FCA Operational Resilience Insights from Firm Self-Assessments
Summary
The FCA has published insights from firms' self-assessments on operational resilience, almost a year after the transition period ended on 31 March 2025. The document highlights areas of good practice and areas needing improvement, and encourages firms to use the observations to review and evolve their resilience approach.
What changed
The Financial Conduct Authority (FCA) has released observations and insights derived from firms' annual operational resilience self-assessments, approximately one year after the March 31, 2025, deadline for completing mapping and testing to remain within impact tolerances for important business services. The publication identifies both exemplary practices and areas requiring further enhancement in firms' operational resilience strategies.
Firms are advised to use these observations to review and improve their own operational resilience frameworks, even those not directly in scope of the specific rules. The FCA is engaging directly with affected firms on these findings, emphasizing the ongoing importance of robust operational resilience in light of recent disruptions. The document implicitly encourages proactive measures to ensure continued compliance with FCA operational resilience rules.
What to do next
- Review the firm's operational resilience approach against the FCA's observations
- Ensure continued compliance with the FCA's operational resilience rules (SYSC 15A)
Source document (simplified)
Operational resilience: insights and observations one year on
Make sure your firm is continuing to comply with our operational resilience rules. Use our observations from firms’ self-assessments to help review and evolve your firm’s approach to being resilient.
Introduction
We’re now almost a year on from the end of the operational resilience transition period on 31 March 2025. By that date, firms were required to have completed mapping and testing so they can remain within impact tolerances for each important business service.
We reviewed firms’ annual operational resilience self-assessments and have set out our observations and insights on how firms are continuing to strengthen their operational resilience under our rules and guidance since the transition period ended.
We’ve seen examples of good practice as well as areas where further improvement is needed, and we’re engaging directly with firms in scope of our rules on these findings. However, there is information here that all firms could benefit from considering, even those not in scope of these rules.
Who this applies to
The rules currently apply to:
- banks
- building societies
- designated investment firms
- enhanced scope SMCR firms
- Solvency II firms
- UK recognised investment exchanges
- electronic money institutions
- payment institutions
- registered account information service providers
- consolidated tape providers (collectively referred to as ‘firms’).
Why we’re sharing this
Firms’ operational resilience is their ability to avoid intolerable harm to consumers and threats to market integrity when their services are disrupted. Firms need to reflect on how these harms could come about, based on their business model – including the services they provide, the types of customers they have, and their place within the markets they operate in. They then need to ensure that those services can continue or recover from a disruption before these harms are caused.
Overall status
By 31 March 2025, firms had done a significant amount of work to strengthen their operational resilience and gain assurance that in the event of a severe but plausible disruption, they could recover important business services within impact tolerances.
We have seen strong engagement and good progress across all areas of the operational resilience requirements.
Operational disruptions in 2025 emphasise the importance of resilience
Recent high-profile incidents and outages have reinforced the need for strong resilience and its role in maintaining trust and stability in the sector.
This has included outages among cloud service providers such as Amazon Web Services, Microsoft Azure and Cloudflare – as well as high-profile cyber-attacks in other sectors, such as on Jaguar, M&S, and the Co-op.
While these examples are severe, they are plausible scenarios firms should be considering in their testing.
We understand that preparing to comply with our operational resilience rules compelled many firms to rethink their own resilience and risks, driving them to innovate and adopt new practices.
Operational resilience has become a central part of many firms’ risk frameworks and planning, leading firms to test more rigorously the resilience and vulnerabilities of their third-party providers and supply chain. In some cases, firms have done so jointly with their third parties.
Firms have invested in data vaulting, immutable back-ups, standby data centres, and new processing centres to help ensure that they can recover important business services within impact tolerances and maintain critical operations following disruptions caused by cyber attacks.
Operational resilience and boards’ decision-making
Boards play an important role in strengthening firms’ operational resilience.
The self-assessment gives them the information they need to understand their firm’s approach, who’s responsible for it, and the organisation’s ability to recover important business services within impact tolerance.
Firms need not include every piece of evidence in the self-assessment document, provided the information they do include is clear enough for the board to understand it and to decide what to prioritise and invest in to build and maintain operational resilience.
We recognise that many firms would find it a complex challenge to remain within impact tolerance for some scenarios, particularly in the event of a severe cyber attack or significant outage at a third-party provider.
We encourage firms to continue to address this by remediating individual firm-specific vulnerabilities and working collaboratively with industry groups. We published examples of effective practice we have observed in these areas with the PRA and Bank of England in 2025.
We are also focusing on addressing gaps within individual firms, specifically where firms need to strengthen and embed operational resilience to avoid causing intolerable harm to consumers and threats to market integrity.
Our findings
Below we’ve set out examples of good practice and areas for firms to improve, based on some firms’ most recent operational resilience self‑assessments.
1. Important business services and impact tolerances
Firms must identify their important business services, set impact tolerances for each of them, and regularly review both.
Everyone involved in defining, delivering, and reviewing important business services and impact tolerances should have the same clear and consistent understanding of what each service comprises. They should also understand how it might cause intolerable harm to consumers and/or threaten market integrity.
This shared understanding improves the organisation’s communication and decision-making. Firms should determine the point at which disruption would cause harm to consumers or threaten market integrity so they can respond effectively in the event of a disruption.
Good practice we’ve observed
- Clear, strong methodologies and rationale for defining important business services and setting impact tolerances. These include assumptions, harm thresholds, and the increased use of quantitative non-time-based metrics when setting impact tolerances (e.g. transaction volumes, financial thresholds) alongside time-based measures, informed by real-world incidents.
- Documented review cycles, with firms reassessing important business services and impact tolerances each year or following material changes to the business.
- Scenario testing and real-world incidents informing impact tolerance calibration so firms can better assess the validity of each one.
Areas for improvement
- Not establishing distinct impact tolerances for market integrity and consumer harm. Firms should be able to identify when harm would occur to consumers and when it would impact the market.
2. Mapping resources
Firms must identify and document the people, processes, technology, facilities, and information needed for delivering each of their important business services. This includes any relationships with third parties which could threaten their ability to remain within impact tolerance.
Without comprehensive mapping, firms cannot accurately assess vulnerabilities or design effective testing scenarios. Providing details on methodology and a summary of mapping in the self-assessment gives the board confidence that mapping has been carried out effectively. This information should be clear and detailed enough for board members to understand and challenge the firm’s approach.
Good practice we’ve observed
- Firms have taken on regulatory feedback and matured their approaches to mapping – they’re now more detailed and clearer:
- Self-assessments include explanations of the methodologies firms have used. This assures boards that the processes and resources supporting the delivery of each important business service are documented, with multiple data sources used to ensure accuracy and comprehensive coverage.
- Third-party dependencies have been assessed sufficiently to mitigate external risks.
- Firms are using mapping outputs to help identify vulnerabilities and guide resilience testing.
- Self-assessments detail planned enhancements, showing awareness of process gaps, supporting continuous improvement.
- Clear ownership and accountability of mapping data reduce the risk of outdated or inaccurate information, which could compromise resilience planning.
- Firms are reviewing the concentration of staff in single locations, reducing operational risk by diversifying where key staff are based.
Areas for improvement
- Mapping has been largely focused on technology used to support the delivery of important business services. However, firms should make sure they also include factors such as facilities, people, processes, information, and third-party resilience or testing outcomes.
- There is more work to do on identifying, assessing and remediating third party vulnerabilities.
3. Scenario testing
Firms must develop and maintain testing plans that show they can remain within impact tolerances for each important business service through severe but plausible disruptions. They must test scenarios that vary in nature, severity, and duration, and are aligned to the firm’s risks and vulnerabilities.
Good practice we’ve observed
- Firms have been expanding scenario testing to include a broader range of cyber threats and alternate scenarios than those tested in the previous year. They have considered alternative ways to recover from cyber attacks, third-party failures, and other operational outages, making sure they’re prepared for emerging risks.
- Scenarios include events which would breach impact tolerances if not recovered, with mitigation plans documented along with explanations of longer-term plans to remediate vulnerabilities and enhance resilience.
- Testing plans in the self-assessments are clear, concise, and tailored for board-level review, enabling informed investment decisions. Testing outcomes are integrated into remediation planning and governance reporting, showing the link between testing and resilience improvements.
- Clear documentation of the methodology, assumptions and rationale behind scenario selection, recovery times, workarounds and the important business services affected enables boards to understand the firm’s true resilience position and challenge assumptions effectively. It also promotes transparency and confidence in governance decisions.
- Self-assessments include confidence ratings in testing output, to help understand how mature resilience approaches and options are.
Areas for improvement
- Some firms state in self-assessments that there’s no scenario that they wouldn’t be able to recover from, but don’t include evidence of having tested this using sufficiently severe scenarios. This means that there is not enough information to give boards the assurance that they need.
4. Vulnerability management
Firms’ mapping and scenario testing should identify vulnerabilities that could prevent them from remaining within impact tolerance during a disruption. The self-assessment should include enough detail for the board to make informed decisions about where firms prioritise making improvements to ensure that they can remediate these vulnerabilities.
Good practice we’ve observed
- Self-assessments explain the vulnerability management process and acknowledge any gaps and remediation underway.
- Self-assessments clearly explain how vulnerabilities are identified through mapping and testing, which important business services they affect, and how firms intend to remediate any outstanding issues.
- Remediation activities are tracked and closed, with ongoing monitoring, testing and mapping feeding into the vulnerability management process.
- Clear frameworks and ownership reduce the risk of delays or incomplete remediation, strengthening accountability and governance.
Areas for improvement
- Some self-assessments do not include details on the framework or end-to-end process for vulnerability identification and remediation, including how this is informed by second and third lines.
- When firms report few or no outstanding vulnerabilities, and there is a lack of information or evidence on mapping, testing, and vulnerability management in their self-assessments, it makes it difficult to check whether they’ve identified vulnerabilities properly.
5. Communications plans and strategy
Firms must maintain an internal and external communications strategy that delivers clear, timely and relevant messaging during operational disruptions.
Firms should have clear, tested plans so teams know what to do when important business services are disrupted, including when usual communication channels aren’t available. Not having such a plan can worsen the impact of operational disruption, cause uncertainty and increase the risk of misinformation and disinformation during and after the incident. This can threaten confidence in our markets.
Good practice we’ve observed
- The more mature firms demonstrated a strong focus on how communications can reduce harm during incidents.
- Communications strategies have matured and been tested, with evidence of additional work to further evolve playbooks and track recommendations for improvement.
- External communications are embedded within frameworks, strategies, playbooks, scenario testing, and business continuity plans. Firms are considering both internal and external audiences in their communications strategies, focusing on roles, responsibilities and triage processes. They clearly define core elements of the communications strategy, such as thresholds, escalation points, and activation protocols.
- During live incidents, firms have learned whether their communications strategies are effective and incorporated lessons from post-incident reviews into their resilience planning.
Areas for improvement
- Limited evidence that communications strategies are tested as part of scenario exercises, or that firms have plans to mitigate the loss of their usual communication channels.
- Not considering in detail the alternatives or workarounds when their usual communication channels are unavailable during disruption.
6. Governance
Boards must review and approve the self-assessment documentation. Board and senior-level accountability and responsibility help embed operational resilience into strategy and risk frameworks. Strong governance makes decision-making clear and aligned with regulatory expectations. This protects consumers and markets even during the most severe disruptions.
Transparency in the self-assessment process enables boards to understand how firms have approached defining and mapping their important business services, setting impact tolerances, managing interdependencies, remediating vulnerabilities, and overseeing scenario testing. It gives them enough information to challenge and oversee remediation plans, making resilience a business priority. This transparency means firms can demonstrate resilience and provides clear reporting and evidence for regulators as well as boards.
Good practice we’ve observed
- Clear, structured governance frameworks with defined reporting channels, supported by board-level oversight, Senior Management accountability, and second/third line involvement.
- Operational resilience is embedded in business-as-usual processes, with regular reviews and lessons learned exercises based on scenario testing and live incident information.
- Governance committees and boards provide effective challenge.
- Dashboards are used to make key metrics and progress more visible.
Areas for improvement
- Unclear board engagement, approval processes, and document review trails.
- Unclear responsibility for monitoring remediation or other action plans. Some firms lack recorded remediation actions, owners, or target completion dates.
- Uncertainty about board/senior manager understanding of operational resilience responsibilities and commitment to action/investment.
- Little or no evidence of input from second or third line of defence in self-assessment.
Conclusion
Operational resilience is not static. The external environment continues to evolve and scenarios that seemed implausible in the past may now be more likely. This underscores the importance of firms taking a dynamic approach including regularly reviewing operational resilience measures.
Investing in operational resilience helps drive long-term growth. Firms that prioritise resilience are better positioned to innovate, attract customers, and support market confidence.
Many firms demonstrate maturity in governance, but all firms should continue to focus on board engagement, robust frameworks, and evidence-based self-assessment for sector-wide improvement.
Firms must assess their ability to remain within impact tolerance annually but should also consider how well they’re prepared for – and the impact of – disruptions in the markets they operate in and those further afield. This is key to maintaining resilience in a changing landscape.
Firms need to continue to move beyond compliance and embed operational resilience into how they design products and services and, more broadly, how they conduct business.
They should treat resilience as a core business capability, integrated into strategic planning, product development, and customer engagement, rather than as a standalone exercise.
This will help them not only meet regulatory expectations but also strengthen trust, protect consumers, and safeguard market integrity in the face of future disruptions.
Glossary
| Term | Definition |
| --- | --- |
| Operational resilience rules and guidance | These are contained in SYSC 15A of the FCA Handbook. |
| Board / Governing body | The rules refer to ‘the governing body’ which is defined as ‘the board of directors, committee of management or other governing body of a firm or recognised body, including, in relation to a sole trader, the sole trader.’ We refer to this as ‘the board’ and ‘board members’ in this publication; if your firm does not have a board of directors, please take this to mean the relevant governing body. |
| Impact tolerance | The maximum tolerable level of disruption to an important business service, as measured by a length of time in addition to any other relevant metrics, reflecting the point at which any further disruption to the important business service could cause intolerable harm to any one or more of the firm’s clients or pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets. |
| Important business service | A service provided by a firm, or by another person on behalf of the firm, to one or more clients of the firm which, if disrupted, could: (a) cause intolerable levels of harm to any one or more of the firm’s clients; or (b) pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets. |