
Three operational resilience predictions we got right (and one we got wrong) in 2024



Not every forecast holds up. But when they do, it pays to highlight why.


In our Operational Resilience Outlook Report 2024, we outlined the shifts we expected to see across regulation, risk, and organisational maturity. A year later, some of those predictions have become reality while others were underplayed.


Here’s what we got right, what we missed, and what it means for the road ahead.



1) Third-party risk became impossible to ignore


What we predicted: Third-party dependencies would dominate the risk agenda, and failures would ripple far beyond IT.


What happened: Microsoft estimated the CrowdStrike outage in July 2024 knocked about 8.5 million Windows devices offline — grounding flights, freezing ATMs and disrupting services globally.


UK supervisors followed up with explicit lessons for firms: third-party issues were the leading cause of operational incidents reported to the FCA, and the March 2025 deadline to operate within impact tolerances remained in force. Supplier disruption is now firmly established as part of resilience planning, not an edge case.


Australian institutions faced their own crises. Westpac suffered multi-day app and internet-banking outages in October 2024, prompting attention from the Australian Financial Complaints Authority. And the Australian Retirement Trust apologised after around 20,000 members had pension payments delayed.


Prediction confirmed: Regulators and firms alike now treat supplier disruption as a governance issue, not a technical footnote.



2) Enforcement, not just expectation, became the norm


What we predicted: Boards would face direct consequences if resilience fell short.


What happened: The FCA reiterated that by 31 March 2025 firms must operate within impact tolerances (not merely plan towards them). Falling short risks supervisory action.


In November 2024, the UK regulators finalised the Critical Third Parties regime — gaining direct oversight of systemic providers while stressing accountability remains with firms’ boards and senior management.


Regulators also moved to tighten reporting. The PRA’s CP17/24 proposed standardised, more consistent reporting of operational incidents and material third-party arrangements; the FCA’s CP24/28 did likewise on the conduct side. Together they point to higher-quality resilience data landing on regulators’ desks. 


The trajectory is clear: Accountability is already real — and the paperwork is getting teeth.



3) Capability, not intent, became the bottleneck


What we predicted: The handbrake wouldn’t be enthusiasm; it would be skills and process.


Our 2024 survey put the skills/knowledge gap as the top execution challenge (with scenario testing close behind) and found 42.3% still running resilience on documents/spreadsheets while only 7.7% used a dedicated solution. The 2024 report also captured a striking optimism about resilience programs, which we flagged as a concerning 'perception gap'.


What happened: That’s exactly where 2025 bit. Supervisors kept the line on outcomes while acknowledging delivery strain. In Australia, APRA CPS 230 came into force 1 July 2025, but some smaller institutions were given extra time on selected elements to 1 July 2026—a nod to implementation capacity and the lift involved in mapping, testing and supplier coverage.


In the UK, the FCA’s post-deadline Operational Resilience insights/observations called out uneven readiness and the need for credible mapping, testing cadence and remediation owned by senior management.


Prediction confirmed: The constraint is people and practice. Until teams close the capability gap with cross-functional skills, a repeatable testing process, and systems that turn work into evidence, the proof burden will bite.



BONUS

What we underplayed: Disruption is constant, not occasional


What we said (fair at the time): In the 2024 Outlook we used PwC’s two-year incidence stat—“91% of organisations experienced at least one disruption over the last two years (excluding the pandemic)”—to show how widespread disruption had become. It did that job, but it soft-pedalled frequency.


What changed: By 2025, enterprise data reframed the reality: organisations report an average of 86 outages per year - weekly (or even daily) for many large companies. That’s a totally different operating tempo (State of Resilience 2025, Cockroach Labs).


Why it matters: If disruption is constant, your resilience programme can’t be episodic. Testing and remediation need to run as a cadence, not a campaign (scenario testing as BAU; evidence tied to impact tolerances) - exactly the direction the FCA has pushed for in its post-deadline guidance.


Call it: We underplayed the cadence. The headline isn’t “disruption happens”; it’s “disruption rarely stops.” And is your testing and remediation process fast enough to keep up?



Practical next steps


The story is simple. Third-party failures are a board problem, not an edge case. Enforcement has arrived, and the data you report is getting standardised. The limiter is execution capacity—mapping, testing, evidence—week in, week out.


Drova’s Operational Resilience & Compliance platform is built to make the evidence the easy part: map important services, set and monitor impact tolerances, record scenario tests (including AI-assisted test generation), and produce board- and supervisor-ready reports - all aligned with regulatory compliance frameworks like APRA's CPS 230 or the FCA's PS21/3.


Simply start for free and scale from there.



 
 


© 2024 Drova Pty Ltd. All rights reserved.
