Regulators view operational resilience as a top priority. This is not surprising: according to Sophos, in 2024 nearly two-thirds of energy, oil, gas, and utilities organisations reported ransomware attacks, with average recovery costs rising to around $3 million. This is a clear reminder that real-world disruptions are already affecting the sector. As a result, utilities and trading firms can no longer rely on policies, plans, or high-level diagrams as evidence of resilience. They must show that resilience works in practice, has been tested in realistic conditions, and is supported by clear evidence.
This reflects the critical role these organisations play in the economy. Utilities support public safety and essential services, while trading operations are central to energy markets and financial stability. Disruption in either area can have widespread consequences. Regulators are therefore paying closer attention to whether these organisations can withstand major shocks and recover within defined limits.
A series of recent incidents at South East Water has further highlighted why regulators are pushing for demonstrable, operational resilience rather than theoretical assurance. The prolonged outage that followed the shutdown of a treatment facility already flagged as high risk, which affected 24,000 households for two weeks, was later deemed entirely predictable by regulators. Only weeks later, more than 30,000 customers across Sussex and Kent faced extended disruption as ageing infrastructure failed under seasonal pressure. These failures underscore the systemic risks that emerge when maintenance backlogs, structural weaknesses and untested contingencies converge. They also reinforce the regulator's position that resilience must be evidenced through real-world performance, not assumed from documentation.
Why resilience audits are intensifying
Across the UK and Europe, regulators are aligning around the need for proof. In the UK, Ofgem’s oversight of critical infrastructure increasingly overlaps with the Financial Conduct Authority’s expectations for market-facing trading entities. At a European level, frameworks such as DORA make it clear that ICT and operational risk are seen as potential sources of systemic harm and not just technical issues.
This has changed expectations at senior levels. Operational resilience is no longer something that can sit solely with risk, compliance, or IT teams. It is now treated as a governance matter, with direct implications for licences, market participation, reputation and investor confidence.
What regulators audit
Although frameworks differ across regions, resilience audits in utilities and utility trading firms tend to focus on the same core areas:
- Critical services and real-world impact
Regulators expect organisations to clearly identify their most important services based on external impact, not internal structure. This includes areas such as grid control, generation management, billing, trade execution, and settlement. Auditors look for evidence that these services are prioritised according to potential harm to customers, markets, and public safety.
- Achievable impact tolerances
Firms must define how much disruption they can tolerate for each critical service and show that these limits can realistically be met under stress. Regulators often challenge whether stated recovery objectives are achievable, whether they align with public and market impact, and whether they are genuinely owned at board level. Tolerances that exist only in documentation are a frequent cause of audit findings.
- Dependency mapping across IT, OT, and third parties
Utilities typically operate complex environments that combine legacy operational technology, modern IT systems, cloud services, and external providers. Regulators now expect these dependencies to be mapped end to end, including people, sites, data flows, manual processes, and suppliers. Audits regularly uncover single points of failure, particularly where outsourcing arrangements have developed over time.
- Scenario testing and operational validation
Testing is now a central focus of resilience audits. Regulators expect scenarios that are severe but plausible, such as a cyber incident during peak demand, extreme weather combined with market volatility, or the loss of a critical supplier. They also look at whether tests reflect real operational constraints and whether results lead to meaningful remediation. Tabletop exercises alone are increasingly seen as insufficient.
- Third-party oversight
Outsourcing does not reduce accountability. Utilities and trading firms are expected to show clear due diligence on critical suppliers, ongoing monitoring of supplier resilience, contractual rights to audit and test, and credible exit or substitution plans. Regulators are explicit that reliance on third parties is not an acceptable explanation for service failure.
- Governance and continuous improvement
Auditors pay close attention to governance arrangements, including senior accountability, board visibility, and how issues are tracked and resolved. Weak governance is often treated as a sign of wider operational risk. Regulators expect resilience to be managed on an ongoing basis, not as a one-off compliance exercise.
The consequences of falling short
Failing a resilience audit rarely stops with the audit itself. Financial penalties and mandated remediation programmes are often followed by increased supervisory oversight, including more frequent inspections, prescriptive requirements, and reduced tolerance for future incidents.
There can also be commercial consequences. Trading counterparties may reassess exposure, customers may review contractual commitments, and future tenders can be affected during due diligence.
Reputational impact is often the most lasting. Resilience failures that affect consumers or markets can attract media and political attention. In interconnected energy markets, loss of trust can spread quickly and take years to rebuild.
Bridging the gap between policy and performance
Resilience audits consistently reveal a gap between what organisations say they can do and what they demonstrate in practice. Closing this gap requires more than compliance knowledge. It depends on a clear understanding of how utilities and trading operations actually function under stress, including the interaction between systems, people, and third-party providers.
Managed service providers with sector-specific experience can play an important role here. The challenge goes beyond designing resilient environments: it extends to operating them effectively, testing them thoroughly, and producing evidence that stands up to regulatory scrutiny.
Experience at 11:11 Systems shows that true resilience comes from treating it as fundamental infrastructure, not an optional layer bolted on at the end.
The integration of Sungard Availability Services, together with 11:11 Systems’ additional acquisitions, has further strengthened this end-to-end approach, unifying impact analysis, architecture design, disaster recovery, cyber recovery, and regulator-grade testing within a single lifecycle.
The value of this approach lies in understanding regulatory expectations and translating them into operational capability that can be demonstrated, measured, and improved over time.
Resilience as a strategic asset
Operational resilience is often seen mainly as a defensive requirement, focused on avoiding regulatory action or penalties. In practice, organisations that invest in credible, tested resilience see wider benefits. These include greater confidence in transformation programmes, stronger relationships with regulators and counterparties, and improved trust with customers and investors.
Regulatory expectations will continue to rise as utilities digitise further and energy markets become more complex and volatile. Organisations that perform well will be those that treat resilience as an ongoing capability, supported by partners who understand both regulatory demands and operational reality.
In today's environment, resilience that cannot be demonstrated is unlikely to meet regulatory expectations, and audits increasingly reflect this shift from intention to evidence.