Financial & Operational Resilience

  1. Expanding Resiliency
  2. Continuity & Resolution
  3. Tolerance & Testing
  4. Actions

The probability and potential impact of disruptions have increased, driven by evolving technologies and a growing interconnectedness between financial and nonfinancial companies. Cross-agency regulatory focus on demonstrable financial and operational risk management capabilities will likely continue in 2025, inclusive of the ability to prepare for and withstand or recover from "shocks" as well as adapt to longer-term change. Efforts to impose more stringent capital and liquidity requirements, however, may abate. Companies are, and will continue to be, required to take a risk-based approach to managing critical operations, third parties and disruptions/incident response while also establishing separate credible plans to maintain business continuity and to consider potential resolution in the event of severe distress.

1. Expanding Resiliency

In addition to concerns about the pressures that market stresses or adverse events—disruptions—can put on capital levels and liquidity sources, financial services regulators are now also focusing attention on companies’ operational resilience and preparedness to withstand or recover from disruption.

In 2025 regulators are expected to focus on:

Capital

Ongoing efforts to finalize amendments to the large bank capital requirements (Category I to IV banking organizations) may be delayed or fully tabled. Regulators via supervision may also look to related areas of:

  • Governance processes, data, models, system infrastructure, internal controls, and regulatory reporting.
  • Stress testing frameworks, capital planning, and balance sheet management.

Liquidity & Funding

Ongoing attention to liquidity risk management, including:

  • The diversity and stability of funding sources (to ensure resilience under adverse conditions).
  • Operational readiness across the crisis continuum (i.e., early warning indicators to contingency funding to reverse repurchase agreements), including procedure knowledge and collateral availability.
  • Integrated and effective early warning indicators and regularly updated contingency funding plans based on market shifts or strategic changes.
  • Cost of funds vs cost of lending.

Potential changes to the current liquidity framework that may be considered or carried forward to 2025 include:

  • Minimum requirements for a readily available pool of reserves and pre-positioned collateral at the discount window.
  • Partial limits on the extent of reliance on held-to-maturity assets in liquidity buffers.
  • Recalibration of the deposit outflow assumptions for different types of depositors.
  • Changes to the scope of application (e.g., lowering the asset thresholds).

Operational Resilience

The growing threat landscape, potential failure points, and links between operational resilience and other areas of non-financial risk management (e.g., TPRM, cybersecurity) for large financial organizations as well as potential changes to supervision and oversight for large banks across risk pillars (e.g., credit, market, strategic, operational, legal, and reputational). Considerations include:

  • A focus on critical operations and third parties that support them.
  • Minimum requirements for critical operations, such as:
    • Clear definitions for identifying “critical activities” and core business lines.
    • Tolerance(s) for disruption informed by risk appetite, scenario analysis, and recovery maps.
    • Scenario testing to inform tolerance parameters and understand interconnections and interdependencies.
    • Governance and risk management practices, including TPRM, communications and reporting, business continuity management, and operational risk management.

Recovery/Continuity

The reasonableness and credibility of contingency and business continuity planning to preserve ongoing operations and limit losses during severe stress/disruption scenarios given financial and nonfinancial risks and impacts. Elements of the regulators’ focus will include:

  • Identification of resources (i.e., people, processes, technology, facilities, and information) required for critical operations and core business lines.
  • Readiness to respond to most likely risk scenarios and coordination or response between tactical teams such as Business Continuity, Disaster Recovery, and Cyber and Crisis Management.
  • Disaster recovery and business continuity testing with third parties associated with critical operations and core business lines when possible.
  • Communications with internal and external stakeholders.
  • Integration of risk management systems into organizational structures and decision-making processes to reduce the likelihood of operational incidents and limit losses in the event of business disruption. 

2. Continuity & Resolution

Regulators are looking for companies to demonstrate that they have planned for and are prepared to weather stresses to their operations, including establishing recovery plans designed to continue business following adverse events (e.g., natural disaster, technology failures, human error) as well as resolution plans designed to carry out various steps (e.g., mergers, divestitures, dissolution) in cases where a company is in material financial distress or failure.

Business Continuity Plans

Regulatory focus is on the adequacy and effectiveness of contingency and business continuity planning to ensure ongoing operations and limit losses during severe business disruptions, including:

  • Planning appropriate to size, risk profile, activities, complexity (e.g., vulnerabilities, recovery options/barriers, impact assessments, escalation procedures, communications and reporting).
  • Identification of known and emerging threats, vulnerabilities, and triggers.
  • Identification of resources (e.g., people, processes, technologies, critical third parties) necessary to perform critical operations and/or deliver core business lines within defined disruption tolerances and options for recovery (including execution and timing).
  • Assessment of impacts and results of disaster recovery and business continuity testing (both in-house and with third parties, conducted periodically and modified as needed based on the impact assessments with tracking for remediation of identified gaps) related to critical operations and core business lines as well as to material entities and potential obstacles (e.g., legal, market, regulatory).

Resolution Plans

Expectations around robust planning, documentation, and reporting for potential rapid and orderly resolution in case of insolvency or failure. Regulators will focus on many elements in the resolution planning process including:

  • Identified strategy for resolution (e.g., single or multiple point of entry), the separability of parts, and the viability of the chosen strategy.
  • Failure scenario(s) for testing based on assessments of vulnerabilities, such as capital, liquidity, operational issues, etc.
  • Organizational structure (e.g., legal entities, core business lines, affiliates, cross-border) and governance mechanisms (e.g., .
  • Critical operations and services, core business lines, and franchise components (if applicable), as well as associated key personnel.
  • Capital structure, funding sources, asset portfolios, valuations, off-balance sheet exposures, etc. (if applicable).
  • Information systems, licenses, intellectual property, digital services and platforms.

3. Tolerance & Testing

Disruption tolerances—coupled with rigorous scenario testing and robust third-party oversight—form the cornerstone for safeguarding companies and their critical operations and core business lines/services against severe but plausible risks. Operational resilience transcends all risk pillars (e.g., credit, market, strategic, operational, legal, and reputational) and these should be factored into analysis and review/testing.

In 2025, regulators will be assessing:

Tolerance(s) for Disruption

Set at both the enterprise level and for identified critical operations and core business lines, considering:

  • Risk appetite for weathering disruption from operational risks given risk profile and capabilities of supporting operational environment (e.g., systems, processes, expertise).
  • Scenario analysis and recovery maps.
  • Board approval/oversight of identified critical operations, core business lines, tolerance testing, evaluation, and validation.

Scenario Testing

With emphasis on testing failure scenarios that demonstrate material financial distress. Focus remains on:

  • The ability to remain within set tolerances through severe, but plausible, disruption scenarios including potential risks identified through operational risk management, the internal audit function, business continuity planning, and resolution/recovery planning.
  • Understanding interconnections and interdependencies within and across critical business operations and services, and core business lines and capabilities, including third-party risks and critical technology services.

Parties & Providers

Ongoing expectations for governance and risk management of third-party arrangements, particularly those associated with critical operations and services or core business lines. Regulators will expect:

  • Third-party relationships to not compromise the ability to perform critical operations and deliver core businesses within disruption tolerances.
  • Verification that third parties have sound risk management practices and controls to mitigate disruption consistent with the tolerance level.
  • Identification of additional/alternative third parties that may be able to assist if the current third party cannot deliver services including consideration of transition timeframes; data-related risks; joint intellectual property; and potential impacts to customers.
  • Risk-based oversight, such that more rigorous oversight is afforded third parties that support higher-risk and critical activities.

4. Actions

Strengthen Operational Resilience:

  • Focus on identifying and protecting critical operations and core business lines through rigorous scenario testing and validation against severe but plausible disruption scenarios.
  • Invest in security measures and risk management practices to safeguard against potential threats and minimize the impact of disruptions, including identifying alternative paths/providers.

Improve Governance and Risk Management:

  • Ensure that Boards and senior management are actively involved in approving the identification of critical operations, setting disruption tolerances, and overseeing the periodic review and testing of operational risks and resilience strategies.
  • Prioritize investments in technologies and cultural changes that enhance operational resilience and establish clear accountability for managing resilience across the organization. Integrate technology-specific resilience measures into risk management frameworks. Develop adaptive strategies to withstand technological disruptions and regularly test and update continuity plans.

Enhance Business Continuity and Disaster Recovery Planning:

  • Regularly update and test business continuity and disaster recovery plans and risk/impact assessments, including those involving third parties, to ensure they are adequate to sustain operations during severe disruptions.
  • Integrate operational risk management into organizational decision-making, with a focus on identifying and mitigating risks associated with business processes, technology, and third-party engagements.

Dive into our thinking:

Ten Key Regulatory Challenges of 2025

Rolling through the Shift
