From Business Continuity to Operational Resilience: Where the UAE stands and what’s next


Most firms still treat continuity as a vertical checklist. Resilience asks a different question: “When our most important customer journeys are disrupted, how quickly can we recover to an acceptable level and prove it?” That horizontal view is the shift.

I felt this shift first-hand running the operational resilience work for Global Banking at HSBC. We stopped looking at siloed processes and instead mapped end-to-end journeys, from onboarding through execution to settlement, then identified the key touchpoints that, if they failed, would harm customers, markets or safety. From there: set tolerances, test severely, fix the weak links. The real value? Confidence under stress.

Global reference points

  • UK (FCA/PRA): Firms must identify Important Business Services, set Impact Tolerances, perform scenario testing, and remediate.
  • EU (DORA): Highly prescriptive ICT risk rules, incident reporting, advanced testing (including threat-led tests), and third-party oversight since January 2025.

UAE landscape (FSRA, DFSA, VARA, CBUAE)

  • DIFC/DFSA: Clear systems & controls plus Business Continuity & Disaster Recovery expectations in the Rulebook; robust continuity, but not a full UK-style resilience regime with impact tolerances.
  • ADGM/FSRA: Strengthened cyber expectations (external updates noted by the market) alongside existing risk and continuity obligations — directionally supportive of resilience outcomes.
  • VARA: Technology & Information Rulebook mandates governance, annual BCDR testing, CISO accountability and, where proportionate, TLPT—a resilience-aligned testing tool.
  • CBUAE: Supervisory focus on operational soundness and continuity (various notices/standards); emphasis on stable operations in the banking system.

What this signals: The UAE is evolving pragmatically, strengthening cyber/continuity controls and selectively adopting advanced testing without (yet) importing the UK’s full impact-tolerance construct across all sectors. It’s a sensible path: build capability, gather evidence, calibrate what works locally. Once a consolidated resilience regime lands, and it will, firms that already map services and set internal tolerances will be ready.

What it means in practice (and how you can start)

  1. Map the journey horizontally. Pick 5–8 customer-facing services and journeys that truly matter. Trace every dependency (people, tech, facilities, third parties).
  2. Set your own tolerances. What’s an acceptable maximum disruption before customers or the market are harmed? Be specific (time/volume/quality).
  3. Test like it’s real. Combine cyber & non-tech shocks. Include third-party and data recovery pain points. Prove recovery with evidence.
  4. Fix at the constraint. Prioritise the key controls that collapse service flow under stress.
  5. Govern the change. Board sees services, tolerances, test results, and remediation (as well as funding requirements) quarterly.

A note on DORA

DORA is intentionally detailed; it accelerates minimum practice and forces testing and third-party oversight. Some find it cumbersome; many benefit from its clarity. My view: the UAE will keep its pragmatic stance, monitoring developments across jurisdictions, and ultimately implement a balanced approach.

Bottom line: Move from plans on paper to evidence of recoverability for customer journeys.

If you’re in the ADGM, DIFC, VARA or mainland UAE and want a fast start or need help with operational resilience, business continuity or operational risk, Paragon Consulting Partners can help you map important services, set sensible tolerances, and run meaningful tests—without importing complexity you don’t need.