
Takeaways from Operational Risk & Resilience Financial Services Europe 2026

  • Writer: Lisa Kalscheur & Sasha Tuel
  • May 20
  • 6 min read

Operational Resilience is Becoming an Ecosystem Visibility Problem


At this year’s Operational Risk & Resilience in Financial Services event in Amsterdam, one message surfaced repeatedly across panels, roundtables, and private conversations:


Operational resilience is becoming an ecosystem intelligence problem.


Firms are no longer struggling simply with governance, documentation, or regulatory compliance. They are struggling to maintain visibility across increasingly interconnected supplier, cloud, geopolitical, software, and operational dependencies quickly enough to support real decisions under pressure.


Traditional resilience programs were largely designed around periodic assessments, static inventories, governance documentation, and internally bounded operational models. But modern operational environments are no longer internally bounded; critical services now depend on constantly shifting external ecosystems that most firms cannot fully observe in real time. 


As a result, resilience can no longer sit solely within operational teams. Several speakers noted that boards increasingly require visibility into threat landscapes, prioritization decisions, and resilience strategy.


Michael Ehrnsperger, Head of Group Protection & Resilience, Allianz SE, spoke directly to this shift, emphasizing the growing importance of end-to-end visibility and early warning capabilities as resilience becomes more central to executive and board-level decision making. 


The conversations at the event reflected a growing realization that resilience failures rarely emerge from a single isolated issue. Instead, they develop across interconnected systems, suppliers, cloud providers, software dependencies, and external market pressures that compound over time. As a result, boards and executive teams are being forced to confront risks that were once considered too operational or too technical for enterprise-level discussion.


Below are the top themes driving the need for ecosystem visibility.


Operational Resilience Is Moving Beyond Compliance


A major shift discussed throughout the event was the evolution of operational resilience itself. Many firms have spent the past several years building resilience programs largely driven by regulatory expectations. Important business services were mapped. 


But the consensus in Amsterdam was that the market is now moving into a different phase. Firms are discovering that resilience cannot remain a static annual exercise supported primarily by documentation and governance reviews. Operating environments change too quickly. Supplier ecosystems evolve continuously. Threat conditions shift daily. External dependencies fluctuate in real time.


In a roundtable hosted by Josephine Degaita, Head of Group Operational Risk, National Bank of Greece, panelists made it clear that operational resilience is now a matter of national importance and the lack of visibility itself is becoming an urgent risk. For example, if there is exposure from a shared payment system across many organizations, the risk needs to be surfaced and communicated immediately. Without preparedness frameworks - and without technology that surfaces the risks in the first place - companies and even entire countries are exposed. 


Several discussions throughout the event reflected growing concern around “decision latency” – the gap between detecting emerging risk conditions and operationalizing a response. Many firms already possess the underlying operational, cyber, vendor, geopolitical, and external intelligence signals. The challenge is recognizing how those signals connect across suppliers, cloud providers, geopolitical events, cyber activity, and operational dependencies before disruption occurs.


The firms making progress are increasingly focused on reducing that latency.



The Visibility Problem Is Expanding Faster Than Most Firms Can Manage


One of the clearest operational challenges discussed across sessions was the sheer complexity of maintaining continuous visibility across modern ecosystems.


Most firms no longer operate within clearly bounded environments. Critical services depend on sprawling external networks involving technology vendors, data providers, outsourcing partners, cloud infrastructure, software libraries, logistics providers, and regional political conditions.


Lack of visibility can present in a number of ways, but two of the most urgent noted at the conference were:

  • Unforeseen concentration: A firm may believe it has diversified vendors, while multiple suppliers ultimately rely on the same infrastructure provider, software component, or geopolitical region. These hidden overlaps create resilience blind spots that are difficult to uncover through traditional assessment processes.

  • Unknown fourth- and fifth-party exposure: Beyond third parties sits a vast network of fourth-, fifth- and nth-party exposure. Every supplier introduces additional software dependencies, infrastructure partners, data services, contractors, and regional dependencies that often sit entirely outside direct oversight. As those relationships expand, so does the surface area for cyber incidents, operational disruptions, regulatory failures, geopolitical exposure, and service instability.

In both cases, the challenge is understanding how interconnected these dependencies are before disruption occurs. Each dependency introduces its own operational risks. More importantly, each dependency also introduces additional interconnected relationships that are often difficult to observe directly.


This creates a difficult reality for resilience teams: exposure can expand faster than governance structures can adapt.

Organizations are beginning to recognize that resilience depends not only on internal controls, but on the ability to continuously synthesize external intelligence, dependency mapping, behavioral indicators, and operational signals into actionable insight.

Panelists noted that supply chain mapping is no longer being treated as static documentation for regulatory purposes. Organizations are increasingly using mapping dynamically during real-world geopolitical and cyber scenarios to understand hidden fourth-party and infrastructure dependencies. Yacine El Mhamedi El Alaoui, Head of Global Markets Operational Security & Resilience, Société Générale CIB, shared an example where they used threat intelligence and supplier mapping during the Middle East conflict to assess indirect exposure to an impacted AWS Bahrain data center.

The example illustrated how resilience programs are evolving from periodic assessment exercises into live operational capabilities designed to identify interconnected exposure before disruptions cascade across critical services.



Examining the Role of DORA


DORA surfaced repeatedly throughout the event, but interestingly, many discussions were less focused on compliance itself and more focused on the operational visibility gaps DORA is exposing inside large institutions.


Traditional resilience approaches often rely on periodic reviews, questionnaires, and internally reported metrics. Those approaches remain important, but they are increasingly insufficient for identifying dynamic external risk conditions across interconnected ecosystems.


Several panels focused on DORA, including “Reflect On The Key Challenges & Successes Of DORA Implementation & Move Beyond Checklist Compliance To Living, Breathing Operational Resilience.”


Panelists spoke about the need to bring various risk vectors together into a single view, given the interconnected nature of risk today. The framework itself needs to mirror the reality of today’s risk landscape.


Beneath a good framework is a need for readily available data and real-time analytics. The ability to quickly surface relevant data and evaluate that data effectively requires a more active approach than checklists can provide. The current integration project will only be as valuable as the ability to operationalize it.



Concentration Risk Is No Longer Abstract


One of the strongest themes throughout the event was the elevation of concentration risk into a board-level concern. Historically, concentration risk discussions often focused on financial exposure or direct vendor relationships. Today, the scope is much broader. For example, at Société Générale, operational resilience and TPRM are directly sponsored by the CEO and head of risk, reflecting how central the topic has become to enterprise strategy and regulatory oversight.  


When it comes to concentration risk specifically, organizations are increasingly dependent on a relatively small number of cloud providers, critical technology platforms, data providers, and shared infrastructure vendors. While these relationships create efficiency and scalability, they also create systemic exposure. In many cases, firms are discovering that concentration risk does not disappear through diversification – it simply moves deeper into shared infrastructure layers that are harder to discover. The issue is not simply whether a single supplier fails. It is whether multiple business functions, geographies, or services become vulnerable to the same hidden dependency simultaneously.


This is particularly challenging because many organizations still lack complete visibility into their extended ecosystems. Third-party monitoring has improved across the industry, but fourth- and fifth-party dependencies remain difficult to identify, quantify, and continuously assess. That visibility gap matters.



The Industry Is Shifting From Documentation to Decisioning


One of the clearest shifts throughout the event was the movement from framework-centric resilience programs toward operational decisioning. 

For years, resilience maturity was often measured by the completeness of policies, mappings, inventories, and governance structures. Those capabilities still matter. But they are no longer sufficient on their own.

The firms that appear most advanced are increasingly focused on questions like:

  • Can we identify hidden dependency concentration before disruption occurs?

  • Can we detect changes across supplier ecosystems in near real time?

  • Can we connect operational, cyber, geopolitical, and third-party signals together?

  • Can leadership make decisions quickly enough when conditions shift?

  • Can resilience intelligence become operational rather than retrospective?

These are fundamentally different questions than the industry was asking even a few years ago.

Pau Prieto Marques, Head of NFR Nordics, Non-Financial Risk, Danske Bank, discussed the need for practical and flexible operational resilience frameworks that empower organizations rather than constrain them. At the same time, several discussions throughout the event reflected a broader recognition that resilience can no longer be managed purely within the boundaries of a single institution given the increasingly interconnected nature of operational risk.

What emerged from the event was a growing understanding that operational resilience is becoming a live intelligence and visibility challenge, not simply a governance exercise.

In highly interconnected environments, resilience is increasingly determined by how quickly organizations can identify hidden dependencies, interpret external change, and operationalize decisions before localized disruptions compound into broader systemic issues.


That is the next phase of operational resilience.




 
 
 
