As firms across the financial services sector shift from implementation into BAU, operational resilience is now firmly in the regulatory spotlight. With the FCA and PRA’s 31 March 2025 implementation deadline behind us, the focus turns to how firms will embed resilience into their day-to-day operations and governance.
In this blog, Victoria Ng, Operational Resilience Specialist and Associate Director in fscom’s Capital Markets team, addresses the key question now facing firms:
What do UK financial institutions need to do to demonstrate and sustain operational resilience post-deadline, and how can they turn compliance into a strategic advantage?
The evolution of operational resilience in UK regulation
The UK’s regulatory journey on operational resilience started with growing concern from the Bank of England, FCA and PRA over the systemic impact of major operational disruptions. A number of high-profile IT failures and cyber incidents in the late 2010s underscored how critical service continuity is – for both consumers and market stability.
Regulators responded by introducing a formal operational resilience framework in March 2021, requiring firms to identify their most important business services (IBS), set impact tolerances, and plan for severe but plausible disruption scenarios.
Firms were given until March 2025 to complete implementation and demonstrate they could remain within their impact tolerances. This marked a shift from theory to practice, moving operational resilience from a back-office function to a front-line strategic imperative.
Where firms are now: from plans to proof
Most firms have completed the foundational work by now: identifying IBS, setting tolerances, mapping dependencies and running initial scenario testing.
Now that the implementation deadline has passed, regulators will be looking for evidence of the effectiveness of resilience frameworks, not just completion. They will ask:
- Are impact tolerances meaningful and achievable?
- Do scenario tests reflect real-world conditions?
- How are lessons learned being fed back into the framework?
Firms should also be prepared to demonstrate how resilience is governed at board and senior management level, with clear reporting lines and accountability.
What good looks like: key components of a mature framework
Firms aiming for maturity in their operational resilience programmes should focus on the following:
- Governance and oversight: Resilience should be owned at the top, integrated into existing risk governance structures.
- Scenario testing: Use a range of severe and plausible scenarios to test limits and refine response capabilities.
- Third-party resilience: Ensure key suppliers can meet your IBS tolerances. This may include contractual changes and joint testing.
- Incident response and communication: Have a tested and up-to-date plan for timely, coordinated action during disruption.
- Continuous improvement: Resilience should evolve alongside your business and the threat landscape.
The goal is not to avoid all disruption, but to ensure continuity of important services during and after disruptive events while minimising harm to stakeholders.
What’s next: post-deadline priorities
With the implementation deadline now passed, regulators expect firms to:
- Revisit and adjust impact tolerances and continuity plans in light of testing results and lessons learned from real incidents.
- Expand scenario testing to include complex or sector-wide events.
- Enhance oversight of third-party providers, especially those supporting critical services.
- Embed resilience into change management, so new products and services meet the same standards.
2025 marks the beginning of ongoing supervisory engagement on operational resilience. Firms should expect thematic reviews, skilled person reviews, and increased scrutiny in regulatory interactions.
The bigger picture: resilience as strategic advantage
Operational resilience is no longer just about regulatory compliance. As financial services become more digital, more interconnected, and more reliant on third parties, resilience is fast becoming a differentiator.
Well-prepared firms are already treating resilience as a strategic enabler:
- Building customer trust through reliability and transparency
- Strengthening board-level risk oversight
- Aligning resilience with business continuity, cyber security, and change management.
Firms that embed resilience into their business models will not only meet regulatory expectations, they will also gain competitive advantage.
Looking ahead
Regulatory focus on resilience is not going away. Instead, it is becoming more nuanced, extending into areas like third-party risk, comprehensive end-to-end testing, and operational risk capital.
Looking ahead, firms should expect:
- Greater alignment between resilience and other regulatory frameworks (e.g. DORA, SMCR, Consumer Duty)
- Increased scrutiny of outsourced technology providers
- More demanding expectations around testing and assurance.
The firms that succeed will be those that treat resilience not as a compliance obligation, but as a long-term investment in operational integrity.
If you would like to benchmark your framework, explore best practice, or understand the expectations ahead, please reach out to Victoria Ng or your usual fscom advisor.
This post contains a general summary of regulatory developments and is not a complete or definitive statement of the law. Specific advice should be obtained where appropriate.