing board attention or investment
- Progress on control enhancements and system upgrades
- Dependencies on external vendors or third parties
5. Resilience Governance Review (Annually)
- Review of governance structure effectiveness
- Summary of roles and responsibilities across the 3 Lines of Defence
- Status of policy updates or process improvements
- Overview of training and awareness initiatives at all levels
6. Incident and Disruption Summary (As Needed)
- Notification of material disruption events
- Post-incident review outcomes and corrective actions
- Regulatory notifications made (if applicable)
- Trends and recurrence analysis (if part of ongoing issues)
Key Expectations from the Board and Senior Management
Regulators expect the Board and Senior Management to:
- Challenge the assumptions and results presented by the resilience team.
- Approve key elements of the resilience framework, including CBS, impact tolerances, and recovery strategies.
- Ensure funding and resourcing for critical mitigation plans.
- Embed resilience into the broader strategic, operational, and risk management agendas.
- Drive a culture of preparedness, accountability, and learning from disruptions.
This structured engagement ensures that resilience is not siloed within operations or IT, but is recognised as a strategic priority under the leadership and stewardship of the bank’s most senior decision-makers.
Table 1-1: Board and Senior Management Oversight: Information Flow from the Operational Resilience Team
Type of Report/Update | Frequency | Content Summary | Purpose for Board/Senior Management |
---|---|---|---|
Operational Resilience Dashboard | Monthly / Quarterly | Status of Critical Business Services (CBS); impact tolerance status (met/breached); key risk indicators; summary of mitigation progress | To provide an at-a-glance view of the bank’s overall resilience posture and emerging risks |
Scenario Testing Results Summary | Semi-annually / Annually | Scenarios tested; tolerance breaches; gaps and vulnerabilities; remediation actions and timelines | To assess if CBS can remain within tolerances under stress, identify weak areas requiring intervention |
CBS and Impact Tolerance Review | Annually / Upon Material Change | Updated CBS list and justifications; changes in impact tolerances; dependency changes (systems, third parties) | To approve or review key service priorities and resilience thresholds |
Risk Mitigation Plans and Progress Report | Quarterly | Status of risk treatment plans; outstanding actions and delays; investment and resourcing needs; escalated risks needing board attention | To monitor progress and ensure accountability in closing resilience gaps |
Resilience Governance Review | Annually | Effectiveness of governance structure; policy/process updates; status of 3LoD responsibilities; awareness/training status | To ensure governance and oversight structures support effective resilience implementation |
Incident and Disruption Report | As Needed (Post-event) | Summary of major incidents; post-incident review results; regulatory notifications; trends or recurring disruptions | To keep leadership informed on disruptive events and how they are managed or prevented |
Table 1-2: Board and Senior Management Expectations
Responsibility Area | Key Expectations |
---|---|
Strategic Oversight | Approve CBS, impact tolerances, and resilience strategy alignment with business priorities. |
Challenging Assumptions | Critically evaluate scenario assumptions, risk assessments, and mitigation adequacy. |
Resource Allocation | Ensure sufficient funding and staffing for resilience initiatives. |
Governance & Accountability | Monitor roles and responsibilities under the 3 Lines of Defence model. |
Culture & Awareness | Promote a culture of resilience across the enterprise through tone-from-the-top leadership. |
Regulatory Engagement | Engage in discussions with regulators during reviews or in response to findings related to resilience and regulatory compliance. |
Summing Up ...
Operational resilience is no longer solely the responsibility of risk or IT teams; it is a strategic imperative that requires ongoing commitment from the highest levels of the organisation.
The Board and Senior Management must be equipped with the right information, at the right time, to provide effective oversight and direction.
By institutionalising a structured flow of resilience-related reporting, banks not only meet regulatory expectations but also strengthen their ability to respond to disruptions with confidence and decisiveness.
This two-way engagement—where operational teams inform leadership and leadership drives resilience priorities—ensures that operational resilience is embedded into the core fabric of the bank’s governance and strategic planning.