FCA operational resilience: What you need to know and how to implement it

If you’re looking to implement operational resilience in time for the Financial Conduct Authority’s (FCA) deadline of 31 March 2025, you may be dealing with:

  • A lack of time to prepare. You realise the deadline is approaching but are behind in implementing the FCA’s operational resilience framework.
  • Limited internal expertise. You’ve completed the self-assessment but are unsure if you’ve missed certain aspects or have gaps in your documentation.
  • Competing priorities. You’ve been working toward maintaining compliance in other areas of your business and don’t have the time or specialised staff needed to implement your operational resilience.

 

While implementing operational resilience is a top priority for financial services firms, it’s difficult to get the job done without the necessary resources or know-how. We know because we see it every day.

At fscom, we’re a team of senior experts with backgrounds in regulation, finance and compliance who help you meet regulations and requirements, like operational resilience.

In this article, we’ll share our expertise and cover:

 

If you’re looking for support in implementing your operational resilience to ensure you get it right, we can help. Contact us today to discover more.

What you need to know about operational resilience

Operational resilience is the FCA's framework for ensuring that a firm can prevent, adapt to, respond to, recover from and learn from operational disruptions, so that disruptions do not cause intolerable harm to consumers or to the wider financial system.

This FCA regulatory requirement serves to protect firms and their internal stakeholders, consumers’ right to services and data privacy, and trust in the financial services sector as a whole. Cyber attacks, wars, and the Covid-19 pandemic are all unexpected operational disruptions that exemplify the importance of providing and investing in operational resilience in financial services and ensuring market integrity.

The FCA has laid out a timeline for operational resilience, which is as follows:

Operational Resilience timeline

PS21/3, the FCA's operational resilience policy statement, set rules that came into force on 31 March 2022. By that date you were required to have completed a self-assessment document in which you had to:

  • Identify your important business services (IBSs).
  • Set an impact tolerance for each IBS: the maximum tolerable level of disruption to that service (typically expressed as a duration, and where relevant other metrics such as the number of customers affected) before harm to consumers or the market becomes intolerable.
  • Carry out initial mapping and testing of operational resilience, including critical processes, technologies and third parties.
  • Spot any vulnerabilities in your resilience and consider the resources needed to mitigate them.
  • Plan for remediation of any known weaknesses with an action plan based on lessons learned from testing.

 

However, many firms have seen this identification and mapping stage as just another desktop exercise. Instead, it offers a clear course of action to strengthen your operational resilience and meet the FCA’s requirements by 31 March 2025.

For more information on the requirements, read our overview on operational resilience.

As experts in financial services compliance, we’ve seen firms underestimate the amount of work needed to comply with the FCA’s operational resilience requirements. Based on our experience, here are three of the most commonly underestimated aspects firms should know about when implementing operational resilience.

 

1. Operational resilience is a whole firm approach (and not limited to compliance)

Disruptions can affect any department within your business. This means adhering to operational resilience compliance will require getting all departments involved, especially your tech, marketing, sales and operations teams.

A company-wide self-assessment allows you to identify where you need to invest in fixing vulnerabilities to ensure resilience across your entire business.

That’s why it’s important to get senior management support from the start to avoid bottlenecks later on that could prevent you from making your firm operationally resilient. Failure to meet these requirements could result in sanctions if the FCA runs a sample check on your company.

 

2. Ensure third-party assurance and supply chain resilience (and understand how far down the supply chain you have to go)

If your IBSs rely heavily on third parties, your resilience is only as strong as theirs. This means that, not only do you need to make your own operations resilient, you also have to make sure your supply chain is just as strong.

For example, if you’re a digital payments firm you may depend on large third parties like electronic money institutions (EMIs) to deliver key services to your customers. If your EMI partner suffered a cyber attack, it could bring not just their business to a halt but yours, too.

You’ll also need to understand how far down your supply chain you need to go because your main suppliers may also outsource to third parties. For instance, if you offer B2B banking, your Banking as a Service supplier may depend on a payment service provider. And that payment provider may also work with third parties, like a separate payment gateway, merchant acquirer and payment processor.

Under the FCA requirements, it remains your responsibility to ensure your third parties have also tested their resilience against severe but plausible scenarios, addressed any vulnerabilities, and are continually working toward operational resilience so that delivery to your clients is maintained.

Read more: How to address the risk of critical third parties

 

3. Know that operational resilience testing differs from a business continuity plan because it’s more client focused

We see many firms confuse an operational resilience policy statement with a business continuity plan. But they are very different: operational resilience focuses on keeping service to your clients and the market within tolerable limits during a disruption, while business continuity focuses on minimising the firm’s own losses and restoring its operations.

Operational resilience testing enables you to identify who your most vulnerable customers are, how a disruption could impact them, and how to keep that impact within tolerance. To do this, you need to simulate possible disruptions and measure how their impact differs across your different clients.

For example, if you offer B2B digital banking, you may have small to medium-sized enterprises (SMEs) as your customer base. A technical disruption may block their funds. While this may cause minimal disruption to freelancers and gig workers who use the banking service to receive sporadic payments, a fully fledged marketplace may depend on your services every day to pay its third-party suppliers. If the marketplace can’t access its funds to pay those suppliers, its own deliveries come to a halt. Between these two customer types, your marketplaces are your more vulnerable customers.

What to have in place by the 31 March deadline

For the FCA operational resilience deadline of 31 March 2025, you need to have completed your self-assessment, which evidences that you have:

  • Gone through the key steps within the self-assessment document
  • Tested for, identified and invested in fixing those vulnerabilities
  • A strategy in place for ongoing assessment

Operational resilience self assessment

By completing the self-assessment you’ll be indicating that you’ve done all the steps and you now have a plan moving forward. This means you’ll need tangible documentation and communications plans, because the FCA could ask for and inspect them (i.e., they may choose to do a sample analysis). If you haven’t completed the documentation and you come under scrutiny, penalties could be severe, such as fines or removal of licences.

For firms regulated in Ireland, the Central Bank of Ireland’s operational resilience guidance does not require a self-assessment document. However, you still need to be able to demonstrate that you’ve followed all the steps and that your firm is operationally resilient.

How to approach the self-assessment (and how we help firms address them)

Many firms may consider the self-assessment as just another desktop exercise. Instead, it’s a firm-wide transformation that offers a clear course of action to strengthen your operational resilience capabilities and meet the FCA’s requirements by 31 March 2025.

Operational resilience framework

These are the main steps of the self-assessment and how to approach them:

 

1. Engage stakeholders and establish a programme of activity

For your operational resilience to work, create a plan of action and appoint the members of your staff who will be involved and responsible for its execution. Define the activities and know who is in charge of each so you can successfully complete the self-assessment documentation and remediate your vulnerabilities.

Since operational resilience is a business-wide responsibility, you’ll want to ensure you involve all areas that are critical to delivery of important business services within the self-assessment. This includes your board and their sign off on the documentation.

Finally, you’ll want to remember to align your operational resilience with your annual business planning and budgeting cycle to calculate the investments and whether there will be a transition period.

At fscom, we can help you engage stakeholders and fill any knowledge gaps surrounding completing the self-assessment documentation through bespoke consultation and workshops. We also help you understand how to integrate operational resilience into your planning and budgeting processes.

 

2. Identify and map your Important Business Services

In this second step, you want to define and map your IBSs across staff, processes, technology, third parties, and more.

What can seem like a simple exercise is actually quite complex. Here you’ll need to:

  • Identify the services that, when disrupted, can affect client delivery or even the wider market. Make sure you document reasons for not defining certain business services as important.
  • Avoid grouping services together, which could cause you to misjudge your impact tolerance (which is the next part of the operational resilience framework), miss possible risks or not make the right investments to remediate vulnerabilities. Without this distinction, you could overlook inputs to a service that, when interrupted, could jeopardise your clients or the market.
  • Analyse every component (people, processes, technology, facilities, information and third parties) that contributes to delivering a given service. If third parties are involved, understand how the various layers of your supply chain can affect client delivery and how deep you need to go to ensure operational resilience.
  • Document your IBSs, including who’s responsible for each component.
  • Get your board to review and approve your IBS identification and mapping.

 

Getting your IBSs right from the start can help you identify impact tolerances. Yet this requires time, expertise and resources.

For this stage, fscom can:

  • Facilitate workshops to help you identify your IBSs.
  • Identify, map and document your IBSs across staff, processes, technology, third parties, and more. We put this into a mapping document to show you which aspects you use to deliver your IBSs.

 

With fscom, we’ll help you identify and map your IBSs as quickly as required.

 

3. Set impact tolerances for your IBSs

Once you’ve identified and mapped your IBSs, you can start to define your impact tolerances. This entails not just measuring how long a disruption lasts (e.g., a cyber attack overwhelms your servers and takes your site offline for minutes or hours) but determining the different types of impact a disruption could have on one or more of your IBSs.

The types of impact could differ based on the IBS and your sector. For example, if you’re a blockchain payment firm, you’d want to evaluate the value or number of transactions disrupted, the tokens lost, and the number of customers affected. It’s in this phase you can better establish who your most vulnerable customers are and how they’re affected, helping you to define your impact tolerances and understand which level of disruption is tolerable, and which isn’t.

This step also enables you to identify the resources and investments needed to remain within your impact tolerances, which you should review at least annually.

Fscom can help define your impact tolerances and make sure you understand your client base (and most vulnerable customers) through testing and simulating disruptions.

 

4. Develop threat scenarios and execute tests to gauge the extent of your operational resilience

To be really prepared (not just for a spot check by the regulators but for a genuine crisis), you need to simulate a real-world disruption to test your infrastructure. This way you can identify the point at which an IBS would breach its impact tolerance.

In this stage, go beyond simple business-continuity testing to measure your operational resilience. You’ll need to perform several tests and increase the intensity each time to create severe disruptions, allowing you to see the different levels of impact and how various parts of your business respond. This includes looking at the effect of disruption across several departments and on third parties to have a complete picture of your strengths and vulnerabilities.

This testing provides the evidence that your IBSs can remain within their impact tolerances. You’ll want a testing plan that you carry out, review and challenge annually, and that receives senior sign-off each year.

At fscom, we can help you test various scenarios and take them to the extreme. You can either have us perform these scenarios for you or receive an outline of the scenarios so you can test them on your own in house. We even partner with specialised firms for more technical testing support, like an IT specialist firm to help with stress testing.

For instance, one of our scenario tests could start with a ransomware attack that has hit part of your infrastructure, where we observe how you detect, contain and respond. We then escalate the simulated attack to other parts of your infrastructure to study how you respond at greater severity. Next, the ransomware might hit one of the critical IT suppliers that supports one of your IBSs: you then see how they respond, and how that affects your business, your client delivery and the clients themselves, which in turn helps strengthen your cyber resilience.
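The following Python is an added illustration of steps 2 to 4 in miniature; it is not code from fscom, the FCA or the original article. It models a firm's mapping as a dependency graph running from IBSs through internal components and third parties down to the third parties' own suppliers, walks that graph to show which IBSs a disruption at any depth reaches (the "how far down the supply chain" question), and then runs the same disruption at increasing severity to report the first duration at which each IBS would breach its impact tolerance. The service names, the graph and the tolerance figures are constructed sample data, not a real firm's mapping.

```python
"""Dependency mapping and scenario testing for important business services (IBSs).

Added illustration, not code from fscom or the FCA. All names, graph edges and
tolerance figures below are constructed sample data standing in for a firm's own
mapping document.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Directed graph: each node maps to the set of nodes it directly depends on.
# IBSs sit at the top; below them are internal components (people, processes,
# technology) and third parties, which in turn have their own suppliers.
DEPENDENCIES: Dict[str, Set[str]] = {
    # important business services (constructed)
    "instant_payments": {"payments_api", "ops_team", "baas_provider"},
    "account_access": {"payments_api", "baas_provider"},
    "customer_onboarding": {"kyc_vendor", "ops_team"},
    # internal components
    "payments_api": {"cloud_hosting"},
    "ops_team": set(),
    # third parties (depth 1) and their own suppliers (depth 2, 3, ...)
    "baas_provider": {"payment_processor", "cloud_hosting"},
    "kyc_vendor": set(),
    "cloud_hosting": set(),
    "payment_processor": {"acquirer_gateway"},
    "acquirer_gateway": set(),
}

IBSS: List[str] = ["instant_payments", "account_access", "customer_onboarding"]


@dataclass(frozen=True)
class ImpactTolerance:
    """Maximum tolerable disruption for one IBS, on more than one impact metric."""
    max_outage_minutes: int
    max_customers_affected: int


# Hypothetical tolerances; the point is that they differ per IBS.
TOLERANCES: Dict[str, ImpactTolerance] = {
    "instant_payments": ImpactTolerance(120, 5_000),
    "account_access": ImpactTolerance(240, 20_000),
    "customer_onboarding": ImpactTolerance(1_440, 50_000),
}


@dataclass(frozen=True)
class Scenario:
    """A severe but plausible disruption: what fails, for how long, hitting how many customers."""
    failed_node: str
    outage_minutes: int
    customers_affected: int


def transitive_dependencies(graph: Dict[str, Set[str]], node: str) -> Dict[str, int]:
    """Breadth-first walk down the supply chain from `node`.

    Returns every node it depends on, directly or indirectly, with the shortest
    depth at which it appears (1 = direct dependency, 2 = a supplier's supplier, ...).
    """
    depth: Dict[str, int] = {}
    queue = deque([(node, 0)])
    while queue:
        current, d = queue.popleft()
        for dep in graph.get(current, set()):
            if dep not in depth:  # shortest depth wins; also terminates on cycles
                depth[dep] = d + 1
                queue.append((dep, d + 1))
    return depth


def impacted_services(graph: Dict[str, Set[str]], ibss: List[str], failed_node: str) -> Dict[str, int]:
    """Which IBSs a failure of `failed_node` reaches, and how many layers down the chain it sits."""
    impacted: Dict[str, int] = {}
    for ibs in ibss:
        deps = transitive_dependencies(graph, ibs)
        if failed_node in deps:
            impacted[ibs] = deps[failed_node]
    return impacted


def run_scenario(graph, ibss, tolerances: Dict[str, ImpactTolerance], scenario: Scenario) -> Dict[str, List[str]]:
    """For each IBS the scenario reaches, list the tolerance metrics it breaches (empty = within tolerance)."""
    results: Dict[str, List[str]] = {}
    for ibs in impacted_services(graph, ibss, scenario.failed_node):
        tol = tolerances[ibs]
        breached = []
        if scenario.outage_minutes > tol.max_outage_minutes:
            breached.append("outage_minutes")
        if scenario.customers_affected > tol.max_customers_affected:
            breached.append("customers_affected")
        results[ibs] = breached
    return results


def breaking_point(graph, ibss, tolerances, failed_node: str, durations: List[int],
                   customers_affected: int = 0) -> Dict[str, Optional[int]]:
    """Escalate one disruption through increasing durations; per impacted IBS, return the
    first duration that breaches its outage tolerance (None = not within the tested ladder)."""
    first_breach: Dict[str, Optional[int]] = {ibs: None for ibs in impacted_services(graph, ibss, failed_node)}
    for minutes in sorted(durations):
        scenario = Scenario(failed_node, minutes, customers_affected)
        for ibs, breached in run_scenario(graph, ibss, tolerances, scenario).items():
            if "outage_minutes" in breached and first_breach[ibs] is None:
                first_breach[ibs] = minutes
    return first_breach


if __name__ == "__main__":
    # A fourth-party outage three layers down still reaches two IBSs.
    print(impacted_services(DEPENDENCIES, IBSS, "acquirer_gateway"))
    print(run_scenario(DEPENDENCIES, IBSS, TOLERANCES, Scenario("acquirer_gateway", 180, 8_000)))
    print(breaking_point(DEPENDENCIES, IBSS, TOLERANCES, "acquirer_gateway", [30, 60, 120, 240, 480]))
```

The depth returned for each impacted IBS answers the "how far down do we need to go" question directly: an outage at the acquirer gateway, which the firm has no contract with, still reaches two IBSs via the BaaS provider and its payment processor. Running the escalation ladder per node, rather than a single scenario, is what turns the exercise from a desktop check into a search for the point at which tolerance is actually breached.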

 

5. Identify vulnerabilities and assess risk

Only rigorous testing will allow you to see your vulnerabilities to assess risks and identify the investments needed. For example, you may need to rework various processes, hire more resources in certain departments or change critical third-party suppliers.

Consider your vulnerability assessments as continuous gauging, learning and maturity improvement. This part of the assessment includes evaluating how to return your IBS to normal as quickly as possible following a disruption.

fscom will analyse where you’re most vulnerable during a disruption and assess risk. Our vulnerability analysis and scenario testing will help you form your lessons learned in the self-assessment documentation and framework.

 

6. Prioritise and remediate any gaps, risks and vulnerabilities

Once you’ve gone through your gap analysis, mapping, vulnerability testing, and your lessons learned, you need to remediate any shortcoming in your documentation or even refresh your business continuity plans based on your findings. This will require getting your board to agree to investments critical to fixing any gaps or vulnerabilities.

fscom can support your remediation efforts. For example, we can help achieve buy-in during senior board member discussions to increase the investments necessary to reach operational resilience and help you document it properly with a secure plan for closure.

 

7. Establish annual self-assessment review, testing, planning and board-approval cycles to ensure operational resilience as you scale your business

Operational resilience is not a one-off exercise. It needs to become part of your annual review, refresh and sign-off cycle for you to stay compliant with the FCA requirements and ensure continued delivery to consumers.

To stay operationally resilient as you grow and adapt to new market trends, you need to embed operational resilience in your business DNA.

Let’s say that after your self-assessment in March 2025, you launch a new service at the end of the same year. How are you going to ensure this new feature will be operationally resilient? And how will it affect the resilience of your current services? The answers to these questions will help you understand how to effectively review, test, and fix vulnerabilities as you develop your business.

With fscom, you’ll get our outlined reviews and testing frameworks you can apply to ensure any new processes and infrastructure you’ve implemented can meet the FCA operational resilience requirements. Our bespoke support means you’ll know how to embed operational resilience in new product development, your risk management framework, IT plans and more so you can help mitigate the effects of disruptions and ensure financial stability even as you scale or pivot your business.

You’ll also want to mature your operational resilience framework so it’s ingrained in your processes. To ensure operational resilience year over year, during business expansion (whether that’s launching new services or crossing borders) or as market trends and technology evolve, you need to have operational resilience become an organic part of your change management, without having to think about it too much.

Even though we can help you establish annual reviews and testing, we know from experience that not every firm will carry through on them. A year from now you may panic, realising you’ve failed to make good on continuous reviewing and testing.

With fscom, you’ll receive a framework to follow so you can include operational resilience as you grow and evolve. This means, whether you’re onboarding a new supplier or adding new infrastructure, you’ll have steps in place to mature your approach. This framework helps you make operational resilience part of existing processes to ensure minimal disruption to your clients and your client delivery.

Why choose fscom for your FCA operational resilience implementation

At fscom, we help firms in the financial sector operating in the UK, Ireland or both understand their business’ operational resilience and whether it adheres to the FCA’s requirements. We do a deep dive to identify all the inputs to your business and what actually helps you deliver your products and services. We then document our analysis and make sure you know how to provide and test for ongoing operational resilience.

Since we can act as both consultants and executors, we can help at any stage, whether you:

  • Are starting from scratch and need an end-to-end service
  • Have already completed your self assessment and require an analysis of your work
  • Have questions or doubts and need some expert guidance

 

This means we can analyse the existing documentation you’ve already produced and compare it against our understanding of the regulations. You’ll get a thorough analysis around each part of the regulation — for example, we’ll study how your IT documentation matches up to the new requirements.

You can also count on us to do a gap analysis to identify areas that:

  • Are already resilient
  • Still need work
  • Have been overlooked

 

After our analysis, you’ll receive an assurance and remediation priority plan, which helps you focus on the aspects to fix before beginning your implementation.

With our assurance and gap analysis, you’ll have everything you need to ensure all your documentation meets the FCA’s operational resilience requirements.

 

5 benefits of implementing operational resilience with fscom

Here are five key benefits of working with fscom to implement operational resilience:

  • Expertise and experience. fscom consists of experts with deep knowledge on operational resilience and FCA requirements. Some of our team members have first-hand experience within the FCA. This means we’re better equipped to understand the FCA’s policies and requirements and help you get the right guidance to implement your operational resilience properly.
  • Speed. You’ll get an honest and full appraisal of what your firm does well and areas to improve your operational resilience framework in a time-efficient manner (and in time for the FCA deadline). For example, we can provide the steps needed to fix gaps and vulnerabilities quickly. We can also perform scenario testing in a few days to gauge impact tolerance and create a remediation plan.
  • Reliable direction. We offer guidance to help you ingrain operational resilience in your systems. For example, we set up and facilitate workshops to ensure quick knowledge transfer and can help you embed operational resilience in your existing processes for ongoing testing and implementation.
  • Proven results. We’ve helped many firms in different sectors, from payment services and digital assets to capital management, to achieve operational resilience.
  • Operational resilience maturity. We know from experience that not every firm will carry through their annual reviews and assessments or during change management. We’ll create a bespoke framework you can follow to embed operational resilience as you grow and have steps in place to mature your approach, all without having to think about it too much.
 

Discover how we can help you kick start your self-assessment. Get in touch with us today.

 

How we helped a global startup implement operational resilience

A global startup came to us to ensure they could get their operational resilience right before they expanded their services in the UK. As an authorised payment institution, their main business service enables international expats to send and receive money instantaneously via a bank account of their choice anywhere in the world.

As a new company unfamiliar with the requirements, they chose to go through our entire process to better understand how a disruption could impact their clients.

The mapping process proved challenging because, as a payments company, the startup relied heavily on third-party technology. This meant a disruption would affect the firm’s ability to transfer funds and the speed of those transfers, which would impact their reputation and primary business model.

We then did three days of disruption simulation that led to an identification of vulnerabilities in their existing incident response plan. We studied how they responded to disruptions and how they communicated them.

Through our analysis and testing, we came up with the lessons learned and tailored a remediation plan for them. We then assisted them with completing the self-assessment document. This included documenting:

  • Who was going to own it
  • Who was going to govern it
  • Who was going to communicate disruptions
  • The plan for remediation and the right metrics to measure
 

Our guidance meant they could continue to expand their business across borders because they have embedded operational resilience into their systems and processes.

With our end-to-end support, this startup went on to expand their business in the UK. What’s more, we’ll continue supporting them with a yearly review cycle to ensure they’re following their remediation plan and maturing their operational resilience processes into an annual cycle.

Implement operational resilience (and meet the FCA deadline) with fscom

Your company’s success and business survival depend on operational resilience, so you should not treat the FCA requirements as an add-on.

Don’t let the lack of time, internal expertise or competing priorities hold you back from meeting the March deadline. Let fscom do the heavy lifting for you, fill your knowledge gaps and clear your doubts. We’ll provide you with the skills, tools and framework you need to meet and exceed the FCA requirements in record time.

Learn how we can help you achieve operational resilience no matter what stage of the self assessment you’re in. Get in touch today.

This post contains a general summary of advice and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.
