Operational resilience in financial services

Why operational resilience matters to financial services leaders

 

At a HotTopics Food for Thought breakfast in partnership with Zscaler, CIOs and CISOs in financial services explored how operational resilience is evolving from a compliance exercise to core business strategy.

 

Operational resilience sits at the centre of regulatory scrutiny, board conversations and ongoing transformation programmes, a position increasingly reinforced by rapid AI adoption and the pressure not to be “left behind”.

 

Yet, as this HotTopics Food for Thought discussion made clear, many organisations are still wrestling with a fundamental question: is operational resilience just a compliance exercise, or is it a core design principle that shapes how the entire business operates?

 

Throughout the discussion four themes emerged: regulation as a catalyst rather than a cure, organisational culture and incentives as the real drivers of change, the shift from short-term projects to long-term business philosophy, and the growing pressure created by AI adoption across the enterprise.

 

Meet the panellists:

 

With Doug Drinkwater, Editorial and Strategy Director at HotTopics, moderating the HotTopics Food for Thought, the speakers included:

 

  1. Algirdas Dineka, Willis Towers Watson
  2. Eugenia Shynkevich, BNY Mellon
  3. Gerald Hentschel, Western Union
  4. Graeme Howard, Benefact Group
  5. Neale Saldanha, Close Brothers
  6. Sharada Khanna, HSBC
  7. Tanvi Sethi, Techlightenment
  8. Varun Ramaswamy, Lloyds
  9. James Tucker, Zscaler
  10. Martyn Ditchburn, Zscaler

 

Regulations as a catalyst

 

Few in the room disputed the claim that regulation has elevated operational resilience on the executive agenda, and AI regulation is accelerating that pressure even further. As one speaker put it plainly, “regulations are definitely catalysts.” Large-scale decision-making, particularly in highly regulated industries such as healthcare, financial services and defence, often follows applied external pressure.

 

However, the tone of the conversation suggested that leaders should proceed with caution. In the case of AI, regulation is colliding with cultural enthusiasm. As one speaker observed, AI is “probably the most democratised technology of all-time,” which increases the risk of experimentation outpacing governance.

 

Regulation may trigger initial action, but it does not guarantee meaningful or sustained operational resilience. One participant recalled speaking to a lawyer who suggested that as long as organisations are covering the fundamentals of core regulations like the EU AI Act, “you won't be in the crosshairs of the regulators.”

 

That mindset of doing just enough to avoid scrutiny may reduce immediate risk, but it rarely builds structural operational resilience.

 

The global regulatory landscape further complicates matters. Different jurisdictions move at different speeds and with different philosophies. Consider the following regulations:

 

  • The EU AI Act is considered the world’s first comprehensive legal framework for AI, establishing risk-based safety and transparency obligations
  • In the United States, Executive Order 14179 was issued in the absence of comprehensive federal AI legislation and amid a surge of state-level regulation, with national security among its stated aims
  • China has established strict AI regulatory frameworks, including the Provisional Measures for the Administration of Generative AI Services (2023) and newer rules on deep synthesis and human-like interaction

 

As one speaker observed, “regulations on the same topic do not evolve at the same rate, same scale, same level of seriousness across all countries.”

 

AI adoption and governance

 

Nowhere is that regulatory contrast clearer than in Europe, which is deliberately building a dense, intersecting digital regulatory framework rather than a single point solution. GDPR, in force since 2018, set the baseline for data protection with strict breach notification requirements.

 

DORA, which became applicable in January 2025, goes further by mandating that financial entities (and their critical ICT suppliers) can withstand, respond to and recover from operational disruption, with major ICT incidents subject to rapid reporting.

 

Alongside this, the EU AI Act introduces a risk-based regime for AI systems, with most obligations applying from August 2026, overlapping directly with both GDPR (where personal data is involved) and DORA (where AI affects operational resilience or cybersecurity).

 

Several of the leaders around the table noted that AI adoption is happening faster than foundational controls. One participant described organisations rolling out enterprise-wide AI training, while at the same time also struggling with data quality and governance. The concern here was not resistance to governance, but sequencing: AI innovation first, governance later.

 

The result is not simply “more regulation,” but a deliberately layered model in which a single incident may trigger parallel obligations across data protection, operational resilience and AI governance. For multinational organisations, this creates a patchwork of expectations that must be reconciled, and reinforces the need to treat operational resilience as a unifying discipline rather than a series of disconnected compliance exercises.

 

Even so, regulatory divergence does not remove accountability. Organisations operating across markets often adopt the higher standard, recognising reputational and operational exposure beyond fines. Compliance may be geographically inconsistent, but operational resilience in practice must travel across borders.

 

There was also recognition that some organisations still misunderstand accountability. Zscaler’s James Tucker described an encounter with a bank customer who believed that outsourcing removed responsibility: “since we're outsourcing our security, we don't have to do it.”

 

That comment prompted visible scepticism in the room. The general consensus was that operational resilience cannot be outsourced; third parties may deliver services, but responsibility for continuity remains with the organisation itself, especially when notable outages at the cloud hyperscalers can have significant business implications. That is also how the regulation reads: under DORA, a financial entity remains fully responsible for meeting its own obligations regardless of which ICT third-party provider delivers the service.

 

Culture, incentives and organisational momentum

 

If regulation provides organisations with the spark, then culture determines whether that change actually takes hold.

 

Several leaders around the table highlighted the power of internal incentives. In one example, Tucker described a CISO who had introduced measurable accountability across independent development teams: “He has metrics, and if anybody falls below 85 percent, the team lead, the manager, does not get their quarterly bonus.”

 

Zscaler’s Martyn Ditchburn argued that the CISO role needs to evolve towards a more proactive stance:

 

“There's that reactivity that's creating this challenge and they [the CISO] should be more lockstep in revenue aims and embracing AI rather than just putting the guardrails controls down.”

 

The board dynamic was also central. Leaders acknowledged the challenge of sustaining attention beyond immediate crises or compliance deadlines. One speaker summarised a recurring frustration: “how do we get this discussion on the agenda?” Securing board-level focus on resilience initiatives remains difficult unless impact is clearly articulated in business terms.

 

One speaker noted that commercial framing also matters: “unless you can show value on the P&L decision making, it always gets held back.” Right now, operational resilience competes with revenue-generating initiatives. If it cannot demonstrate tangible business value, it risks being deprioritised and forgotten.

 

Audits emerged as another informal metric for driving change. In heavily regulated sectors such as banking, frequent internal and external audits create a sense of constant scrutiny. One speaker described “clean audits, green audits” as a signal that often accompanies the avoidance of significant breaches. While not a perfect measure of operational resilience, consistent audit performance can reflect organisational discipline; the caveat is that an audit evidences control conformance at a point in time, not whether the organisation can actually withstand a disruption.

 

On the other hand, culture goes much deeper than metrics and audits. Organisational momentum, or inertia (the “we’ve always done it that way” mindset), can obstruct resilience initiatives. Regulation may push, but cultural resistance can stall progress. As one speaker observed, what differentiates organisations is ultimately “organisational culture”.

 

From projects to philosophy

 

A particularly resonant moment came when Tucker challenged the way resilience and security initiatives are framed: “We tend to think about things in terms of projects right, my zero trust project, my AI project, and projects have a start and end.” The room recognised the implication: if operational resilience is treated as a project, it will eventually be declared complete, with no further action required.

 

He continued: “We all know that this is a lifelong endeavour.” That shift, from project to enduring principle, reframes the entire conversation in the speakers’ view. Operational resilience becomes less about implementation and more about embedded philosophy.

 

This distinction matters because disruption is not episodic but structural. Geopolitical uncertainty, supply chain fragility, evolving regulation and technology complexity create a permanent state of flux. As Tucker described, operating in certain markets can feel like “every six months [you] pick up the goalpost and change the game from cricket to football to rugby.”

 

Flexibility is another component of operational resilience that requires rethinking. Speakers around the table argued that rather than continuously layering controls onto legacy systems, organisations need to pause and reassess their foundational design. Ditchburn encouraged peers to “Take a step back, think about if I was to do this again greenfield.”

 

Another participant reinforced the need for pragmatism: “don’t let perfection be the enemy.” Budget and resources are finite, and waiting for ideal conditions can stall progress. On top of this, quantifying progress remains challenging. One speaker admitted, “the metrics, I say, are difficult.” Absence of incidents is not always proof of strength. Scenario-thinking, on the other hand, sharpens understanding of impact tolerance, in the sense the UK regulators use the term: the maximum tolerable disruption to an important business service, which testing against severe but plausible scenarios is meant to validate.

 

Communication and storytelling

 

Throughout the discussion, communication surfaced repeatedly as a differentiator. Technical excellence alone does not secure executive alignment. Participants argued that resilience must be articulated in terms that resonate beyond security teams.

 

Several speakers linked communication and storytelling directly to third-party dependency, arguing that resilience conversations fall flat when they ignore how concentrated modern technology supply chains have become. Organisations have moved vast portions of their estates into a small number of hyperscale cloud platforms, while simultaneously layering on SaaS tools and rapidly adopted AI services — in some cases with thousands of AI applications appearing in environments year-on-year.

 

As Tucker reflected elsewhere in the discussion, the reality is an “interconnected web” of dependencies, where a failure in a single third party can trigger months of remediation work and expose how little visibility firms often have beyond their immediate vendors. Reliance on dominant cloud providers such as Amazon Web Services (AWS), alongside a growing dependence on a handful of major AI platforms, was seen as a resilience issue that boards increasingly need framed in business terms.

 

Ultimately, AI reframes operational resilience not as a defensive posture but as a design discipline. The organisations that navigate the next wave successfully are unlikely to be those that block innovation, nor those that rush headlong into it. They will be those that build resilience into how AI is accessed, governed and embedded.

 

Operational resilience, at its core, is about collective behaviour in the organisation. That means coordination across functions and clarity of purpose. As one participant reflected, what ultimately shapes outcomes is how “the culture [is] being shaped,” because that “will probably end up influencing over a much longer term.”


This HotTopics Food for Thought was hosted in partnership with Zscaler.

 
