As the 31 March 2025 deadline approaches, the Financial Conduct Authority (FCA) has published observations on how firms should embed operational resilience into their risk and control frameworks. At C&G, we understand the significance of this issue for firms in the UK financial services sector. This article highlights the areas where firms should concentrate their efforts to ensure compliance with the rules and to build long-term resilience.
Understanding FCA Operational Resilience
Operational resilience refers to a firm’s ability to prevent, adapt to, respond to, recover from, and learn from operational disruptions. The emphasis is on preparing for severe but plausible scenarios, such as cyber-attacks, technology failures, and even pandemics. The FCA’s position is straightforward: disruptions are unavoidable, so firms must be prepared to minimise their impact on consumers and the broader market.
The FCA’s operational resilience framework requires firms to identify important business services (IBS), set impact tolerances, map dependencies, and conduct robust scenario testing. By embedding these requirements into their risk management processes, firms can better prepare for the unexpected.
Key FCA Operational Resilience Observations for Firms
Defining Important Business Services (IBS)
Firms must identify their Important Business Services. These are the services whose disruptions would have the most significant impact on consumers, market integrity, and the firm’s stability. The FCA stresses that IBS should be viewed from the consumer’s perspective, not just the firm’s operational standpoint. The guidance from the FCA urges firms to assess the real value of their services and consistently reassess their importance in view of market changes and evolving risks.
Setting and Monitoring Impact Tolerances
Once firms have identified their IBS, they must set clear impact tolerances: the maximum tolerable level of disruption to each service. A tolerance is usually expressed as the maximum time a service can be unavailable before consumers or market integrity suffer intolerable harm, and it can be supplemented with other measures such as the number of customers or transactions affected. The FCA stresses that these impact tolerances should be rigorous and that firms must continually monitor and test against them. This means going beyond theoretical scenarios and adopting severe but plausible situations that could genuinely challenge the firm’s ability to remain within tolerance.
Scenario Testing and Vulnerability Assessments
The FCA’s insights suggest that firms need to conduct detailed and practical scenario testing. By simulating worst-case scenarios, such as cyber-attacks, data breaches, or natural disasters, firms can identify vulnerabilities and ensure that their response mechanisms are effective. Importantly, the FCA emphasises that testing should not be considered a one-time activity. Instead, it should be an ongoing process, continuously adjusted to address emerging threats and changes in the business environment.
Mapping Dependencies and Interdependencies
Modern financial services firms are closely interconnected through third-party providers, outsourcing arrangements, and technological platforms. The FCA has noticed that many firms do not adequately map their dependencies, especially third-party relationships, which could create significant risks during disruptions. Firms are expected to understand how each part of their supply chain could affect their ability to deliver important services. This involves understanding not only their direct providers but also their providers’ providers—a detailed mapping exercise that identifies vulnerabilities across the entire ecosystem.
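The dependency mapping, impact tolerances and scenario testing described above lend themselves to a small, repeatable analysis rather than a one-off spreadsheet. The following is an added illustration, not code from the FCA or from C&G: it holds a constructed dependency map in which each edge means "depends on", walks the map transitively so that providers' providers (fourth parties) are picked up, reports which dependencies are shared by the most important business services, and tests a hypothetical outage of one node against each affected IBS's impact tolerance. All service, vendor and tolerance values are invented for the example.

```python
"""Transitive IBS dependency mapping and impact-tolerance checks (illustrative)."""
from typing import Dict, List, Set, Tuple

# Constructed sample data: hypothetical services, systems and vendors.
# graph[a] lists what a depends on directly. Anything reachable from an IBS
# through these edges is a dependency of that IBS, including fourth parties.
DEPENDENCIES: Dict[str, List[str]] = {
    "IBS: Retail payments": ["Payments platform", "Core banking"],
    "IBS: Mortgage servicing": ["Core banking", "Document management"],
    "IBS: Online banking": ["Web tier", "Core banking", "Identity provider"],
    "Payments platform": ["CloudCo region-1", "SWIFT gateway vendor"],
    "Core banking": ["Mainframe DC", "CloudCo region-1"],
    "Document management": ["DocVendor"],
    "Web tier": ["CloudCo region-1"],
    "Identity provider": ["IdPVendor"],
    "DocVendor": ["CloudCo region-1"],       # fourth party: the vendor's own host
    "IdPVendor": ["TelcoX"],                 # fourth party: the vendor's network
    "SWIFT gateway vendor": ["TelcoX"],      # same fourth party, different route
}

# Constructed impact tolerances (hours of disruption before intolerable harm).
IMPACT_TOLERANCE_HOURS: Dict[str, int] = {
    "IBS: Retail payments": 4,
    "IBS: Online banking": 8,
    "IBS: Mortgage servicing": 48,
}


def important_business_services(graph: Dict[str, List[str]]) -> List[str]:
    """IBS nodes are marked by the 'IBS: ' prefix in this constructed map."""
    return sorted(n for n in graph if n.startswith("IBS: "))


def upstream(node: str, graph: Dict[str, List[str]]) -> Set[str]:
    """Every direct and transitive dependency of node (iterative DFS, cycle-safe)."""
    seen: Set[str] = set()
    stack = list(graph.get(node, []))
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(graph.get(current, []))
    return seen


def affected_ibs(failed_node: str, graph: Dict[str, List[str]]) -> List[str]:
    """Which IBS lose a dependency (at any depth) if failed_node goes down."""
    return [ibs for ibs in important_business_services(graph)
            if failed_node in upstream(ibs, graph)]


def concentration(graph: Dict[str, List[str]]) -> List[Tuple[str, int]]:
    """Each dependency with the number of IBS that rely on it, most shared first."""
    counts: Dict[str, int] = {}
    for ibs in important_business_services(graph):
        for dep in upstream(ibs, graph):
            counts[dep] = counts.get(dep, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def tolerance_breaches(failed_node: str, outage_hours: int,
                       graph: Dict[str, List[str]],
                       tolerances: Dict[str, int]) -> List[str]:
    """IBS whose impact tolerance is exceeded by an outage of failed_node."""
    return [ibs for ibs in affected_ibs(failed_node, graph)
            if outage_hours > tolerances[ibs]]


if __name__ == "__main__":
    for dep, n in concentration(DEPENDENCIES)[:4]:
        print(f"{n} IBS depend on {dep}")
    # Scenario: the shared telco (a fourth party) is down for six hours.
    print("TelcoX 6h affects:", affected_ibs("TelcoX", DEPENDENCIES))
    print("TelcoX 6h breaches:",
          tolerance_breaches("TelcoX", 6, DEPENDENCIES, IMPACT_TOLERANCE_HOURS))
```

The point of the transitive walk is visible in the TelcoX scenario: TelcoX never appears in any IBS's direct dependency list, yet a six-hour loss of it takes retail payments outside tolerance through the SWIFT gateway vendor. In a real firm the map would be populated from the CMDB, contract register and vendor questionnaires, and the scenarios replayed whenever the map or the tolerances change.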
Effective Communication and Response Plans
During a crisis, the FCA emphasises the importance of clear communication. It is essential for firms to have well-defined and tested plans for communicating with regulators, clients, and the market during disruptions. This includes having crisis management protocols in place and ensuring that they are thoroughly rehearsed to enable swift action when real incidents occur. Resilience is not just about recovering quickly, but also about keeping clients informed, providing regulators with clear visibility into the firm’s status, and ensuring that market participants are not left in the dark.
Embedding FCA Operational Resilience into Business as Usual
The FCA’s message is clear: operational resilience cannot be treated as a one-off project. Instead, it must be integrated into the daily operations of the firm. This involves establishing a continuous feedback loop where lessons learned from past disruptions inform future strategies. Firms are encouraged to assign senior management responsibility for operational resilience, ensuring that it is integrated into the governance, risk management, and business planning processes. Regular updates, board-level discussions, and internal audits should all be part of the operational resilience journey.
Third-Party and Outsourcing Challenges
Many firms rely on external service providers for critical functions. The FCA places a strong emphasis on managing the risks in these third-party relationships. Firms must ensure that providers supporting an IBS can meet the firm’s own impact tolerances, since outsourcing a function does not outsource regulatory responsibility for it: the firm remains accountable for the resilience of the service. Service-level agreements (SLAs) should be robust and include clear terms on disruption notification, response times, recovery expectations and the firm’s right to test or obtain assurance. Firms must also plan for the failure of a third-party service, with tested contingency and exit arrangements rather than an assumption that the provider will always recover in time.
Final Thoughts: Preparing for March 2025
As the March 2025 deadline approaches, firms must ensure they are fully aligned with the FCA’s expectations around operational resilience. Failing to do so could lead to regulatory scrutiny, reputational damage, and significant operational risks.
Key takeaways for firms:
- your board must have approved the firm’s self-assessment and the plans showing that each important business service can remain within its impact tolerance under severe but plausible scenarios;
- regular reviews of important business services, impact tolerances, and mapping are essential, especially when your business or market conditions change; and
- scenario testing should be integrated into day-to-day operations, providing ongoing evidence of your firm’s operational resilience.
At C&G, we work closely with firms across the UK financial services industry, helping them to navigate these regulatory expectations. Our team of compliance experts is on hand to provide tailored advice, from mapping important business services to conducting in-depth scenario testing.
Operational resilience is not a box-ticking exercise, it’s about future-proofing your business against the inevitable challenges ahead. With the FCA’s guidance in hand, now is the time to act.
Contact our team today for more information on how C&G can help your firm embed operational resilience.
References
- Financial Conduct Authority (2024). Operational resilience: Insights and observations for firms [https://www.fca.org.uk/firms/operational-resilience/insights-observations].
- FCA Policy Statement PS21/3 (2021). Building operational resilience: Feedback to CP19/32 and final rules [https://www.fca.org.uk/publication/policy/ps21-3.pdf].