Editorial

Navigating IAIS Operational Resilience

Contributor

Martin joined Delta Capita as Global Head of Project and Programme Delivery and brings over 15 years of experience in the financial services industry across various change roles.

Martin Hillier
Global Head of Project and Programme Delivery

Over the last five years, banks across the UK and Europe have undergone a profound shift in how they approach operational resilience. Regulations such as the UK PRA/FCA Operational Resilience Framework and the Digital Operational Resilience Act (DORA) in the EU have forced financial institutions to move beyond traditional business continuity planning toward a model centred on impact tolerance, critical business services, and severe but plausible scenario testing.

Firms have had to: 

  • Identify and document their most important business services.
  • Set tolerance thresholds for disruption.
  • Map interdependencies (including third-party providers).
  • Conduct regular, data-driven testing to validate resilience.
  • Demonstrate clear accountability at board level.
  • Stand up new operating models, tooling, and control functions to monitor resilience dynamically.


Delta Capita has been at the forefront of helping Tier 1 and challenger banks alike navigate this change, providing not just advisory expertise but also the implementation capability to stand up full-scale resilience programs, toolkits, and testing models.

Now the Insurance sector faces a similar regulatory evolution with the IAIS’s draft Application Paper on Operational Resilience Objectives and Toolkit. While less prescriptive than DORA, this paper represents a global supervisory shift that requires insurers to embed operational resilience into their governance, risk management, and oversight frameworks.

Where banks are well advanced in these plans, insurers can now fast-track their journey, leveraging both the regulatory blueprint and proven playbooks from the banking world. This is where Delta Capita's cross-sector resilience experience delivers real strategic advantage.

As insurers grapple with growing digitalisation, cyber threats, and supply-chain complexity, the IAIS's new draft Application Paper on Operational Resilience represents a critical inflection point, one in which Delta Capita’s proven resilience framework, developed initially in banking, can deliver a transformative advantage for Insurance firms.

What are some of the key IAIS requirements for Operational Resilience?

  • Principles vs Practice
    The IAIS stops short of prescriptive mandates, embedding resilience within existing Insurance Core Principles (ICPs). That means insurers must interpret governance, risk, and reporting requirements in light of resilience, a shift demanding cultural and structural adjustments.
  • Critical Services Mapping
    Delineating critical services, especially in complex tech ecosystems, is no small task. Delta Capita can support insurers with tools and workshops to map services, dependencies, impact tolerances, and third-party vulnerabilities.
  • Scenario-based Testing
    The requirement for “severe but plausible stress tests” aligns closely with the resilience playbooks Delta Capita built for banking clients under DORA. A strategic synthesis of scenario design, execution, evaluation, and remediation helps insurers evolve from tick-box exercises to proactive risk management.
  • Third-Party Chains & Supply Resilience
    The toolkit emphasises BCP/DRP for third and nth-party providers. Drawing on experience advising banks on third-party oversight in their Operational Resilience and DORA endeavours, Delta Capita can help insurers establish supplier governance, concentration assessments, contract vetting, and exit strategies.
  • Supervisory Engagement & AI Readiness
    Supervisors are encouraged to use AI and generative tools to spot trends and systemic risk. Delta Capita’s structured dashboards, analytics, and proven platform implementation can support both insurers and supervisors in meeting this expectation.


How can Delta Capita Support Compliance?

  1. Governance Alignment: Facilitate Board-level workshops tied to ICPs, resilience KPIs, and risk appetite recalibration.
  2. Discovery & Mapping: Develop service inventories, impact tolerances, dependency heatmaps.
  3. Scenario Testing Framework: Design modular testing frameworks with playbooks and root-cause analysis and remediation.
  4. Third-Party Risk Oversight: Provide supplier risk scoring, contract clause design, and operational audits.
  5. Technology & Reporting: Develop analytics dashboards, narrative reporting kits, and AI-enabled continuous controls monitoring.
  6. Cultural Transformation: Run talent training, simulation exercises, and awareness campaigns, mirroring practices from banking work with regulators.

Why Delta Capita?

  • Proven delivery of resilience tooling in regulated banking environments (especially under DORA).
  • Role as implementation partner to major banks across Europe, bringing learnings ready for Insurance.
  • Blend of regulatory, technological, and advisory expertise, tailored for nuanced operational-risk contexts.
  • Partnered with Gieom whose advanced software empowers organisations to future-proof operational resilience by automating policy, SOP, and identity management, while mitigating risk and ensuring regulatory compliance.


Conclusion


The IAIS draft marks a pivotal shift in global Insurance supervision, expecting firms to incorporate resilient design into every layer: governance, tech, supply chains, and culture. With accountability moving upstream to boards and third-party ecosystems, insurers need more than basic checklists; they need a structured, end-to-end programme. For more information on how Delta Capita can help navigate the IAIS operational resilience requirements, please get in touch with Martin Hillier – Partner – Global Head of Transformation and Change.