Operational resilience continues to move up the agenda for financial services firms, not simply as a regulatory obligation, but as a defining component of sustainable business performance. Recent industry discussions highlight a clear shift in emphasis: from establishing frameworks and meeting baseline expectations, to demonstrating that resilience arrangements are enforceable, measurable and capable of delivering real‑world outcomes when disruption occurs.
Contributor
Liliana joined Delta Capita in September 2021. She is a highly motivated, multilingual operations professional with a broad range of knowledge and experience within the Financial Services industry.

The challenge of enforcing third‑party resilience
One of the most persistent challenges remains the enforceability of critical third‑party requirements. Large technology providers, particularly hyperscalers such as cloud providers, continue to offer a sufficient but minimum level of assurance, often arguing that existing regulatory expectations do not reflect their operating models. The distinction between node‑based architectures and traditional data‑centre thinking remains a point of tension, with regulators and firms alike grappling with how resilience can be assured in highly distributed environments.
For financial institutions, this creates a difficult balancing act. Reliance on global providers is unavoidable, yet contractual leverage and transparency remain limited. The focus is therefore shifting from theoretical compliance to pragmatic assurance: understanding what resilience looks like in practice, what can realistically be enforced, and where firms must design compensating controls to protect critical services.
Fewer critical vendors, deeper engagement
In response, many firms are rationalising their supplier landscapes and concentrating on a smaller number of genuinely critical vendors. This is accompanied by a move away from point‑in‑time assessments towards ongoing monitoring and continuous dialogue.
This evolution reflects a broader maturity in third‑party risk management. Resilience is no longer assessed solely through annual questionnaires or contractual clauses, but through sustained engagement, shared scenario testing and an improved understanding of how disruption at a supplier would manifest across business services. Over time, this approach also supports more credible exit planning and substitution strategies, which remain a regulatory priority under both UK and EU regimes.
Rediscovering “forgotten” critical services
After several years of intense focus on Important Business Services (IBS) and customer harm, firms are beginning to rebalance their attention. There is a renewed recognition that some services, while invisible to customers, are nonetheless critical to the firm’s ability to function. Financial books & records closure activities, payroll processing and AML are frequently cited examples: operationally essential, yet historically under‑prioritised in resilience planning.
This shift is significant. It reflects a more holistic interpretation of resilience, one that acknowledges that internal services, staff welfare and operational continuity are inseparable from customer outcomes. Regulators are increasingly alert to these dependencies, particularly where prolonged disruption could undermine a firm’s safety, soundness or ability to recover.
Board reporting: from static metrics to recovery‑focused insight
Board‑level reporting remains an area of active debate. There is growing consensus that traditional metrics, often static and backward‑looking, are insufficient. Boards want, and regulators expect, a clearer view of a firm’s ability to recover from disruption, not just prevent it.
Effective resilience reporting is therefore becoming more dynamic. Metrics are evolving to reflect current risk profiles, emerging threats and changes in the external environment. Importantly, boards are being encouraged to challenge whether impact tolerances, scenarios and assumptions remain appropriate, rather than treating them as fixed artefacts. This aligns resilience more closely with strategic decision‑making and enterprise risk management.
AI: from experimentation to measurable value
Artificial intelligence has been a prominent theme in resilience discussions, but 2026 is widely viewed as the year when tangible benefits must be demonstrated. The focus is shifting away from experimentation towards practical use cases that create capacity and improve decision‑making.
In particular, AI is being applied to incident management, read‑across analysis and impact assessment. By automating elements of detection, triage and analysis, firms can free up specialist resources to focus on judgement‑based activities. There is also increasing interest in linking operational incidents to financial outcomes, enabling firms to articulate resilience in commercial as well as operational terms.
Regulatory scrutiny intensifies: DORA, ECB and FCA expectations
Regulatory scrutiny is no longer hypothetical. Firms are beginning to experience DORA‑related inspections by the ECB, with early attention focused on third‑party registers and self‑assessments. These reviews are testing not only completeness and accuracy, but also whether firms can evidence meaningful oversight and governance of their third‑party ecosystem.
In the UK, the FCA’s approach is consistent but distinct. There is particular emphasis on the severity of scenarios used in resilience testing and the methodologies applied to set impact tolerances. Firms are also being challenged on how the “voice of the customer” is incorporated into these judgements. Supervisors are looking for evidence that tolerances are not solely internally defined, but informed by customer experience and expectations.
As a result, many firms are recognising the value of independent quality assurance reviews. These can help identify weaknesses before regulatory scrutiny, ensure consistency of approach and provide confidence that resilience frameworks will stand up to challenge.
How Delta Capita can assist with turning resilience into a source of confidence
As operational resilience enters its next phase, the differentiator will be credibility. Firms that can demonstrate enforceable third‑party arrangements, meaningful board insight, realistic scenario testing and measurable recovery capability will be better positioned to respond to disruption and regulatory scrutiny alike.
Delta Capita brings deep expertise across operational resilience, third‑party risk management and regulatory change, working with global financial institutions to translate complex regulatory expectations into practical, sustainable solutions.
By combining industry insight with hands‑on delivery experience, Delta Capita supports firms in moving beyond compliance towards resilience that genuinely protects customers, supports strategic objectives and strengthens long‑term confidence.