Introduction: The UK Operational Resilience Regime
The UK operational resilience regime is a supervisory framework jointly designed by the Financial Conduct Authority (FCA), the Prudential Regulation Authority (PRA) and the Bank of England to ensure that firms and financial market infrastructures can prevent, adapt, respond to, recover from and learn from operational disruptions. Rather than prescribing a fixed catalogue of technical controls, the regime is outcomes-focused: it asks a firm to identify the services that matter most to its clients and to the wider UK financial system, to set the maximum level of disruption it is prepared to tolerate for each of those services, and then to prove — through testing, mapping and self-assessment — that it can remain within those limits even under severe but plausible scenarios.
The regime was published in the FCA Policy Statement PS21/3 and the corresponding PRA Policy Statement PS6/21 in March 2021, taking effect on 31 March 2022. Firms were then given a transitional period ending on 31 March 2025 to become able to remain within their impact tolerances for each important business service. This makes operational resilience one of the most significant supervisory expectations in the UK financial sector, sitting alongside — and complementing — outsourcing and third-party risk rules (SS2/21), the operational risk framework, and the Senior Managers and Certification Regime (SM&CR).
This deep-dive is written for two audiences at once: the auditor or assessor who must independently verify a firm's compliance, and the CISO, Head of Operational Resilience or Chief Operating Officer who must build and evidence the programme. It sets out what the regime is, who it applies to, its structural pillars, an exhaustive master assessment checklist, the scoping and impact-tolerance methodology, a phased implementation approach, a maturity model, the audit method, an evidence request list, roles and responsibilities, metrics, common gaps, and how the regime maps to adjacent frameworks such as DORA, the Basel Principles for Operational Resilience, ISO 22301 and NIST.
What is the UK FCA Operational Resilience Regime?
Operational resilience is defined by the UK regulators as the ability of firms, financial market infrastructures (FMIs) and the sector as a whole to prevent, adapt to, respond to, recover from and learn from operational disruptions. The central regulatory shift is from a firm-centric, risk-appetite view ('how much operational risk are we willing to run?') to a customer- and market-centric, harm-based view ('how much disruption to the services that matter can our clients and the financial system actually withstand?'). The regime assumes that disruptions will happen; the regulatory question is not whether a firm can avoid all incidents but whether it can stay within defined limits of harm when they occur.
The regime is codified for FCA-solo-regulated firms in the FCA Handbook chapter SYSC 15A ('Operational resilience'), supported by Policy Statement PS21/3 and Finalised Guidance. For dual-regulated firms (banks, building societies, PRA-designated investment firms and insurers) it is codified in the Operational Resilience Part of the PRA Rulebook, supported by PS6/21 and Supervisory Statement SS1/21 ('Operational resilience: Impact tolerances for important business services'). The Bank of England applies equivalent expectations to FMIs (recognised payment systems, central securities depositories and central counterparties).
Four defined terms carry the entire regime. An 'important business service' (IBS) is a service provided by a firm to an external end user or participant that, if disrupted, could cause intolerable harm to clients or pose a risk to the soundness, stability or resilience of the UK financial system, or to the orderly operation of financial markets. An 'impact tolerance' is the maximum tolerable level of disruption to an IBS, expressed by reference to a specific time metric and, where relevant, other measures such as the number of customers or volume of transactions affected. 'Mapping' is the exercise of identifying and documenting the people, processes, technology, facilities and information (including third parties) that support each IBS. A 'severe but plausible scenario' is a hypothetical disruption event, more extreme than a firm's day-to-day incidents yet realistic enough that it could genuinely occur, used to test whether the firm can stay within its impact tolerances.
Crucially, an impact tolerance is not the same as a recovery time objective (RTO). An RTO is an internal, firm-centric target for how quickly IT wishes to restore a system; an impact tolerance is an outward-facing regulatory ceiling on harm to clients and markets, set at board level, that the firm must not breach. A firm may have many RTOs feeding into a single impact tolerance, and the impact tolerance is deliberately set with the customer's tolerance for harm — not the firm's operational convenience — in mind.
A defining philosophical feature of the regime is the assumption of failure. The regulators explicitly acknowledge that in a complex, interconnected and increasingly digital financial system, operational disruption is inevitable: hardware fails, software contains defects, cyber adversaries are persistent and well-resourced, third parties themselves suffer outages, and human error is unavoidable. Consequently the supervisory posture moves away from an unattainable goal of preventing every incident and towards a realistic goal of limiting the harm that any given incident can cause. This is why the regime is sometimes described as 'harm-limitation' regulation. It compels boards to have an uncomfortable but honest conversation about the maximum disruption their clients and the market could actually absorb, and then to invest so that the firm never crosses that line — even in a bad-day, rather than an average-day, scenario.
The regime is also deliberately technology-neutral and control-agnostic. It does not tell a firm which firewall to deploy, which backup regime to run or which cloud architecture to adopt. Instead it tells the firm to prove — with evidence from realistic testing — that whatever architecture it has chosen keeps important services within tolerance. This gives firms flexibility but raises the assurance bar: a beautifully documented control environment counts for nothing if the firm cannot show, through scenario testing, that services actually stay within tolerance when those controls are stressed or fail.
Finally, operational resilience is a firm-wide, cross-functional discipline rather than an IT or security silo. Delivering it requires the coordinated effort of business service owners, technology and cyber teams, third-party and procurement functions, business continuity, communications, risk and internal audit, all under clear senior-manager accountability. Firms that treat it as a technology programme, or that bolt it onto an existing IT disaster-recovery function, consistently struggle to satisfy supervisors because they miss the end-to-end, client-harm perspective at the heart of the rules.
Who Must Comply: Scope of Applicability
The regime applies to a broad population of UK-authorised firms and infrastructures, though the precise rule source depends on whether a firm is FCA-solo-regulated or dual-regulated. Smaller firms below certain thresholds may benefit from proportionality but are not fully exempt from the underlying operational risk expectations.
| Firm type / entity | Applicable rule source | In scope? |
|---|---|---|
| Banks, building societies and PRA-designated investment firms | PRA Rulebook Operational Resilience Part; SS1/21; PS6/21; also FCA SYSC 15A | Yes (dual-regulated) |
| Insurers and reinsurers (Solvency II firms) | PRA Rulebook Operational Resilience Part; SS1/21 | Yes |
| Enhanced-scope SM&CR firms (larger solo-regulated investment firms) | FCA SYSC 15A; PS21/3 | Yes |
| Recognised Investment Exchanges (RIEs) | FCA SYSC 15A / REC sourcebook expectations | Yes |
| E-money institutions and Authorised Payment Institutions (larger) | FCA SYSC 15A (as applied) | Yes |
| Certain MiFID investment firms and UCITS/AIFM managers | FCA SYSC 15A per PS21/3 scoping | Yes |
| Recognised payment systems, CSDs and CCPs (FMIs) | Bank of England operational resilience expectations | Yes |
| Small, non-enhanced SM&CR firms below thresholds | General SYSC operational risk; proportionality applies | Partial / proportionate |
| Appointed representatives (principals responsible) | Principal firm's SYSC obligations | Indirect |
- Scope is determined by firm classification (enhanced SM&CR, dual-regulated, FMI) rather than by size alone, though thresholds influence which SM&CR tier applies.
- Group structures must consider resilience at both entity and group level; a UK entity cannot outsource away its own accountability to an overseas parent.
- Branches of overseas firms operating in the UK are within scope for the services they provide to UK clients and markets.
- Third parties (including intra-group service companies and cloud providers) are not directly regulated by this regime but are captured indirectly through the firm's mapping, testing and outsourcing obligations (SS2/21 and the FCA equivalent).
Structure of the UK Operational Resilience Regime
The regime is best understood as a lifecycle built around a small number of interlocking obligations. Unlike a control-catalogue standard, it does not have hundreds of numbered controls; instead it has a set of mandatory activities, each of which must be performed, documented, board-approved and reviewed at least annually (or after a material change). The table below sets out the structural pillars and their rule anchors.
| Pillar / obligation | What it requires | Primary rule anchor |
|---|---|---|
| 1. Identify important business services (IBS) | Determine which services, if disrupted, could cause intolerable harm to clients or risk to market stability | SYSC 15A.2 / PRA Op Res 3 |
| 2. Set impact tolerances | Set a maximum tolerable level of disruption for each IBS, expressed as a time metric plus relevant measures | SYSC 15A.2 / PRA Op Res 4; SS1/21 |
| 3. Map the service | Identify and document the people, processes, technology, facilities, information and third parties supporting each IBS | SYSC 15A.3 / PRA Op Res 5 |
| 4. Test the ability to remain within tolerance | Test against a range of severe but plausible scenarios; identify and remediate vulnerabilities | SYSC 15A.4 / PRA Op Res 6; SS1/21 |
| 5. Manage third parties and outsourcing | Ensure resilience of material outsourced and third-party services supporting IBS | SS2/21 (PRA) / FCA outsourcing expectations |
| 6. Respond, recover and communicate | Have incident management, internal and external communication plans to respond to disruption | SYSC 15A.5 / PRA Op Res 7 |
| 7. Self-assessment and governance | Produce a board-approved written self-assessment document; review at least annually and after material change | SYSC 15A.6 / PRA Op Res 8 |
| 8. Lessons learned and continuous improvement | Learn from incidents and testing; feed improvements back into the programme | SYSC 15A.5 / SS1/21 |
Overarching these pillars is the Senior Managers and Certification Regime: a named Senior Management Function (SMF) holder must be accountable for operational resilience under the firm's Statement of Responsibilities. In practice this is frequently the Chief Operating Officer (SMF24) or an equivalent, and the accountability cannot be delegated away even where activities are performed by the CISO, business continuity or technology teams.
Each of these pillars is not a one-off project deliverable but a standing obligation that must be maintained. The rules require the firm to review its identification of IBS, its impact tolerances, its mapping and its self-assessment at least annually and, importantly, whenever there is a material change to the firm's business or the market in which it operates. Material changes include mergers and acquisitions, the launch or withdrawal of products, significant technology migrations (for example a move to a new core banking platform or a lift-and-shift to the cloud), the onboarding of a new critical third party, and organisational restructuring. A firm whose artefacts are eighteen months out of date, or which has completed a major cloud migration without refreshing its maps and tolerances, will fail an assessment on currency grounds alone, however elegant the original documents were.
The pillars are also sequentially dependent: you cannot meaningfully set an impact tolerance without first defining the service; you cannot map without knowing which services to map; you cannot design a credible test without a map that reveals the dependencies and single points of failure to be stressed; and you cannot write an honest self-assessment without test results that show whether tolerances actually hold. Assessors therefore look for a coherent, traceable golden thread running from IBS identification through to remediation and board sign-off, rather than a set of disconnected documents produced by different teams at different times.
Master Assessment Checklist
This is the operational heart of the guide. Each subsection below corresponds to one mandatory obligation of the regime. For every obligation the auditor must confirm not only that the artefact exists but that it is current, board-approved, evidence-backed and genuinely tested. Where a firm cannot demonstrate an item, that is a finding regardless of the sophistication of its wider controls environment.
1. Identification of Important Business Services (IBS)
Identification is the foundation of the entire regime; every downstream obligation inherits any error made here. The assessor's central test is whether the firm has correctly applied the regulatory definition — an externally-facing service whose disruption could cause intolerable harm to clients or pose a risk to UK financial stability or market integrity — rather than substituting a convenient internal view such as a list of business lines, products or IT systems. A common failure mode is to list the core banking platform as an 'IBS'; the platform is a resource that supports services such as 'making payments' or 'providing access to cash', not a service in its own right. The right granularity is the service the customer or market participant actually consumes.
| What to verify | Typical evidence |
|---|---|
| A documented, board-approved list of important business services exists and uses the regulatory definition (external end user, intolerable harm) | IBS register; board/committee minutes approving the list |
| The methodology distinguishes IBS from internal/business lines/products and from mere IT systems | IBS identification methodology document; scoping rationale |
| Harm to clients AND risk to market stability/financial system are both considered as identification criteria | Harm assessment; systemic-risk analysis per service |
| Services are defined at the right granularity (e.g. 'making payments', not 'the core banking platform') | Service definitions; example service-level descriptions |
| The list is reviewed at least annually and after material change (new products, M&A, restructuring) | Review log; change-triggered reassessment records |
| Rationale for excluding candidate services is documented and defensible | Exclusion register with justifications |
2. Setting Impact Tolerances
Setting impact tolerances is where firms most often reveal whether they have genuinely internalised the regime or merely rebadged their disaster-recovery targets. A credible tolerance is anchored on the 'first point of intolerable harm' — the moment at which a disruption stops being a tolerable inconvenience and starts causing real detriment to clients (loss of access to funds, missed payments, harm to vulnerable customers) or destabilising the market. The assessor should challenge whether the metric is expressed primarily in time (for example, 'payments must be restored within X hours') and supplemented by relevant volume or value measures, and whether the number was derived from customer-harm analysis rather than from what IT believes it can realistically achieve. A tolerance that simply mirrors an existing RTO is a red flag.
| What to verify | Typical evidence |
|---|---|
| Each IBS has a quantified impact tolerance expressed by reference to a time metric | Impact tolerance statement per IBS |
| Tolerances also reference other relevant measures where appropriate (e.g. number of customers, transaction volume/value) | Tolerance metric definitions; supporting analysis |
| Tolerances are set at the point beyond which harm to clients or market stability becomes intolerable — not at operational convenience | Harm-to-tolerance mapping; customer-impact analysis |
| Impact tolerances are approved by the governing body (board), not just management | Board approval minutes |
| The distinction between impact tolerance and internal RTO/RPO is explicit and documented | Definition mapping; RTO-to-tolerance linkage |
| Tolerances are reviewed at least annually and after material change | Annual review evidence |
| For dual-regulated firms, tolerances reflect SS1/21 expectations including the 'first point of intolerable harm' | SS1/21 alignment assessment |
3. Mapping of Important Business Services
Mapping translates a service into the concrete set of resources on which it depends, and its quality determines whether testing can find anything meaningful. The rules require mapping across five resource categories: people, processes, technology, facilities and information — and, critically, the third parties (and their sub-outsourcers) embedded in each. Assessors should probe the depth of the map: a two-page block diagram that names a handful of internal systems is not sufficient. A good map surfaces single points of failure, hidden intra-group dependencies, concentration on a small number of external providers (such as a single hyperscale cloud region), and the substitutability — or lack of it — of key staff, systems and suppliers. The map should be detailed enough that a scenario designer can point to a specific node and ask 'what happens to the impact tolerance if this fails?'.
| What to verify | Typical evidence |
|---|---|
| Each IBS is mapped end-to-end across people, processes, technology, facilities and information | Service maps / dependency diagrams per IBS |
| Third-party and intra-group dependencies (including fourth parties) supporting each IBS are identified | Third-party dependency register linked to each IBS |
| Mapping identifies single points of failure and concentration risks | Vulnerability / SPOF analysis derived from maps |
| Mapping is sufficiently detailed to identify vulnerabilities and support testing (not superficial) | Granularity assessment; sample deep-dive maps |
| Data and information flows critical to the service are captured | Data-flow diagrams; information asset linkage |
| Maps are kept current and version-controlled | Change history; last-updated dates |
| Substitutability of key resources (staff, systems, suppliers) is assessed | Resource substitutability analysis |
4. Scenario Testing
Scenario testing is the evidential engine of the regime: it is how a firm proves — rather than asserts — that it can stay within tolerance. Scenarios must be 'severe but plausible', meaning materially worse than the firm's everyday incidents yet genuinely capable of occurring. The library should span diverse threat types (cyber attack including ransomware and data-integrity corruption, technology and infrastructure failure, third-party or cloud outage, loss of a key facility, loss of key personnel, and combinations or chained events) and should grow in sophistication year on year. A frequent finding is that a firm's 'operational resilience testing' is really its long-standing IT disaster-recovery test in a new folder — it restores a data centre on a sunny day and declares success, without ever stressing a third party, corrupting data, or running a genuine cross-functional crisis under time pressure. Where testing shows a service cannot stay within tolerance, that is expected and acceptable during maturation, but only if it triggers a costed, owned and time-bound remediation plan.
| What to verify | Typical evidence |
|---|---|
| A range of severe but plausible disruption scenarios is defined and documented | Scenario library; scenario design rationale |
| Scenarios cover multiple threat types: cyber attack, technology failure, third-party failure, loss of premises, loss of key staff, data corruption | Scenario coverage matrix |
| Testing determines whether the firm can remain within impact tolerance for each IBS under each scenario | Test results with pass/fail against tolerance |
| Testing sophistication increases over time and includes 'sunny day' and 'rainy day' assumptions | Multi-year test plan; escalation of complexity |
| Where a firm cannot remain within tolerance, a remediation plan with owners and dates exists | Remediation / gap-closure plan |
| Cyber-specific testing (e.g. simulated ransomware, data integrity loss) is included | Cyber scenario test reports |
| Testing engages business, technology, third-party and communications functions, not just IT DR | Cross-functional exercise records; participant lists |
| Lessons from live incidents are used to validate/refresh scenarios | Incident-to-scenario feedback log |
5. Third-Party and Outsourcing Resilience
Modern financial services run on a dense web of outsourced and third-party services, so the resilience of an IBS is often only as strong as the weakest external provider embedded in it. This obligation intersects directly with the PRA's outsourcing supervisory statement SS2/21 and the FCA's equivalent expectations, and increasingly with the UK Critical Third Parties (CTP) regime that brings systemically important providers under direct regulatory oversight. Assessors must look beyond a signed contract to evidence of genuine, tested resilience: SS2/21-aligned clauses (audit rights, sub-outsourcing transparency, business continuity, and exit), tested exit and stressed-exit plans, and a clear-eyed assessment of concentration risk where many services rely on the same hyperscale cloud provider or the same specialist vendor. Sub-outsourcing chains matter too: a firm may have contracted with a resilient primary provider that in turn depends on a fragile fourth party, and that fragility flows straight through to the IBS.
| What to verify | Typical evidence |
|---|---|
| Material outsourcing and third-party arrangements supporting IBS are identified and inventoried | Outsourcing register mapped to IBS |
| Contracts include resilience, audit, sub-outsourcing, exit and business continuity clauses (SS2/21 alignment) | Contract clause review; SS2/21 gap analysis |
| Resilience of critical third parties is tested and evidenced (not merely asserted by the vendor) | Third-party test attestations; joint exercises |
| Concentration risk across shared providers (e.g. major cloud/CSPs) is assessed | Concentration risk assessment |
| Documented, tested exit and stressed-exit plans exist for material arrangements | Exit plan documents; stressed-exit test evidence |
| Sub-outsourcing (fourth-party) chains are visible for critical services | Sub-outsourcing / fourth-party mapping |
| Alignment with the UK Critical Third Parties (CTP) regime where relevant | CTP oversight consideration; DP3/22 alignment |
6. Response, Recovery and Communications
Even a well-mapped, well-tested firm will still suffer disruptions, so the regime demands a credible ability to respond, recover and communicate when a real incident bites. This means incident and crisis management plans that are explicitly linked to IBS and their impact tolerances (so responders know which services must be prioritised and by when), clear escalation and decision authority under pressure, and — an area firms frequently neglect — internal and external communication plans covering customers, staff, the market, the media and the regulators. Regulatory notification obligations, including Principle 11 duties and material-incident reporting, must be embedded and rehearsed so that disclosure during a crisis is timely and consistent rather than improvised. Response capability should be exercised through tabletops and live simulations, not merely written down.
| What to verify | Typical evidence |
|---|---|
| Incident and crisis management plans exist and are linked to IBS and impact tolerances | Incident/crisis management framework |
| Internal and external communication plans (customers, regulators, media, market) are defined | Communication plans and templates |
| Escalation paths and decision-making authority during disruption are clear | Escalation matrix; crisis governance |
| Regulatory notification obligations (Principle 11 / material incident reporting) are embedded | Regulatory reporting procedures |
| Recovery playbooks exist for each severe but plausible scenario | Recovery runbooks |
| Response capability is exercised, not just documented | Crisis simulation / tabletop records |
| Customer harm mitigation (e.g. redress, workaround channels) is planned | Customer contingency arrangements |
7. Self-Assessment and Governance
The self-assessment document is the single artefact the regulators are most likely to request, and it is the place where the whole programme is drawn together and put before the board. The rules require a written self-assessment, approved by the governing body at least annually, that records the firm's IBS, impact tolerances, mapping, the scenarios tested and their results, the vulnerabilities identified and the remediation planned. Assessors should confirm not only that the document exists and is current but that it is a genuine board document with real challenge behind it — evidenced by second-line risk review and third-line internal audit assurance — rather than a management summary rubber-stamped once a year. The named SMF holder's accountability for operational resilience should be visible in their Statement of Responsibilities, closing the loop between the programme and individual senior-manager accountability under SM&CR.
| What to verify | Typical evidence |
|---|---|
| A written self-assessment document covering all obligations exists | The self-assessment document |
| The self-assessment is approved by the board / governing body at least annually | Board approval minutes |
| It records IBS, impact tolerances, mapping, testing results, vulnerabilities and remediation | Self-assessment content review |
| A named SMF holder is accountable in their Statement of Responsibilities | SoR extract; SM&CR mapping |
| The self-assessment is retained and available to supervisors on request | Document retention evidence |
| Second and third lines (risk, internal audit) provide challenge/assurance over the self-assessment | Risk review and internal audit reports |
| Material changes trigger an out-of-cycle refresh of the self-assessment | Change-triggered update log |
8. Lessons Learned and Continuous Improvement
| What to verify | Typical evidence |
|---|---|
| Post-incident reviews are conducted and feed structured lessons learned | PIR reports; lessons-learned register |
| Vulnerabilities identified by testing are tracked to closure with owners and dates | Vulnerability remediation tracker |
| Improvements are prioritised by severity of potential harm | Prioritisation methodology |
| Board receives regular reporting on resilience posture and open vulnerabilities | MI packs / board reporting |
| Investment decisions reflect resilience priorities | Budget / investment linkage evidence |
Scoping, Materiality and Tiering
Scoping under this regime is fundamentally an exercise in judgement about harm, not a checklist. The firm must first decide which of its services are 'important' by asking whether disruption would cause intolerable harm to clients or threaten the stability of the UK financial system. The FCA deliberately avoided publishing a fixed list of IBS so that each firm tailors identification to its own business model; however, common examples in retail banking include making payments, providing access to cash, and enabling customers to make lending decisions, while in wholesale markets they include trade execution, clearing and settlement.
- Materiality is assessed against two lenses: harm to clients (financial loss, loss of access to funds, detriment to vulnerable customers) and harm to market integrity/stability (contagion, loss of confidence, disorderly markets).
- Proportionality applies: a firm's approach should be proportionate to its size, complexity and the potential systemic impact of its failure. A small solo-regulated firm may have a handful of IBS; a large universal bank may have dozens.
- Impact tolerances effectively 'tier' services — the tightest tolerances (shortest tolerable disruption windows) apply to the most systemically or client-critical services.
- The 'first point of intolerable harm' concept (SS1/21) is the practical anchor for setting a tolerance: identify the moment at which harm shifts from tolerable inconvenience to genuine detriment.
- Group and legal-entity scoping must avoid gaps: shared services and intra-group dependencies must be mapped so that no IBS falls between entities.
There is no numeric turnover or balance-sheet threshold that switches the core obligations on or off in the way some other regimes use size bands; instead, the depth and formality expected scale with the firm's size, complexity and potential systemic footprint. A large, systemically important bank is expected to run sophisticated, chained, cyber-integrated scenario testing across dozens of IBS with granular fourth-party mapping, whereas a small enhanced-scope solo-regulated firm may reasonably operate a leaner programme covering a small number of services — provided the underlying discipline (harm-based tolerances, real mapping, real testing, board sign-off) is genuinely present. Proportionality is a modifier of effort, not an exemption from the outcomes.
Implementation Approach
A robust implementation follows a phased path. Because the regulatory transitional period ended on 31 March 2025 — the date by which firms had to be able to remain within impact tolerances for every IBS — most firms are now in a 'sustain and mature' state, but the same phases apply to any new firm entering scope, any newly-identified IBS, or any post-M&A integration.
Phase 1 — Mobilise and Identify
- Activities: establish governance and SMF accountability; secure board sponsorship; define the IBS identification methodology; produce the candidate IBS list; agree scoping and proportionality approach.
- Deliverables: operational resilience governance charter; IBS identification methodology; board-approved IBS register; project plan and RACI.
Phase 2 — Set Impact Tolerances
- Activities: define time and non-time metrics; conduct harm analysis and locate the first point of intolerable harm; draft tolerances; obtain board approval.
- Deliverables: impact tolerance statements per IBS; harm analysis; board approval record; RTO-to-tolerance reconciliation.
Phase 3 — Map Dependencies
- Activities: map people, processes, technology, facilities, information and third parties for each IBS; identify single points of failure and concentration risk; assess substitutability.
- Deliverables: end-to-end service maps; third-party dependency register; SPOF and concentration risk analysis.
Phase 4 — Test and Remediate
- Activities: design severe but plausible scenarios; run tests against impact tolerances; identify vulnerabilities; build and execute remediation plans; increase testing sophistication over successive cycles.
- Deliverables: scenario library; test reports with pass/fail; vulnerability register; costed remediation roadmap.
Phase 5 — Embed, Self-Assess and Sustain
- Activities: produce and obtain board approval of the self-assessment; embed into BAU risk management and change control; establish annual review and material-change triggers; institute lessons-learned loop.
- Deliverables: board-approved self-assessment; embedded operating model; annual review calendar; continuous improvement backlog.
Maturity / Capability Model
While the regulator does not publish an official maturity scale, assessors commonly grade a firm's operational resilience capability against a five-level model. This helps translate binary rule compliance into a picture of genuine, sustainable resilience.
| Level | Descriptor | Characteristics |
|---|---|---|
| 1 — Initial | Ad hoc | No formal IBS list; resilience conflated with IT DR; tolerances absent or expressed only as RTOs; no board self-assessment. |
| 2 — Developing | Defined on paper | IBS list and tolerances documented but not deeply tested; mapping superficial; third-party dependencies partially understood; self-assessment nascent. |
| 3 — Established | Operational | All obligations met; end-to-end mapping complete; severe-but-plausible testing underway; vulnerabilities tracked; board-approved self-assessment in place. |
| 4 — Managed | Evidenced and challenged | Testing sophistication increasing year-on-year; remediation demonstrably closes gaps; second/third line challenge; metrics reported to board; can stay within tolerance for all IBS. |
| 5 — Optimised | Embedded and predictive | Resilience integrated into strategy, change and investment; scenario testing includes complex, chained and cyber-integrity events; concentration and fourth-party risk actively managed; continuous learning demonstrably improves posture. |
Assessment and Audit Approach
- Scope and plan: confirm the firm's classification (FCA-solo vs dual-regulated vs FMI), identify the applicable rule source (SYSC 15A / PRA Op Res Part / BoE expectations), and agree the audit period and sampling approach.
- Review governance and accountability: verify the SMF holder, Statement of Responsibilities, board sponsorship and committee oversight of operational resilience.
- Test IBS identification: challenge the methodology and the completeness of the IBS list against the regulatory definition of intolerable harm.
- Evaluate impact tolerances: confirm they are quantified, board-approved, harm-based and distinct from internal RTOs.
- Assess mapping quality: sample two or three IBS and trace end-to-end maps, verifying granularity, third-party coverage and SPOF/concentration analysis.
- Examine scenario testing: review the scenario library, test results against tolerances, and whether vulnerabilities were identified and remediated.
- Review third-party and outsourcing resilience: check SS2/21 alignment, exit plans, concentration risk and CTP considerations.
- Assess response, recovery and communications: review incident/crisis plans, regulatory notification procedures and exercise records.
- Evaluate the self-assessment document: confirm it is complete, current, board-approved and supported by underlying evidence.
- Assess continuous improvement: verify lessons-learned loops, vulnerability closure and board reporting.
- Rate maturity and report: assign a capability level, document findings by obligation, and provide a prioritised, harm-weighted remediation roadmap.
Evidence Request List
The following artefacts should be requested at the outset of any assessment, organised by obligation area.
- Governance: operational resilience policy and charter; SMF Statement of Responsibilities; board and committee terms of reference and minutes referencing operational resilience.
- IBS identification: IBS register; identification methodology; harm/exclusion rationale documentation.
- Impact tolerances: impact tolerance statements per IBS; harm analysis; RTO/RPO-to-tolerance reconciliation; board approval records.
- Mapping: end-to-end service maps; dependency diagrams; third-party and intra-group dependency registers; SPOF and concentration analyses; data-flow diagrams.
- Testing: scenario library and design rationale; scenario coverage matrix; test plans; test reports with results against tolerance; vulnerability register; remediation roadmap.
- Third parties: outsourcing register mapped to IBS; sample contracts and SS2/21 clause reviews; exit and stressed-exit plans; concentration risk assessments; sub-outsourcing maps.
- Response and recovery: incident and crisis management framework; communication plans and templates; escalation matrix; regulatory notification procedures; recovery runbooks; exercise/tabletop records.
- Self-assessment and assurance: the board-approved self-assessment document; second-line risk reviews; internal audit reports; MI/board reporting packs.
- Continuous improvement: post-incident reviews; lessons-learned register; vulnerability closure evidence; change-triggered reassessment logs.
Roles and Responsibilities
| Role | Primary responsibilities |
|---|---|
| Board / Governing body | Approve IBS, impact tolerances and self-assessment; set risk appetite; oversee resilience posture and remediation. |
| Accountable SMF holder (e.g. COO / SMF24) | Overall regulatory accountability under SM&CR; ensures obligations are met; owns Statement of Responsibilities entry. |
| Head of Operational Resilience | Runs the programme; coordinates identification, tolerances, mapping, testing and self-assessment. |
| CISO / Head of Cyber | Provides cyber scenarios, tests data-integrity and ransomware resilience, links cyber controls to IBS. |
| Business service owners | Own individual IBS; validate tolerances, maps and remediation for their service. |
| Technology / IT DR | Provide system maps, RTO/RPO data, recovery capability and testing support. |
| Third-party / procurement | Manage outsourcing register, contract resilience clauses, exit plans and concentration risk. |
| Second line (Operational Risk / Compliance) | Independent challenge; monitor against risk appetite; oversee regulatory obligations. |
| Third line (Internal Audit) | Independent assurance over the design and operation of the resilience framework and self-assessment. |
| Communications / Crisis team | Own internal and external communication plans and regulatory notification execution. |
KPIs and Metrics to Track
- Number of IBS identified and percentage with board-approved impact tolerances.
- Percentage of IBS that can demonstrably remain within impact tolerance under all severe-but-plausible scenarios tested.
- Number and severity of impact tolerance breaches in testing and in live incidents.
- Percentage of IBS with complete, current end-to-end mapping (including third parties).
- Number of open resilience vulnerabilities by severity, and mean time to remediate.
- Scenario testing coverage: number and diversity of scenarios executed per IBS per year.
- Percentage of material third parties with tested exit plans and resilience attestations.
- Concentration risk exposure (e.g. share of IBS dependent on a single cloud provider).
- Time to detect, respond to and recover critical services during live incidents versus tolerance.
- Currency of the self-assessment (days since last board approval; overdue material-change refreshes).
- Percentage of post-incident actions closed on time.
Readiness Checklist
- A named SMF holder is accountable for operational resilience in their Statement of Responsibilities.
- A board-approved register of important business services exists, using the intolerable-harm definition.
- Each IBS has a quantified, board-approved impact tolerance distinct from internal RTOs.
- Each IBS is mapped end-to-end across people, process, technology, facilities, information and third parties.
- Single points of failure and concentration risks have been identified and are being managed.
- A library of severe but plausible scenarios covers cyber, technology, third-party, premises, staff and data-integrity events.
- Scenario testing demonstrates the firm can remain within tolerance for every IBS, or a remediation plan exists where it cannot.
- Material outsourcing arrangements have resilience clauses and tested exit/stressed-exit plans (SS2/21 aligned).
- Incident, crisis and communication plans (including regulatory notification) are documented and exercised.
- A written self-assessment covering all obligations is board-approved and current.
- Second and third lines provide independent challenge and assurance.
- Lessons learned and vulnerability remediation are tracked to closure and reported to the board.
Common Gaps and Findings
- Confusing impact tolerances with IT recovery time objectives, so tolerances reflect operational convenience rather than the point of intolerable customer harm.
- Defining IBS at the wrong granularity — labelling entire platforms or business lines as services, which makes tolerances and testing meaningless.
- Superficial mapping that stops at internal systems and fails to trace third-party, intra-group and fourth-party dependencies.
- Scenario testing that is really just IT disaster-recovery testing, lacking cyber-integrity, third-party-failure and chained-event scenarios.
- Vulnerabilities identified in testing that are logged but never remediated to closure, or lack owners and dates.
- Exit plans for critical outsourcing that exist on paper but have never been tested, and unmanaged concentration on a small number of cloud providers.
- A self-assessment that is a management document only, without genuine board approval or independent challenge from second and third lines.
- Failure to refresh IBS, tolerances and mapping after material change such as M&A, new products or significant technology migration.
- Communications and regulatory-notification planning treated as an afterthought, leading to late or inconsistent disclosure during incidents.
- Weak evidence trail — assertions of resilience without test results, remediation records or board minutes to substantiate them.
Mapping to Other Frameworks
UK operational resilience does not exist in isolation. Firms with international footprints must reconcile it with the EU's DORA, the Basel Committee's Principles for Operational Resilience, business continuity standards such as ISO 22301, and information-security frameworks. The table below shows the principal alignments and the key differences an assessor should keep in mind.
| Framework | How it relates to UK Operational Resilience | Key difference |
|---|---|---|
| EU DORA | Both are financial-sector resilience regimes; DORA covers ICT risk, TLPT, incident reporting and third-party (CTPP) oversight | DORA is far more prescriptive on ICT controls, mandatory threat-led penetration testing and harmonised incident reporting timelines; UK regime is outcomes-focused on IBS and impact tolerances |
| Basel Principles for Operational Resilience (2021) | UK regime operationalises many Basel principles (mapping, tolerance for disruption, third-party risk, incident management) | Basel principles are international guidance; the UK regime is enforceable rulebook obligation with self-assessment |
| ISO 22301 (Business Continuity) | BCMS supports mapping, recovery and testing; useful evidence base | ISO 22301 is firm-centric continuity of the organisation; UK regime is client/market-harm centric and sets external impact tolerances |
| UK SS2/21 Outsourcing & Third-Party Risk | Directly complementary — third-party resilience feeds IBS mapping and testing | SS2/21 governs the outsourcing relationship; op-res governs the service outcome |
| UK Critical Third Parties (CTP) regime | Extends oversight to systemically important providers whose failure could threaten IBS across firms | CTP regime regulates the provider directly; op-res regulates the firm relying on it |
| NIST CSF / ISO 27001 | Provide the security control substance behind cyber scenario resilience | Security frameworks are control-catalogue based; op-res asks whether services stay within harm tolerances despite control failures |
| SM&CR | Provides the individual accountability layer for operational resilience | SM&CR is about people accountability; op-res is about service outcomes |
Frequently asked questions
Need help with UK FCA?
CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.
