FINMA is tightening its expectations regarding operational resilience. Starting in 2026, institutions must demonstrably define and implement their critical functions, disruption tolerances, and testing procedures.
With Supervisory Notice 05/2025, FINMA places operational resilience at the center of its supervisory practice.
From 1 January 2026, all institutions, regardless of their size or supervisory category, must have implemented concrete measures to ensure their ability to withstand disruptions.
FINMA’s analysis of 267 institutions shows significant differences in maturity, with notable gaps in the definition of critical functions, disruption tolerances, and the integration of existing frameworks.
Critical functions: focus instead of fragmentation
According to FINMA, the average number of identified critical functions is 3.5. While larger institutions define more, some exceed a reasonable scope with up to 36 critical functions. FINMA calls for clarity: a critical function is not every process but an activity whose failure has immediate effects on clients or the stability of the financial market.
Many institutions confuse processes (e.g., back office, IT operations) or resources (e.g., core banking system) with critical functions. What matters is a top-down perspective that considers strategic relevance and dependencies within the supply chain.
Practical recommendation:
A robust inventory of critical functions forms the foundation for a holistic «front-to-back» perspective, as required by FINMA. This inventory should map functions, processes, resources, and interdependencies in a transparent manner.
Disruption tolerances: from technical limits to the board’s tolerance level
FINMA criticises that many institutions define their disruption tolerances «backwards», starting from the technical recovery capability that already exists («reverse engineering») instead of from the tolerance level set by the governing body. The result is that resilience is treated as an operational question rather than a strategic one.
Most institutions set disruption tolerances between 24 and 72 hours. Markedly lower values usually mean the figure is really a BCM metric (an RTO or RPO) rather than a board-level tolerance; markedly higher values suggest that the function in question was never critically assessed.
Practical recommendation:
A well-designed governance process supported by traceable data, visualisations, and clear decision logic helps to anchor disruption tolerances at a strategic level. Combining a clear methodology, structured documentation, and suitable tools creates transparency and strengthens executive involvement.
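The two recommendations above (a front-to-back inventory of functions, processes and resources with their interdependencies, and tolerances set top-down rather than read off technical recovery times) can be checked mechanically once the inventory exists. The following Python is an added illustration and is not part of the original article or of any Swiss GRC product. The institution names, functions, processes, resources, tolerances and RTOs are constructed sample data, and the 24-hour review floor is an assumption taken from the observed 24 to 72 hour range in the notice, not a FINMA requirement. It computes, for each critical function, the longest recovery chain through its dependencies and flags three patterns: a tolerance that the chain cannot meet, a tolerance that exactly equals the chain time (a hint that it was derived bottom-up), and a tolerance so short that it looks like an RTO.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Item:
    """One entry of the front-to-back inventory."""
    name: str
    kind: str                        # "function", "process" or "resource"
    depends_on: List[str] = field(default_factory=list)
    rto_hours: float = 0.0           # technical recovery capability (BCM RTO); 0 for functions
    tolerance_hours: float = 0.0     # board-set disruption tolerance; functions only


# Constructed sample inventory: names and figures are illustrative only (assumption).
SAMPLE_INVENTORY: Dict[str, Item] = {
    "Payment execution": Item("Payment execution", "function",
                              depends_on=["Payment processing", "Client channels"],
                              tolerance_hours=24),
    "Custody / settlement": Item("Custody / settlement", "function",
                                 depends_on=["Settlement processing"],
                                 tolerance_hours=48),
    "Intraday liquidity reporting": Item("Intraday liquidity reporting", "function",
                                         depends_on=["Liquidity reporting"],
                                         tolerance_hours=2),
    "Payment processing": Item("Payment processing", "process",
                               depends_on=["Core banking system", "SWIFT gateway"], rto_hours=4),
    "Client channels": Item("Client channels", "process",
                            depends_on=["E-banking platform"], rto_hours=6),
    "Settlement processing": Item("Settlement processing", "process",
                                  depends_on=["Core banking system", "Custodian interface"],
                                  rto_hours=8),
    "Liquidity reporting": Item("Liquidity reporting", "process",
                                depends_on=["Data warehouse"], rto_hours=1),
    "Core banking system": Item("Core banking system", "resource", rto_hours=12),
    "SWIFT gateway": Item("SWIFT gateway", "resource", rto_hours=8),
    "E-banking platform": Item("E-banking platform", "resource", rto_hours=36),
    "Custodian interface": Item("Custodian interface", "resource", rto_hours=40),
    "Data warehouse": Item("Data warehouse", "resource", rto_hours=1),
}


def critical_path(inv: Dict[str, Item], name: str,
                  _stack: Tuple[str, ...] = ()) -> Tuple[float, List[str]]:
    """Longest recovery chain below `name`.

    An item can only be restored once its dependencies are back, so recovery
    times add up along a chain, and among parallel branches the slowest one
    is binding. Returns (hours, path from `name` down to the binding leaf).
    """
    if name in _stack:
        raise ValueError(f"dependency cycle through {name!r}")
    item = inv[name]
    best_hours, best_path = 0.0, []
    for dep in item.depends_on:
        hours, path = critical_path(inv, dep, _stack + (name,))
        if hours > best_hours:
            best_hours, best_path = hours, path
    return item.rto_hours + best_hours, [name] + best_path


def assess(inv: Dict[str, Item], low_floor_hours: float = 24.0) -> Dict[str, List[str]]:
    """Compare each critical function's board-set tolerance with its recovery chain.

    `low_floor_hours` is an assumed review threshold, not a regulatory value:
    tolerances below it are worth a second look because they sit in the range
    of technical RTOs.
    """
    findings: Dict[str, List[str]] = {}
    for item in inv.values():
        if item.kind != "function":
            continue
        notes: List[str] = []
        hours, path = critical_path(inv, item.name)
        chain = " -> ".join(path)
        if item.tolerance_hours < low_floor_hours:
            notes.append(f"tolerance {item.tolerance_hours:g}h is in the range of technical RTOs; "
                         "confirm it is a board-set tolerance, not a BCM metric")
        if hours > item.tolerance_hours:
            notes.append(f"not achievable: recovery chain {chain} needs {hours:g}h, "
                         f"tolerance is {item.tolerance_hours:g}h")
        elif hours == item.tolerance_hours:
            notes.append(f"tolerance equals recovery chain time ({hours:g}h via {chain}); "
                         "check it was not derived bottom-up from the RTOs")
        findings[item.name] = notes
    return findings


if __name__ == "__main__":
    for function, notes in assess(SAMPLE_INVENTORY).items():
        print(function)
        for note in notes or ["no finding"]:
            print("  -", note)
```

In the sample data, «Payment execution» is unachievable because the e-banking platform alone needs longer to recover than the 24-hour tolerance, which is exactly the kind of third-party or resource gap a front-to-back view is meant to surface; «Custody / settlement» lands precisely on its chain time and should be questioned as a reverse-engineered figure; the 2-hour value on «Intraday liquidity reporting» reads like an RTO rather than a tolerance. Replacing the sample dictionary with an export from the real inventory is the only change needed to run the same checks in practice.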
Testing: from cyber defence to end-to-end resilience
According to FINMA, 85% of institutions in supervisory categories 1 to 3 have not yet carried out any testing. Frequently mentioned scenarios include «successful cyberattack» or «supply chain disruption» – yet non-cyber-related threats often remain untested.
Practical recommendation:
Regular, scenario-based testing forms the backbone of a learning organisation. Using structured test frameworks and suitable platforms simplifies planning, execution, and evaluation, ensuring that results can be directly translated into improvement measures – a crucial step toward continuous advancement.
Operational resilience framework: time for integration
According to FINMA, only 12–15% of institutions have established an integrated framework that coordinates risk management, ICT and cyber risks, BCM, emergency planning, and third-party management. As a result, most institutions still lack the organisational foundation for a consistent «resilience-by-design» approach.
With regard to European developments such as DORA and the NIS2 Directive (EU) 2022/2555, this integration is essential. Both regulatory frameworks require tightly interconnected oversight of cyber, IT, and operational risks – marking a shift from silo thinking to risk-based end-to-end management.
Practical recommendation:
Institutions should view their operational resilience framework as an overarching steering instrument. This includes:
• Defining suitable metrics (KPIs/KRIs)
• Integrating risk management, BCM, ICT, and third-party oversight
• Monitoring dependencies and interfaces automatically
From compliance to strategic resilience
Operational resilience is more than a regulatory obligation – it is a strategic success factor. It not only protects against disruptions but also increases the capability to use crises as opportunities for learning and adaptation. With the mandatory implementation of FINMA’s requirements from 2026 onward and the harmonisation with European standards, institutions gain a unique opportunity: resilience can become a true differentiator.
Practical recommendation:
A data-driven view of risks and dependencies enables active steering of resilience. Dashboards, metrics, and analyses form the foundation for fact-based decisions – whether implemented through internal methods or supported by dedicated tools.
How technology can help without losing control
Implementing the requirements for resilience, critical functions, and tolerance definitions is complex, especially when done through Excel and manual processes. Many institutions recognise that tool-supported approaches create transparency, automation, and traceability. The GRC Toolbox from Swiss GRC enables institutions to systematically record critical functions and dependencies, define disruption tolerances, plan tests, and centrally evaluate results – all embedded in an overarching framework for operational resilience.
The focus is not on the tool itself but on the added value: an end-to-end perspective, consistent governance, and a sustainable contribution to a resilience-by-design culture.
Conclusion
Supervisory Notice 05/2025 marks a milestone in strengthening the Swiss financial market infrastructure. For institutions, this means: consolidating structures, clarifying responsibilities, and approaching resilience from a strategic perspective.
DORA, NIS2, and international best practices make it clear: resilience is not a project – it is a guiding principle. Institutions that invest today in an integrated, data-driven, and governance-oriented implementation will, in the long term, not only be compliant with regulations but also commercially robust and future-proof.
Swiss GRC supports institutions in implementing regulatory requirements for operational resilience – from the identification of critical functions to holistic management. Our experts combine regulatory know-how with technological implementation capabilities to build a resilience-by-design culture that delivers real impact. Book an appointment now: swissgrc.com/discoverycall.