Each year we see the challenges that enterprises face become more complex as they strive to keep up with the latest technologies, such as generative AI, and increasing customer expectations.  

For highly regulated industries, these challenges take on an entirely new level of expectation as they navigate evolving regulatory landscape and manage requirements for privacy, resiliency, cybersecurity, data sovereignty and more. Organizations in the financial services, healthcare and other regulated sectors must place an even greater focus on managing risk—not only to meet compliance requirements, but also to maintain customer confidence and trust.  

To do this, it’s crucial that enterprises place an emphasis on operational resilience with the aim of maintaining stability, preserving market integrity and protecting confidential data for themselves and their customers.  

Prioritizing operational resiliency

In our view, the essence of operational resilience is an assumption that disruption is inevitable, and organizations must have measures in place to be able to absorb and adapt to any shocks. This includes cyber incidents, technology failures, natural disasters and more. With more dependency on technology and third and fourth parties, expectations are increasing for organizations to continue delivering critical business services through a major disruption in a safe and secure manner. This means actively minimizing downtime and closing gaps in the supply chain to remain competitive.  

This is different from the long-standing industry practice of disaster recovery where, traditionally, companies would return to normal operations in the several days after an event with defined recovery point objectives and recovery time objectives. Although still an important practice, appetite for conventional disaster recovery approaches is diminishing across industries and especially with regulators. This is evident from emerging regulatory requirements and expectations in UK (Bank of England’s Critical Third-Party regime), Europe (Digital Operational Resilience Act), Australia (APRA CPS-230 Operational Risk Management) and Canada (OSFI – Operational Resilience and Operational Risk Management), etc. Similarly, in the U.S. the Office of the Comptroller of Currency (OCC) also indicated that the Federal Banking Agencies are considering updates to operational resilience frameworks and approaches for critical business services and for third-party services providers. 

As hybrid cloud and generative AI adoption increases, data and applications are everywhere—across multiple clouds and vendors (SaaS/Fintech), on premises and even at the edge. For this reason, it’s more important than ever for enterprises to ensure their cybersecurity and resiliency strategy incorporates their entire IT estate, no matter where it resides.  

To do this, enterprises must first prioritize the most critical business services and develop a workload and data placement strategy to determine which applications and data should reside in a certain environment based on its specific security, resiliency and data sovereignty needs. 

According to the 2024 IBM X-Force Threat Intelligence Index, attackers are increasingly shifting from ransomware to malware that is designed to steal information, which reinforces the importance of leveraging technology and approach that provides holistic view and end-to-end protection across your entire IT estate, including your partners.  

While partnerships are essential for businesses to remain competitive and tap into new entry points, enterprises must make sure third parties are thinking about security, resiliency and controls in the same way they and their regulators are.  

It’s clear trust and security must be at the foundation of decisions about where workloads and data reside—regardless of the industry. But how can an enterprise ensure these priorities remain front and center, especially when working with third and fourth parties?  

Taking an industry-specific approach to accelerating digital transformation

Hybrid cloud is now the dominant architecture adopted by enterprises, according to an IBM Study, but critical to hybrid cloud strategy is an industry cloud approach. Over the past few years, IBM Cloud® has continued to innovate on, and made significant enhancements to our enterprise cloud platform designed for regulated industries. This purpose-built approach has enabled clients to take advantage of cloud services, SaaS providers and Fintechs at a consistent level of security, resiliency and compliance to build and deliver world-class solutions for their customers, while managing third- and fourth-party risk. 

Several years ago, we took a strategic step to address the needs of our clients in regulated industries with the first industry-specific cloud platform designed to meet the needs of financial services sector. This includes the highest set of operational, resiliency, cybersecurity and regulatory standards with built-in controls informed by the industry. By meeting the stringent standards for financial services, it can be seamlessly leveraged across other industries including insurance, government, healthcare, manufacturing and telecommunications, allowing for continuous and central management of security and risk management. 

To support clients in their transformation journey, we are continuing our work with key industry organizations to further address risk and allow organizations to leverage the cloud with confidence. One of our premier industry forums is the IBM Financial Services Cloud Council, which now consists of a network of more than 160 CIOs, CTOs, CISOs and Risk and Compliance officers from over 90 financial institutions working together to develop safe, secure and compliant adoption of cloud and Gen AI.  

Moreover, we are collaborating with industry leading organizations such as the Cloud Security Alliance to advance hybrid cloud security and Gen AI adoption for enterprises. On-going engagement with regulators around the globe and private-public sector collaboration through organizations such as the U.S. Financial Services Sector Coordinating Council (FSSCC) and engagements with the Financial Stability Board Third-Party Risk group are also important in developing practical and consistent industry-wide approach to common challenges.

Shared understanding and ownership  

As enterprises continue to balance the complexities of innovation, risk and resilience, we believe the path forward will be working towards a common, risk-based understanding of the core principles that underpin effective operational resiliency. It’s essential for enterprises to take ownership of their operations and prioritize their actions and investments based on the impact to themselves, their customers and market stability, but this can’t happen in a vacuum. 

At IBM, we are committed to helping clients on this journey. We believe it takes all of us—enterprises, trade organizations, policy makers, regulatory authorities and cloud providers— to work in unison to accomplish the same critical mission: accelerating digital experiences that move the world in a secure, resilient and compliant manner. 

Want to learn more about cloud adoption within financial services?

Read Central Banking and Cloud Services: The New Frontier