Short answer: Firms do not need to turn operational resilience into a heavy compliance project. A useful starting point is to know which services are critical, who supports them, how incidents are handled, and whether recovery has been tested.

What this helps you check

Use this as a practical starting point for a calmer internal review.

  • Critical systems and supplier dependencies
  • Microsoft 365 recovery and continuity settings
  • Who owns decisions during an outage or incident

On 18 June 2026, the Reserve Bank of New Zealand - Te Putea Matua released consultation material for the Deposit Takers Standards Tranche 3 exposure drafts. One part of that package is draft guidance for an Operational Resilience Standard.

That material is written for deposit takers. It is not a checklist for every law firm, accounting practice, advisory firm, or financial advice business. Still, it points to a broader business reality: modern firms are deeply dependent on technology, cloud platforms, and external providers. If those systems stop, the firm feels it quickly.

For professional services firms, operational resilience is not an abstract policy term. It is whether people can access email, client files, practice systems, finance data, phones, identity tools, and backups when something goes wrong.

The current NZ signal

RBNZ's draft operational resilience guidance discusses critical operations, material service providers, business continuity planning, ICT incidents, and the need to understand third-party arrangements. Its May 2026 Financial Stability Report also noted a financial market infrastructure outage in the first quarter of 2026 that was resolved within three hours, while still disrupting a large volume of transactions and affecting other market infrastructure.

For EQIQ's clients, the lesson is not that a small professional services firm should copy banking regulation. The lesson is simpler: when a firm relies on a handful of platforms and providers, resilience needs to be designed before an incident, not improvised during one.

1. Name the systems the firm cannot operate without

Start with the ordinary systems that carry the working day. For many firms, that means Microsoft 365, Teams, SharePoint, accounting or practice-management software, phones, remote access, device management, internet connectivity, security tools, and backups.

A short register is enough to begin. List the system, what it supports, who owns it internally, who supports it externally, and what happens if it is unavailable for one hour, one day, or longer.

This turns vague technology risk into a practical conversation about client service, deadlines, payroll, billing, confidentiality, and team productivity.

2. Review supplier dependence before it becomes time-sensitive

RBNZ's material gives close attention to material service providers. In professional services, the same thinking applies in a lighter, practical way.

Which providers support systems that matter most? Who has administrator access? What support hours apply? Where is data stored? What happens if the provider is unavailable, the account owner leaves, or a key integration fails?

This is not about building paperwork for its own sake. It is about reducing avoidable confusion when time matters.

3. Make incident roles clear

During an outage, cyber incident, or major supplier failure, firms need fast clarity. Who decides priorities? Who contacts the provider? Who communicates with staff? Who approves recovery actions? Who keeps a record of decisions?

Small firms can handle this with a simple incident role list. The important point is that the list is current, accessible outside the affected system, and understood by the people likely to be involved.

If the plan only exists inside the system that has failed, it is not yet resilient.

4. Test recovery, not just backup status

Backups often look fine on a dashboard. The more useful question is whether the firm has restored the right data recently and knows how long recovery would take.

That includes email, SharePoint or file storage, finance data, practice records, key laptops, and cloud applications. It also includes knowing what is not backed up by default.

A short recovery test can reveal gaps early: missing data, unclear permissions, slow restores, old dependencies, or support assumptions that were never written down.

5. Treat Microsoft 365 governance as operational resilience

For many New Zealand professional services firms, Microsoft 365 is the operating layer for daily work. It carries email, documents, Teams conversations, calendars, file sharing, identity, and increasingly AI-connected features.

That means governance is not just a tidy-up task. MFA, administrator roles, guest users, shared links, retention settings, sensitivity labels, mailbox rules, conditional access, and device compliance all affect resilience.

If these settings are loose, an incident can spread further. If they are reviewed and maintained, the firm has a better chance of containing problems and continuing critical work.

6. Keep the plan light enough to use

Operational resilience should be practical for the size and complexity of the firm. A 20-person advisory firm does not need a bank-sized framework. It does need clear ownership, basic records, tested recovery, and a calm incident process.

A useful first version can be built around five questions:

  • Which services would seriously disrupt the firm if they failed?
  • Who owns each service inside the firm and who supports it externally?
  • What access, supplier, and recovery risks need attention first?
  • Who makes decisions during an outage or cyber incident?
  • When did we last test recovery for the systems that matter most?

If those answers are unclear, the next step is a focused technology review with practical improvements in priority order.

Common questions

Does RBNZ's June 2026 operational resilience material apply to every professional services firm?

No. The RBNZ consultation material discussed here is directed at deposit takers. This article draws general technology-risk lessons for professional services firms and is not regulatory advice.

What should smaller firms take from operational resilience guidance?

A practical starting point is to identify critical services, confirm who is responsible for them, review key suppliers, test recovery, and make sure incident roles are clear before pressure arrives.

Is this article legal, financial, regulatory, privacy, or compliance advice?

No. It is general information about technology risk and operational readiness. Firms should take appropriate professional advice for their own obligations and circumstances.

Source note

This article is based on official Reserve Bank of New Zealand - Te Putea Matua material: Deposit Takers Standards Tranche 3 supporting information (18 June 2026), Operational Resilience Standard draft guidance (June 2026), and the Financial Stability Report May 2026 (published May 2026, with relevant updates noted by RBNZ in May 2026).

Compliance note: This article is general information only. It is technology-risk guidance, not legal advice, financial advice, regulatory advice, privacy advice, or compliance advice. Firms should take appropriate professional advice for their own obligations and circumstances.