An Operational Resilience Assessment (ORA) measures your organisation's ability to keep critical services running through serious disruption. It translates the findings into the language of the board: Business impact, growth implications and regulatory relevance.
It is an assessment, not an audit. It's collaborative, blame-free and built to inform decisions, not apportion fault. Where technical assessments speak to IT teams, the ORA speaks to the people accountable for the services and the growth objectives: Operational managers, executives, risk committees and boards.
Every finding is presented in plain language, scored on the five-level CM-Alliance Resilience Maturity Model, and uniquely assessed for its bearing on your stated growth objectives through our proprietary Resilience–Growth view.
The result: A decision-ready picture of where your genuine exposures sit, which ones threaten your growth plans, what they mean for regulatory expectations, and a prioritised, costed roadmap suitable for budget and risk-register decisions.
Boards are increasingly expected to own operational resilience — but most resilience reporting arrives as technical detail the board can't act on, or reassurance it can't verify. The ORA solves both problems. Let's look at the main reasons why organisations commission one.
The ORA gives executives and risk committees a plain-language view of how resilient critical services really are and where the genuine exposures sit. The insights provided are decision-ready, not jargon-heavy.
The Resilience–Growth view explicitly links each finding to your stated business objectives. You see which exposures could slow or threaten those goals, and which strengths enable them, so investment is prioritised where it matters most.
With the UK operational resilience regime (FCA PS21/3, PRA SS1/21) now in its ongoing operational phase, firms must continuously update their mapping, testing, and self-assessments. Concurrently, the critical third parties regime (PS16/24) targets concentration risk at the sector level. DORA has been in effect since January 2025 for organisations with EU exposure. The ORA distinctly signposts exactly how your specific findings intersect with these regulatory expectations.
Dependencies on single platforms, suppliers and shared services are among the most common causes of serious operational disruption. The ORA surfaces these critical dependencies and frames their overall business consequence, before they disrupt your operations. Rather than focusing on dense technical details, the ORA exposes concentration risk by framing single-platform and third-party dependencies in plain business language that clearly defines why the board should care and what action is required.
Findings arrive with a risk heat map, prioritised roadmap, indicative timelines and effort estimates that map directly onto a corporate risk register. This gives the board a defensible basis for prioritisation and spend.
Re-assessing later evidences your movement up the maturity levels and demonstrates the return on remediation investment — a compelling story for regulators, insurers, customers and investors alike.
For UK-authorised financial services firms, the operational resilience framework is set by the FCA (PS21/3, "Building operational resilience") and the PRA (SS1/21). With the transitional period ended in March 2025, firms are now in the ongoing operational phase: mapping, testing and self-assessment must be kept current, and firms are expected to remain within impact tolerances for important business services. Separately, the critical third parties regime (PS16/24) addresses concentration and third-party dependency at sector level.
Where your organisation has EU operations, group entities, or acts as an ICT provider to EU financial entities, the Digital Operational Resilience Act (DORA) — applicable since 17 January 2025 — becomes relevant, spanning ICT risk management, incident reporting, resilience testing, third-party risk and the register of information.
The ORA signposts where your findings relate to these expectations. It is relevance signposting, not a compliance assessment — where a formal position is needed, we offer dedicated FCA/PRA and DORA readiness assessments as separate, deeper engagements.
Most assessments tell you how exposed you are. The ORA goes further: it shows you what each finding means for your growth.
Every finding is scored on two separate axes:

You learn not just where you stand, but where to invest first: The priority quadrant is where low capability meets a material threat to growth, and that's where board attention delivers the greatest return.
(Note: Growth impact is a directional prioritisation aid tied to your own stated objectives, not a financial forecast, valuation or quantified revenue prediction.)
The exact scope is agreed during a short scoping conversation. The ORA can focus on a critical business service, operational domain, technology-enabled service, regulatory exposure, growth objective or resilience programme.
Typical areas covered include:
- Critical business services and the technology that supports them
- Important operational dependencies
- Platform, supplier and concentration risks
- Business impact of severe disruption
- Growth objectives affected by resilience gaps
- Executive ownership and accountability
- Service continuity and recovery assumptions
- Risk-register relevance
- Operational resilience maturity
- Regulatory relevance, where applicable
- Roadmap for improvement and reassessment
An ORA is valuable when leadership needs a clear, business-facing view of resilience. Good triggers include:
- Before a board or risk committee review
- When launching a new critical digital service
- When entering a new regulated market
- After a major outage, cyber incident or near miss
- During operational resilience programme delivery
- When critical services depend on a small number of suppliers or platforms
- When technology risk needs to be translated into business risk
- Before major investment in resilience, continuity or recovery capability
- After completing a Technical Resilience Assessment
- When you need to evidence progress against resilience maturity
Give senior leaders a clear, plain-language view of resilience capability, business impact and priority actions. No translation needed between IT and the boardroom.
A defensible baseline today, a realistic 12-month target and re-assessment to prove the progress.
Tabletop exercises test how your organisation responds on the day. The ORA measures your underlying operational resilience — and frames it against your growth objectives and regulatory expectations. If your board has seen exercise reports and asked "so how resilient are we, really — and what should we spend on it?", the ORA is the answer.
The ORA engages your operational managers and board-level owners — the people accountable for the critical services and for the growth objectives.
Recommended participants include:
- Chief Operating Officer
- Chief Risk Officer
- Chief Information Officer
- Chief Information Security Officer
- Business service owners
- Operational resilience leads
- Business continuity leads
- Technology risk leaders
- Compliance or regulatory affairs representatives
- Third-party risk owners
- Board or risk committee representatives where appropriate
For the detailed technical picture behind the same findings, pair the ORA with its companion, the Technical Resilience Assessment (TRA), which engages your technical and IT leads.
The ORA works best when operational, technical and executive perspectives are represented. The goal is to connect how services operate in practice with the decisions senior leaders need to make about resilience, growth and risk.
An ORA is a practitioner-led assessment of your organisation's ability to keep critical services running through serious disruption, presented in the language of the board: business impact, growth implications and regulatory relevance. Findings are scored on a five-level maturity model and delivered with a risk heat map, regulatory signposting and a prioritised 12-month roadmap.
They're standalone companion assessments sharing one evidence base and one maturity scoring framework. The TRA serves technical teams with detailed findings and remediation; the ORA serves executives, boards and risk committees with decision-ready business insight. Take either on its own, or both — the two reports tell one consistent story to two audiences.
It's our distinctive two-axis scoring approach. Every finding is scored for capability (0–4 maturity) and for growth impact (▲▲ to ▼▼) — a directional indicator of how it bears on your stated business objectives. This shows you not just where you stand, but where to invest first: the priority quadrant is where low capability meets a material threat to growth.
No. Growth impact is an indicative, directional assessment tied to your own stated objectives. It is not a financial forecast, valuation or quantified revenue prediction — it's a prioritisation aid that helps the board direct resilience investment towards business goals.
Neither. It's an assessment, not an audit — collaborative and blame-free, built to find improvement, not fault. And its regulatory section is relevance signposting, not a compliance verdict: it shows where findings relate to FCA/PRA and DORA expectations, but confirming a compliance position requires a dedicated readiness assessment, which we offer separately.
One focused, facilitated session of one to two hours with your operational managers and board-level owners. We handle all preparation, facilitation and reporting.
The people accountable for the critical services and the growth objectives — typically COOs, operations directors, service owners, heads of risk and risk-committee members. Their perspective is what allows findings to be framed against real business goals.
For UK firms, findings are signposted against the FCA/PRA operational resilience regime (PS21/3 and SS1/21) and the critical third parties regime (PS16/24). Where you have EU exposure, operations, group entities or ICT services to EU financial entities, findings are also mapped to the relevant DORA themes, such as ICT third-party risk, incident detection and resilience testing.
The ORA stands alone. It's a natural next step if you've run tabletop exercises (they test the day; the ORA measures underlying resilience), and having done the ORA, the TRA is the logical companion for your technical teams — but neither is a prerequisite for the other.
A board- and risk-committee-ready document: executive summary and headline position table, findings in business terms (business impact, affected functions, why the board should care, recommended action), a risk heat map, regulatory relevance mapping, a maturity trajectory with a phased 0–12 month roadmap, and areas of strength.
Annually, or sooner after material change — a new critical service, a major platform migration, an acquisition or a significant third-party change. Re-assessment evidences progression up the maturity levels and demonstrates the return on your remediation investment.
No. Regulatory expectations are most developed in financial services, which is why the ORA's signposting focuses there — but any organisation with critical services, growth ambitions and dependency risk benefits from a board-level view of its resilience. The methodology, maturity model and Resilience–Growth view apply across sectors.
"In order for BMJ to the right way forward we looked for a VCISO to advise us on the right way to do things and give us expertise. We went to Cyber Management Alliance and it's been about a year now and we ran workshops, looked at our response to incidents, created the incident response plan and we are in a position now where we understand our way forward. Our VCISO keeps us on our toes and overall it's been a very effective way of delivering expertise into the organisation that we wouldn't have normally had."
Aaron Townsend, Service Delivery Manager, British Medical Journal
It starts with a short scoping conversation — we'll define the services in scope, capture your growth objectives, and confirm who should be in the room.