However, incident management must now evolve alongside the operational models of firms, which have significantly increased in complexity due to several factors:
Rapid evolution of technology, adding significant architectural complexity.
Increasing reliance on third parties to deliver business processes, which, in turn, have their own intricate operating models.
Globalisation of services and the growing desire to leverage internal services across multiple legal entities and countries (resulting in increasing challenges to prevent a local issue from rapidly escalating into a global problem).
Firms are also navigating an increasingly volatile macroeconomic environment, impacted by geopolitical events, fluctuations in interest rates and inflation, net zero targets and a rise in attacks on their systems, such as ransomware attacks.
The varying forms that incidents can take, such as operational failures, third-party issues, cyber incidents and data loss. Specialist skills are required to manage each of these (and to respond to different regulators), increasing the complexity of incident management.
Given these factors, it is unsurprising that firms have faced a notable rise in both the number and severity of incidents. These incidents have led to heightened regulatory scrutiny and increased compliance requirements. Regulators are keen to enhance digital resilience and gain better visibility into disruptions that could affect the stability of individual firms and the broader financial system - regardless of the nature of the incident.
In light of these circumstances, it is crucial for firms to evaluate whether their incident management operating models and processes are suitable for the digital age. This article explores the future of incident management, focusing on the impact of regulation on incident operating models; the need to enhance policies and better understand the IT estate to support compliance; and interoperability across incident management data, business processes and tooling.
Under PRA CP17/24, an ‘operational incident’ is defined as either a single event or a series of linked events that:
disrupts the delivery of a service to an end user external to the firm; or
impacts the availability, authenticity, integrity or confidentiality of information or data relating or belonging to such an end user.
Firms should consider re-evaluating their approach to 'operational incident management', moving beyond a siloed focus based on the nature of the incident. Effective incident management necessitates coordination among SMEs to categorise issues, assess losses, and report in an insightful manner. Dependence on relatively junior IT staff for incident management is no longer adequate. Firms where incident response is primarily driven by technology must evaluate whether this structure remains effective and whether the coordinators hold sufficient seniority to manage the complexities involved.
Incident management responsibilities should not be confined to IT. It's essential to define the roles of key stakeholders, including Information Security, Third-Party Risk Management (TPRM), Technology Risk, Operations, Resilience, and Data Privacy. This broader involvement is necessary to address the broad spectrum of incidents that may require regulatory reporting.
Firms need to delineate between incident management teams and those responsible for reporting to regulators during incidents. Historically, regulatory liaison and incident reporting responsibilities have often resided within second-line functions. However, given the evolving landscape - with regulators seeking dynamic and timely interactions during incident responses - there is now an expectation for first-line teams, who have more first-hand detailed insights into the incidents, to input into regulatory returns or even engage more directly with regulators. This engagement ensures regulators receive accurate, timely and relevant information, enhancing confidence in the firm's incident management processes.
Firms should prioritise upskilling incident coordinators and first-line incident managers to better understand regulatory expectations related to incident notification and reporting. Additionally, fostering closer collaboration between first-line operational teams and second-line compliance teams is critical. Such collaboration will help ensure that external reporting activities do not inadvertently compromise incident resolution efforts or escalate regulatory concerns due to inadequate or inconsistent communication.
The recent UK regulatory consultations (FCA CP24/28, PRA CP17/24) and existing regulations such as DORA and US SEC Cyber Disclosure Rules are raising expectations on incident management. They require clearly documented and operationalised policies; granular incident classifications; stringent reporting timelines; and clear mapping of technology and business dependencies. Firms should consider making enhancements across the areas outlined below.
Policy
Incident Management policies must outline clear, repeatable procedures for detecting, classifying, escalating, and resolving IT incidents, while meeting timeframes for notification. If consolidating different approaches to incident management into a single policy is impractical, firms should at least strive to ensure traceability and consistency across the existing policies related to incident management (IT and non-IT incidents) - while also considering the interaction between incident management and crisis management.
Thresholds
DORA and the UK consultation papers mandate granular incident classification criteria. Firms cannot afford to apply vague thresholds. Incidents must be categorised by impact and severity, triggering the appropriate response and communication cascade, including mandatory reporting to regulators within hours for major incidents.
Mapping of interdependencies
Regulations place an increased demand on firms to understand their IT estate and the business processes it supports. Too often, incident response is hampered by fragmented knowledge of:
which technology and data assets underpin critical services (and where these assets support multiple services)
which third-party vendors (including cloud and intragroup providers) are involved directly or indirectly
which business services, processes or products would fail if a certain platform goes down.
Without a clear understanding of the interdependencies, an incident response will be reactive at best and blind at worst. Organisations are obliged to close these knowledge gaps. This means:
mapping technology and third-party dependencies to key business services
documenting the interconnections between services and systems
establishing visibility into cloud workloads, including geographic locations, failover arrangements, and shared tenancy risks.
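As an added illustration (not from the original article), the three knowledge gaps above can be answered from a small service-dependency map once it exists; every service, asset and vendor name below is constructed for the example.

```python
# Added example: a minimal dependency map of the kind the text says firms
# must build, queried for (1) assets shared across services, (2) vendors
# involved directly or indirectly, (3) services that fail if an asset goes down.
# All node names are constructed for illustration.
from collections import deque

# Directed edges: each node -> the nodes it depends on (constructed sample).
DEPENDS_ON = {
    "Payments (IBS)":       ["PaymentGateway", "CoreLedger"],
    "Online Banking (IBS)": ["WebPortal", "CoreLedger"],
    "Card Issuing":         ["CardPlatform"],
    "PaymentGateway":       ["CloudRegionA", "VendorClearingCo"],
    "WebPortal":            ["CloudRegionA", "IdentityService"],
    "CoreLedger":           ["OnPremDC1"],
    "CardPlatform":         ["VendorCardBureau"],
    "IdentityService":      ["CloudRegionA"],
}
# Nodes that are third parties (cloud, intragroup or external vendors).
VENDORS = {"CloudRegionA", "VendorClearingCo", "VendorCardBureau"}

def transitive_dependencies(node):
    """All assets/vendors a node relies on, directly or indirectly (BFS)."""
    seen, queue = set(), deque(DEPENDS_ON.get(node, []))
    while queue:
        dep = queue.popleft()
        if dep not in seen:
            seen.add(dep)
            queue.extend(DEPENDS_ON.get(dep, []))
    return seen

def business_services():
    """Nodes nothing else depends on are the top-level business services."""
    all_deps = {d for deps in DEPENDS_ON.values() for d in deps}
    return {n for n in DEPENDS_ON if n not in all_deps}

def shared_assets():
    """Gap 1: assets that underpin more than one business service."""
    usage = {}
    for svc in business_services():
        for asset in transitive_dependencies(svc):
            usage.setdefault(asset, set()).add(svc)
    return {a: s for a, s in usage.items() if len(s) > 1}

def vendors_for(service):
    """Gap 2: third parties involved in a service, directly or indirectly."""
    return transitive_dependencies(service) & VENDORS

def blast_radius(asset):
    """Gap 3: business services that would fail if this asset goes down."""
    return {s for s in business_services() if asset in transitive_dependencies(s)}
```

Running `blast_radius("CloudRegionA")` on this sample shows a single cloud region taking down both IBS services, which is exactly the shared-tenancy exposure the mapping exercise is meant to surface.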
Continuous validation of the incident management process
Regulators require ongoing assurance that incident management processes work effectively in real time and in retrospect. Firms must:
monitor adherence to policies
conduct periodic reviews of incident logs, response times, and containment strategies
close gaps proactively whether they stem from process failures, tooling limitations, or misaligned third-party SLAs.
‘Lessons learned’ activities previously received less focus - but they are now essential, with post-incident reviews required not only to assess root cause and enhance resilience, but also to refine detection, escalation, and response mechanisms.
Consider cross-border requirements
Many firms operate across multiple jurisdictions, and designing an incident management process that addresses diverse regulatory requirements can be challenging. Reporting a cross-border incident that impacts different territories in various ways, and in different languages, can take focus away from response activities. While striving for a unified process that accommodates all countries may seem appealing, it is essential to conduct jurisdictional analysis to identify competing and complementary regulatory requirements (even down to the format in which regulators require incidents to be reported). Moreover, firms should critically evaluate whether certain requirements might be excessively burdensome if applied universally.
“Growing technological complexity, third-party reliance, globalisation and increasing regulatory scrutiny require firms to take a more integrated and proactive approach to incident management.”
Penny Flint
Partner, PwC United Kingdom
Incident reporting process and alignment across incident management
The requirements proposed under the recent consultation (CP17/24) will, if implemented, drive firms with multiple incident management processes to harmonise these into a single, integrated incident reporting framework. This unification demands alignment of internal criteria, clearly defined roles and responsibilities, and standardisation of escalation and reporting mechanisms to ensure consistency across the organisation. Firms must also balance harmonisation with the need to maintain accountable ownership for incident management within operational domains, recognising potential internal resistance to changing well-established, function-specific protocols.
Technology and tooling requirements for incident reporting
The technology landscape for incident reporting has evolved significantly from manual, labour-intensive processes to advanced, AI-driven automated platforms. Firms are increasingly adopting solutions such as:
IT service management systems
cyber incident response platforms
governance, risk and compliance solutions
regulatory reporting solutions
advanced analytics tools for detection, classification, triage and predictive incident management.
To address the regulatory requirements, firms must integrate these diverse platforms into a consolidated reporting capability. The ongoing shift to automated, AI-driven reporting processes offers significant opportunities for real-time insights, reduced manual effort, enhanced accuracy, and proactive incident prediction. However, it also introduces challenges around data management, system interoperability, governance, and demonstrating regulatory compliance across automated processes.
Data requirements for efficient reporting
Incident reporting will demand robust data inputs, not only from IT and technology systems (such as timestamps, outage durations, system logs) but also non-technical operational data, such as the impact on Important Business Services (IBS), financial costs of disruptions and customer harm assessments. Gathering, consolidating and analysing this diverse data set requires clearly defined data models, effective governance and a greater level of collaboration across different data owners.
Practically, firms need to build a comprehensive and unified incident reporting data model capable of handling structured and unstructured data from multiple sources. Data quality management, timely data collection, and consistent data formats will be essential. Therefore, firms must establish processes for defining, collecting, validating, and reporting incident data, ensuring that internal and external reporting obligations are met reliably and effectively.
Practical implementation: integrating process, technology and data
Implementing the incident reporting requirements successfully will require firms to align their incident reporting processes, technology stack, and data models. Practically, this implies:
Reviewing, harmonising, and possibly redefining existing incident classification thresholds, reporting timelines, and criteria to align closely with regulatory parameters.
Ensuring effective interoperability between multiple incident management tools, through technical integration, middleware deployment, or by adopting enterprise reporting solutions.
Organisations will need a carefully planned and phased implementation programme, recognising the interdependencies between process harmonisation, technology deployment, and data readiness. Effective governance, strong senior leadership support, stakeholder buy-in across operational domains, and targeted change management efforts will be critical enablers for successful regulatory alignment.
Growing technological complexity, third-party reliance, globalisation and increasing regulatory scrutiny require firms to take a more integrated and proactive approach to incident management. Firms which view incident management as a strategic capability and not just a regulatory checkbox have an opportunity to become more trusted, robust, and future-ready.
Firms have not previously encountered such substantial changes within their internal operating models while simultaneously adapting to an ever-evolving external landscape. It is essential for firms to recognise both internal and external factors, ensuring that their incident management processes are effectively tailored to the current operational environment. Acknowledging the necessary transformation is crucial for developing a fit-for-purpose incident management capability that adequately addresses today's complex challenges.
Regulation around incident reporting is increasingly driving firms to have a granular understanding of the technology assets, data assets and third parties supporting their business processes.
Firms should strive to align regulatory requirements around incident management and reporting - recognising that different regulators may apply different thresholds, timelines and formats for reporting.
Incident reporting is only as effective as the underlying processes and data. Building an effective data model takes time - but it can provide greater insight into resilience and improve proactivity.
Clearly defined roles and enhanced collaboration between first-line (Operations and Technology) and second-line (Compliance and Regulatory Liaison) will help deliver effective incident reporting.
Penny Flint
Partner, Financial Services and Third Party Risk Management, PwC United Kingdom
+44 (0)7803 858309
Danny Chamings
Director, Financial Services Technology Governance, Risk and Control, PwC United Kingdom
+44 (0)7967 490435
Director, Technology Risk and Resilience, PwC United Kingdom
Drew Kemp
Manager, Financial Services and Third Party Risk Management, PwC United Kingdom
+44 (0)7483 376681
Ian Fife
Manager, Financial Services Technology Risk and Resilience, PwC United Kingdom
+44 (0)7718 978354