RiskMutation™ Strategic Roadmap: Building Operational Resilience


ACA Compliance Group





  • Cybersecurity
  • RiskMutation
  • BCP

For financial services firms, RiskMutation is accelerating the modernization of risk and compliance management. To effectively manage RiskMutation, firms need agility, scalability, and resilience so they can quickly adapt to circumstances and successfully seize opportunities while mitigating continuously evolving risks.

To successfully navigate the future of risk and compliance in the age of RiskMutation, ACA recommends that risk and compliance leaders adopt the following three strategies:

  • RegTech: Leverage regulatory technology (RegTech) to transform risk and compliance functions while delivering cost savings
  • Outsourcing: Achieve better results, increased agility, and scale for less
  • Operational Resilience: Build operational resilience to manage cyber threats, business disruption, and third-party risk across the enterprise and beyond

The business case for a strong operational resilience program

Firms are facing a growing number of operational risks, including global pandemics, natural disasters, geopolitical threats, economic crises, and third-party risks like supply chain disruptions. The capability to manage these risks effectively, efficiently, and promptly determines a firm’s level of operational resilience.

Operational resilience is the practice of ensuring that a firm can absorb and adapt to risks and shocks that mutate across functions throughout the extended enterprise, both downstream and upstream. It is critical to protecting against RiskMutation. Ensuring that risk and compliance functions are resilient is paramount, as regulators and investors expect firms to operate and function as required during these conditions and thereby help the financial system absorb and adapt to them. Private equity firms face similar concerns when acquiring portfolio companies.

We asked attendees of ACA's recent Fall 2020 Compliance Conference for their take on various topics related to operational resilience at their firms. Here's what we found*:

  • Firms said that the following areas related to operational resilience could benefit from better technology: vendor oversight (54%), business continuity (20%), and portfolio company risk management (20%).
  • When asked which areas related to operational resilience will require the biggest increase in risk and compliance management resources in the coming year, 65% of firms said cybersecurity and privacy and 47% said third-party risk management.

We also asked firms about their views on technology related to cyber resiliency:

Polling Question on Operational Resilience

(*Respondents were allowed to select multiple options for each poll question.) 

Achieving operational resilience in the age of RiskMutation

Our recent white paper, The Future of Risk and Compliance in the Age of RiskMutation, discusses operational resilience in detail and provides concrete action steps and guidance for investment management firms. It discusses:

  • The benefits of operational resilience
  • Key components of a strong operational resilience program
  • The business case for investing in operational resilience
  • A case study illustrating the ROI for investing in operational resilience using a real ACA client scenario
  • The strategic roadmap for building operational resilience


Watch the fall conference session on demand

Watch the on-demand recording of the session The Future of Risk and Compliance in the Age of Risk Mutation from ACA's Fall 2020 Virtual Conference here.

About the Author

Mike Pappacena

Mike Pappacena is a Partner at ACA Aponix, the cybersecurity and IT risk division of ACA Compliance Group. Prior to ACA, Mike served as a project manager for Jefferies LLC and worked on several compliance initiatives. In addition, he spent fifteen years at Goldman Sachs, where, as a vice president in the Technology Division, he managed development teams supporting the firm’s Legal, Compliance and Audit, Sarbanes-Oxley, Operational Risk, and Technology Risk departments. He also managed Fundamental Equities and Alternative Investments in the GSAM division. Earlier in his career, Mike worked as an engineer at Long Island Lighting Company (now PSEG).

Mike earned his Bachelor of Electrical Engineering degree from the Pratt Institute and his Master of Business Administration degree (Finance concentration) from Adelphi University.