Operational resilience remains a central pillar of the Financial Conduct Authority’s (FCA) approach to safeguarding the UK financial sector. At C&G, we understand the ongoing significance of these operational resilience requirements for firms across the financial sector. This article highlights the areas where firms should concentrate their efforts to ensure compliance with regulations and long-term resilience.
Understanding FCA operational resilience
Operational resilience refers to a firm’s ability to prevent, adapt to, respond to, recover from, and learn from operational disruptions. The FCA has emphasised the importance of preparing for severe but plausible risks such as cyber-attacks, technological failures and pandemics. Its position is clear: disruptions are inevitable, and firms must minimise their impact on consumers and the wider financial system.
Under the FCA’s operational resilience policy, firms are expected to identify important business services (IBS), set impact tolerances, map dependencies, and conduct rigorous scenario testing. By embedding these requirements into their risk management processes, firms can better prepare for the unexpected.
Key FCA operational resilience observations for firms
Defining Important Business Services (IBS)
Firms must identify their Important Business Services. These are the services whose disruption would have the most significant impact on consumers, market integrity, and the firm’s stability.
The FCA stresses that IBS should be viewed from the consumer’s perspective, not just the firm’s operational standpoint. The guidance from the FCA urges firms to assess the real value of their services and consistently reassess their importance in view of market changes and evolving risks.
Setting and Monitoring Impact Tolerances
Once firms have identified their IBS, they must set clear impact tolerances—limits on the level of disruption they are willing to accept. This includes setting maximum tolerances for the time within which services must be restored to avoid consumer harm.
The FCA stresses that these impact tolerances should be rigorous and that firms must continually monitor and test against them. This means going beyond theoretical scenarios and adopting severe but plausible situations that could genuinely challenge the firm’s ability to operate.
Scenario Testing and Vulnerability Assessments
The FCA’s insights suggest that firms need to conduct detailed and practical scenario testing. By simulating worst-case scenarios, such as cyber-attacks, data breaches, or natural disasters, firms can identify vulnerabilities and ensure that their response mechanisms are effective.
Importantly, the FCA emphasises that testing should not be considered a one-time activity. Instead, it should be an ongoing process, continuously adjusted to address emerging threats and changes in the business environment.
Mapping Dependencies and Interdependencies
Modern financial services firms are closely interconnected through third-party providers, outsourcing arrangements, and technological platforms. The FCA has observed that many firms do not adequately map their dependencies, especially third-party relationships, which could create significant risks during disruptions.
Firms are expected to understand how each part of their supply chain could affect their ability to deliver important services. This involves understanding not only their direct providers but also their providers’ providers—a detailed mapping exercise that identifies vulnerabilities across the entire ecosystem.
Effective Communication and Response Plans
During a crisis, the FCA emphasises the importance of clear communication. It is essential for firms to have well-defined and tested plans for communicating with regulators, clients, and the market during disruptions.
This includes having crisis management protocols in place and ensuring that they are thoroughly rehearsed to enable swift action when real incidents occur. Resilience is not just about recovering quickly, but also about keeping clients informed, providing regulators with clear visibility into the firm’s status, and ensuring that market participants are not left in the dark.
Embedding FCA Operational Resilience into Business as Usual
The FCA’s message is clear: operational resilience cannot be treated as a one-off project. Instead, it must be integrated into the daily operations of the firm.
This involves establishing a continuous feedback loop where lessons learned from past disruptions inform future strategies. Firms are encouraged to assign senior management responsibility for operational resilience, ensuring that it is integrated into the governance, risk management, and business planning processes.
Regular updates, board-level discussions, and internal audits should all be part of the operational resilience journey.
Third-Party and Outsourcing Challenges
Many firms rely on external service providers for critical functions. The FCA is placing a strong emphasis on managing risks associated with these third-party relationships.
Firms must ensure that these providers are held to the same high standards of operational resilience as the firm itself. Service-level agreements (SLAs) should be robust and include clear terms around disruptions, response times, and recovery expectations.
Additionally, firms must consider contingency plans for when third-party services fail and should have alternative arrangements in place.
Final thoughts: Operational resilience beyond the FCA deadline
The March 2025 deadline for full compliance with the FCA’s operational resilience framework has now passed. Firms are expected to demonstrate that they are operating within their approved impact tolerances under severe but plausible scenarios — and to provide ongoing evidence of this in day-to-day practice.
Key priorities for firms:
- Ensure that your board continues to review and approve plans for operational resilience, with regular testing and updates.
- Review and update important business services, impact tolerances, and dependency mappings in light of changing market or internal conditions.
- Integrate scenario testing into your risk management cycles, not as a one-off exercise but as a continuous discipline.
At C&G, we support firms across the UK financial services industry in maintaining robust operational resilience frameworks. Whether you need help with scenario design, impact assessments, or governance reviews, our team of experts is ready to assist.
Operational resilience is no longer something to prepare for. It’s an expectation. Let’s ensure your firm stays ready.
Contact our team today for more information on how C&G can help your firm embed operational resilience.
References
- Financial Conduct Authority (2024). Operational resilience: Insights and observations for firms [https://www.fca.org.uk/firms/operational-resilience/insights-observations].
- FCA Policy Statement PS21/3 (2021). Building operational resilience: Feedback to CP19/32 and final rules [https://www.fca.org.uk/publication/policy/ps21-3.pdf].

