Forging Resilience: The Future of Business Continuity in Japan's Financial Sector

Japan's financial institutions operate in a landscape where static business continuity plans are a liability, and dynamic resilience is the only viable path to ensuring institutional survival and market stability. The convergence of persistent seismic threats, climate-related disasters of increasing frequency and severity, and highly sophisticated cyber-attacks creates an intensifying risk environment where ensuring the stability of financial services is a strategic imperative of the highest order.

The latest Financial System Report Annex analyzes the evolution of business continuity management (BCM) within the Japanese financial sector, drawing on key findings from the Bank of Japan's comprehensive 2025 survey of 381 financial institutions. It provides a data-driven assessment of the industry's current state of readiness, comparing preparedness levels against a similar survey conducted in 2014 (!). Furthermore, it examines the transformative impact of the COVID-19 pandemic, which served as a real-world stress test for long-duration crises.

Ultimately, this post charts the critical shift occurring within the industry—a move away from traditional, cause-based BCM and toward a more holistic and dynamic operational resilience framework. The goal is to provide financial executives with actionable insights to benchmark their own efforts and build future-proof resilience strategies capable of safeguarding their institutions and the customers they serve in an era of unprecedented uncertainty.

1. The Evolving Threat Landscape: From Natural Disasters to Multi-faceted Crises

Accurately perceiving and planning for a broadening range of threats is fundamental to effective resilience. A static risk register is a relic; resilience now demands a dynamic threat intelligence posture. The latest survey data reveals a clear expansion in the types of crises that firms are actively preparing for, reflecting a more complex and interconnected world.

The primary threats identified by financial institutions in the 2025 survey show a continued focus on foundational risks alongside a growing awareness of emerging dangers. The most widely anticipated events include:

• 震災 (Earthquakes): A near-universal concern, deeply embedded in the risk consciousness of Japanese institutions.
• 感染症 (Infectious Diseases): Elevated to a top-tier threat for virtually all firms following the global pandemic.
• サイバー攻撃 (Cyber-attacks): A prominent and growing concern as digitalization accelerates.
• 風水害 (Floods and Wind Damage): A significant threat, reflecting the increasing impact of severe weather events across the country.

A Decade of Shifting Perceptions

A comparison with the 2014 survey data reveals a significant evolution in how financial institutions perceive risk. While traditional threats remain central, the last decade has seen a marked increase in the prioritization of newer, more complex challenges, as demonstrated by the sharp rise in the percentage of firms planning for them.

Heightened Focus on Seismic Risk

Beyond a general concern for earthquakes, institutions are focusing their planning on specific, high-impact scenarios. The 南海トラフ地震 (Nankai Trough Earthquake) is a primary concern, particularly for institutions located in the Shikoku and Kinki regions, where preparedness is a top priority. Notably, interest in this specific threat was amplified across the country following the Hyuga-nada earthquake in August 2024, which triggered a "Nankai Trough Earthquake Extra Information (Giant Earthquake Alert)" and served as a powerful reminder of the ever-present seismic risk.

This evolving threat perception sets the stage for a deeper analysis of how institutions are translating awareness into tangible preparedness.

2. Assessing the State of Preparedness: Progress and Persistent Gaps

Understanding the current state of BCM maturity across different types of financial institutions is crucial for identifying systemic strengths and vulnerabilities. The 2025 survey provides a clear picture of preparedness across three core pillars: personnel, systems, and the interconnected third-party ecosystem. While significant progress has been made, persistent gaps remain.

2.1 Personnel and Training: The Human Element of Resilience

Effective crisis response is fundamentally reliant on people. The survey reveals a divergence in the maturity of personnel planning. While 80% of Major Banks report having fully identified emergency staff and confirmed their ability to assemble during a crisis, many Regional and Shinkin Banks lag behind. Over 60% of these institutions have identified emergency personnel, but have not yet completed the critical steps of confirming assembly feasibility or have yet to quantify the surge in manual processing required when automated systems fail.

The execution of training and drills further illustrates this gap between planning and validated capability:

• Emergency Contact Drills: This foundational practice is widespread, with most institutions conducting regular drills via emergency contact systems. A smaller subset enhances realism by performing unannounced drills.
• Assembly Drills: While over 60% of Major and Regional Banks conduct assembly drills for headquarters staff, this practice is significantly less common among Shinkin Banks.
• Executive-Level Engagement: A critical gap exists at the leadership level. Drills specifically for executives are conducted by less than half of institutions in any category. Similarly, while cross-departmental exercises are common, they are typically performed with pre-disclosed scenarios. Institutions report that organizing more complex, unannounced drills involving executive participation is challenging. This lack of executive-level testing directly correlates with the widespread uncertainty revealed later in this analysis, where 60-80% of institutions admit their BCP's effectiveness is either partially insufficient or simply unknown until a real crisis strikes.

2.2 Systems and Infrastructure: The Technological Backbone

The technological resilience of the financial sector has advanced considerably. The survey highlights high adoption rates for critical infrastructure redundancy:

• Offsite Backup Systems: The deployment of geographically separate backup centers is now standard practice for the most critical systems. Over 90% of institutions across all categories have established remote backups for their 勘定系 (core banking) systems. For インターネットバンキング (internet banking) systems, adoption exceeds 70% for most institutional types.
• Core System Failure Readiness: Most institutions report that they are continuously verifying their information-sharing protocols and recovery procedures to prepare for core banking system failures, ensuring that both technical and human processes are ready.
• Advanced Physical Redundancy: Major Banks are leading the way in enhancing the resilience of administrative functions by implementing バックアップオフィス (backup offices) and デュアルオペレーション体制 (dual-operation systems), which allow critical back-office work to continue seamlessly from an alternate location.

2.3 Third-Party Risk Management: The Interconnected Ecosystem

Financial services are delivered through a complex web of external partners and suppliers. While institutions have made progress in managing this interconnectedness, significant vulnerabilities remain. The survey shows a strong focus on risk management for critical third parties related to core banking and internet banking systems, with most firms incorporating this into their BCM frameworks.

However, a critical gap emerges when considering the broader ecosystem. The oversight of その他の重要なサードパーティ (other important third parties) is far less mature, with a significant number of institutions reporting this as merely "under consideration" or "not planned." This blind spot represents a potential source of systemic risk, as a failure in a less-obvious but still critical supplier could cascade through the system.

This assessment of preparedness highlights a sector that has built a strong foundation but must now address the nuances of human readiness and ecosystem-wide risk, a challenge brought into sharp focus by the COVID-19 pandemic.

3. The COVID-19 Catalyst: Accelerating the Shift to Dynamic Resilience

The long-duration, systemic disruption of the COVID-19 pandemic served as an unprecedented real-world stress test for the global financial system. It moved beyond traditional disaster recovery scenarios—which often assume a geographically contained, short-term event—and forced a fundamental re-evaluation of business continuity. The experience became a powerful catalyst, accelerating the shift toward more dynamic and flexible resilience strategies.

The response from Japanese financial institutions was decisive. A significant majority revised their Business Continuity Plans (BCPs) in light of the pandemic's lessons: approximately 90% of Major and Regional Banks and just under 70% of Shinkin Banks undertook formal reviews and updates.

These revisions were not merely cosmetic; they reflected key strategic shifts in thinking:

• Long-Term Scenario Planning: Institutions reviewed and refined their plans to account for long-duration events, moving beyond the traditional 24- or 48-hour recovery mindset.
• Remote Crisis Management: The necessity of decentralized operations led to the formal establishment of protocols for information sharing and crisis response using remote work technologies, ensuring that command-and-control functions could operate effectively without a central physical presence.

Crucially, the adaptations forced by the pandemic have yielded lasting operational benefits. The widespread adoption of remote work spurred permanent improvements in IT infrastructure and fostered an expansion of non-face-to-face customer services. This has inherently increased the sector's operational flexibility and resilience. As one key insight from the survey period noted, "the scope of operations that can be continued without requiring the assembly of emergency personnel during a disaster has expanded." This operational evolution directly addresses the challenges identified in personnel planning, particularly for Regional and Shinkin Banks, by reducing the dependency on physical assembly feasibility—a previously noted gap in their preparedness.

The practical lessons learned during the pandemic have paved the way for the formal adoption of a more advanced conceptual framework for resilience, one that moves beyond reacting to specific causes and focuses instead on maintaining critical outcomes.

4. The Paradigm Shift: From Business Continuity to Operational Resilience

The lessons of the past decade, culminating in the experience of the COVID-19 pandemic, are driving a paradigm shift in strategic thinking: from traditional, cause-based Business Continuity Management (BCM) to the more holistic, impact-focused framework of Operational Resilience. This advanced approach prioritizes the continuity of critical business services from the end user's perspective, regardless of the disruption's specific cause—be it a natural disaster, a cyber-attack, or a third-party failure.

In short, traditional BCM asks, “What do we do if a typhoon hits our data center?” Operational Resilience asks, “How do we guarantee we can always process payments, regardless of what happens to any single data center, system, or vendor?”

Evidence from the 2025 survey shows that the principles of Operational Resilience are already taking root within Japanese financial institutions. This trend is visible in two key areas:

1. All-Hazards Approach: Institutions are increasingly adopting response plans based on the effect of a disruption (e.g., loss of a key building, unavailability of personnel, system outage) rather than its specific cause. This "all-hazards" methodology provides greater flexibility and applicability across a wider range of potential crises.
2. User-Centric Service Levels: There is a growing practice of first identifying critical business functions from the customer's perspective and then setting minimum service levels that must be maintained, even under duress. This approach accepts that disruptions will occur and shifts the focus from preventing failure to guaranteeing a baseline of service continuity for users.

This evolution is not just a theoretical exercise; it is a necessary response to a recognized gap between planning and execution. A frank self-assessment of BCM effectiveness by the surveyed institutions reveals a significant degree of uncertainty.

This data is telling: a majority of institutions acknowledge that their plans have shortcomings or that their true effectiveness remains an unknown until a real crisis hits. The shift toward an Operational Resilience framework—with its focus on impact tolerance, rigorous testing, and end-to-end service continuity—is a direct and necessary evolution to close this significant perceived gap between planning on paper and guaranteeing performance under pressure.

5. Conclusion: Actionable Imperatives for Future-Proofing the Financial Sector

The Japanese financial sector has made significant and commendable progress in strengthening its business continuity frameworks over the past decade. However, the findings of the 2025 Bank of Japan survey make it clear that the work is far from over. An evolving threat landscape, coupled with the profound lessons from the COVID-19 pandemic, demands a relentless focus on enhancing the demonstrable effectiveness of resilience strategies. For financial executives, moving forward requires translating broad awareness into focused, decisive action.

Based on the analysis of the current landscape, the following imperatives should guide the next phase of resilience planning:

1. Embrace a Dynamic Threat Horizon: Static BCPs are no longer sufficient. Leadership must champion a culture of continuous reassessment, actively scanning for and incorporating emerging threats—from sophisticated cyber warfare and the cascading effects of climate events to geopolitical instability—into scenario planning and testing.
2. Close the "Effectiveness Gap" Through Rigorous Testing: The survey's self-assessment data, which shows that 60-80% of firms lack full confidence in their plans, is a call to action. Executives must move beyond compliance-driven drills and champion comprehensive, unannounced, and cross-departmental training exercises that genuinely test decision-making capabilities at the leadership level.
3. Harden the Entire Ecosystem, Not Just the Core: The identified weakness in managing risks associated with "other important third parties" is a critical vulnerability. Resilience oversight must be extended across the entire value chain, demanding greater transparency and demonstrable preparedness from all critical partners, not just primary IT vendors. This isn't merely a supply chain issue; it's a systemic stability issue. A failure in an unmonitored "other important third party" could be the next black swan event for the sector.
4. Operationalize the Lessons of COVID-19: The flexible operating models and remote work capabilities developed during the pandemic should not be viewed as temporary measures. They must be permanently embedded into the organizational structure to create a more agile and resilient posture that enhances the ability to respond to all types of disruptions, not just public health crises.
5. Accelerate the Shift to an Operational Resilience Mindset: This is the ultimate strategic goal. The paradigm must shift from developing siloed recovery plans for specific threats to building an integrated, firm-wide capability focused on a single, non-negotiable outcome: ensuring the continuity of critical services for customers and the market, under any and all circumstances.

Cybersecurity Self-Assessment of Japanese Regional Banks

The Bank of Japan has published an annex to its “Financial System Report” focusing on the results of a cybersecurity self-assessment (CSSA) for regional financial institutions in Japan during fiscal year 2023. 1. Introduction & Background * Purpose of the Report: The Bank of Japan (BOJ) and the Financial Services Agency (FSA)

Japan FinTech ObserverNorbert Gehrke