UK FCA Findings From Multi-Firm Review On Operational Resilience

JD Supra Finance & Banking
Published April 7th, 2026
Detected April 7th, 2026

Summary

The UK Financial Conduct Authority (FCA) published findings from a multi-firm review of operational resilience self-assessments following the transition period ending March 31, 2025. The FCA highlights good and poor practices across six categories: important business services and impact tolerance, mapping resources, scenario testing, vulnerability management, communications plans, and governance. Firms are encouraged to use these observations to review and evolve their operational resilience approaches.

What changed

The FCA published a webpage categorizing observations from firms' annual operational resilience self-assessments under six headings. Good practice was noted in methodologies for defining important business services and diversifying staff locations, while poor practice included inadequate third-party vulnerability mapping and insufficiently severe scenario testing. The FCA expects firms to maintain tested communications strategies and ensure strong board oversight with clear accountability.

Financial services firms subject to FCA operational resilience rules should review these observations to identify gaps in their self-assessments. Firms should ensure comprehensive mapping of people, processes, technology, facilities, information, and third-party dependencies, and should be able to demonstrate to boards that sufficiently severe scenarios have been tested. Self-assessments should include clear frameworks for vulnerability identification and remediation.

What to do next

  1. Review FCA good and poor practice observations for operational resilience
  2. Assess current self-assessment processes against FCA findings
  3. Address gaps in mapping, scenario testing, or vulnerability management

Source document (simplified)

April 7, 2026

UK FCA Findings From Multi-Firm Review On Operational Resilience

The UK Financial Conduct Authority (FCA) has published a new webpage highlighting good and poor practice observed in firms' annual operational resilience self‑assessments following the end of the transition period on 31 March 2025, relating to the application of the FCA's rules. The FCA encourages firms to use these observations to help review and evolve their approaches.

The FCA's findings are categorised under six headings:

  • Important business services and impact tolerance: While good practice was observed in relation to methodologies and rationale for defining important business services and setting impact tolerances, documenting review cycles, and scenario testing to inform impact tolerance calibration, the FCA would like to see firms able to identify when harm would occur to consumers and when it would impact the market.
  • Mapping resources: Firms have matured their approaches to mapping. Good practice includes clear ownership and accountability of mapping data and diversifying where key staff are based. The FCA emphasises the need for comprehensive mapping of people, processes, technology, facilities, information and third party dependencies, noting that firms often focus too narrowly on technology and insufficiently address third party vulnerabilities.
  • Scenario testing: While firms have been expanding scenario testing and integrating outcomes into remediation planning and governance reporting, the FCA has observed some firms stating that there is no scenario from which they would be unable to recover, without including evidence of having tested this using sufficiently severe scenarios. The FCA is concerned that this means there is not enough information to give boards the assurance that they need.
  • Vulnerability management: The FCA notes that some self-assessments do not include details on the framework or end-to-end process for vulnerability identification and remediation. Equally, the FCA has observed that some firms report few or no outstanding vulnerabilities while their self-assessments lack information or evidence on mapping, testing, and vulnerability management, which makes it difficult to check whether they have identified vulnerabilities properly.
  • Communications plans and strategy: Firms are expected to maintain tested internal and external communications strategies capable of operating during disruption, including contingencies for the loss of usual communication channels.
  • Governance: Strong board oversight remains central, with boards expected to approve self-assessments, understand their resilience responsibilities and ensure clear accountability, audit trails and senior oversight for remediation.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
Attorney Advertising.

© A&O Shearman 2026

Written by: A&O Shearman

Classification

Agency: A&O Shearman
Published: April 7th, 2026
Instrument: Notice
Legal weight: Non-binding
Stage: Final
Change scope: Minor

Who this affects

Applies to: Banks, Insurers, Financial advisers
Industry sector: 5221 Commercial Banking
Activity scope: Operational resilience assessment, Self-assessment review, Risk management governance
Geographic scope: United Kingdom (GB)

Taxonomy

Primary area: Financial Services
Operational domain: Compliance
Topics: Banking, Insurance, Securities
