Operational Risk & People

The Resilience Blind Spot

The PRA wants to know if your business can survive disruption. The answer depends on your people more than your technology.
Domi Alzapiedi, Chief People Officer · March 2026

The Prudential Regulation Authority’s 2026 supervisory priorities flag operational resilience as a top concern — specifically, the capacity of financial institutions to survive disruption: supply chain failure, cyber attack, loss of key people, infrastructure collapse. The framework is now in full effect. Most banks have mapped their important business functions, run their scenarios, documented their recovery procedures. And most have missed the largest vulnerability on the list: key person dependencies.

The resilience framework focuses heavily on technology and third-party risk, which are easier to model and easier to control. It mentions people in passing, usually as a line in a business continuity plan: “ensure adequate cover for key staff.” In reality, most financial institutions are structurally vulnerable to the loss of specific people — and the regulator is going to notice.

Why people create resilience risk

Organisations flatten. Budgets tighten. Specialist knowledge concentrates. A lean team is an efficient team until something breaks, and then it’s a broken team with no redundancy and nobody who knows how to fix it.

In SME banking, where teams are tight and specialist knowledge is scarce, this is acute. The relationship manager who knows the clients, the credit analyst who understands the credit book, the operations person who knows why the system works the way it does — these people have become indispensable in practice, even if they’re not indispensable in theory. If that person gets ill, retires, or is poached by a competitor, the business doesn’t just lose their output. It loses institutional knowledge that nobody else has documented.

Meanwhile, 38 percent of employees in financial services are likely to leave their role within 12 months. One in three lack confidence that they can keep pace with the skills their role will need in the future. That turnover accelerates knowledge loss. And yet most operational resilience frameworks treat people strategy as separate from operational risk — something the people function handles independently.

The PRA can test your IT systems’ ability to recover from an outage. They cannot easily test whether your business can function if three key people leave next month. But they’re going to ask.

What the regulator actually expects

The operational resilience framework requires firms to assess their important business functions and test whether they can continue to deliver during disruption. The regulator is now asking specifically: how do you maintain continuity in roles where knowledge is concentrated? What’s your plan for institutional memory? How quickly can you backfill a critical position and get someone productive?

In practice, this means the CPO needs to be able to show the regulator:

First, documentation of critical knowledge. Not just in people’s heads, but in places where someone else can access it if they leave. This sounds obvious. Most organisations are poor at it. The relationship manager has the client knowledge. The credit analyst has the credit models. The operations person has the process documentation. If they leave, the knowledge goes with them.

Second, succession depth. For every critical role, is there a backup? And is that backup prepared enough to step in if the primary person is unavailable? Not in six months after a transition. Immediately. Or close to it.

Third, knowledge transfer protocols. When someone moves roles or leaves, what happens to their knowledge? Is there a structured process for documenting and transferring what they know? Or does the knowledge just get lost?

Fourth, cross-training and role flexibility. The organisation that can function when people are unavailable is the one where knowledge is distributed, not concentrated. That requires deliberate investment in cross-training and role overlap, which feels inefficient until the person gets sick and suddenly it looks like genius.

2 to 3x longer operational disruption when the loss of a critical person coincides with a technology outage, compared with a technology outage alone. The resilience scenario that nobody tests is: a critical person leaves and the system fails at the same time. In SME banking, it’s a plausible scenario. — Bank of England / FCA stress test analysis, 2025

The convergence problem

This is where talent hoarding, succession planning, knowledge management, and operational resilience all converge into a single governance failure. A manager who refuses to let good people move because they’re too valuable in the current role is creating resilience risk. An organisation that hasn’t documented how critical processes actually work is creating resilience risk. A business that has no backup for key positions is creating resilience risk. And yet these risks sit in different functional areas — talent management, operations, risk — with no clear owner.

The CPO who understands resilience can connect these dots. The organisation that wants to be resilient needs to deliberately trade off short-term efficiency for longer-term risk reduction: invest in documentation, develop backups, accept some role overlap, allow people to move because you’ve prepared for the gap.

The regulator is not going to accept “we tried to retain key people but they left anyway” as evidence of resilience. They will accept “we have documented knowledge, prepared backups, and tested our ability to continue without key people” — and they will want to see evidence that you’ve actually done it.

The practical starting point

If you’re a CPO whose operational resilience programme is sitting in the risk function without meaningful people strategy attached, it’s time to change that. Start here:

Map critical knowledge. For each important business function, identify the people without whom it cannot continue. That’s not the entire team — it’s the two or three people who, if they left tomorrow, would cause real disruption. Then document their knowledge explicitly.

Assess depth. For each critical role, is there a credible backup? If yes, are they prepared? If no, what would it take to prepare someone? That’s not a vague “we should cross-train” — it’s a concrete plan with timelines.

Test continuity. Run a scenario: what happens if this person is unavailable for two weeks? A month? Can the business function continue? If the answer is no, that’s a resilience gap that needs closing.

Build governance. Operational resilience is not a one-time exercise. Knowledge concentration changes. People retire. Critical roles shift. The organisation needs a standing process for understanding and managing key person risk.


The organisations that will pass regulatory scrutiny on operational resilience are the ones that treat people strategy not as separate from resilience, but as foundational to it. Your business can survive a technology outage if you have the right systems and people. But it cannot survive the loss of critical knowledge if that knowledge only exists in one person’s head. That’s not a people problem. It’s an operational risk that the regulator will eventually ask about — probably at the worst possible time.

Domi Alzapiedi is a Chief People Officer in banking, focused on the intersection of people strategy, organisational design, and commercial performance. She writes about the questions that keep leadership teams honest.