Knowledge Center / UK FCA
FCA / PRA / Bank of England · UK

UK FCA Operational Resilience

UK regulatory rules on operational resilience for financial firms.

Introduction: The UK Operational Resilience Regime

The UK operational resilience regime is a supervisory framework jointly designed by the Financial Conduct Authority (FCA), the Prudential Regulation Authority (PRA) and the Bank of England to ensure that firms and financial market infrastructures can prevent, adapt, respond to, recover from and learn from operational disruptions. Rather than prescribing a fixed catalogue of technical controls, the regime is outcomes-focused: it asks a firm to identify the services that matter most to its clients and to the wider UK financial system, to set the maximum level of disruption it is prepared to tolerate for each of those services, and then to prove — through testing, mapping and self-assessment — that it can remain within those limits even under severe but plausible scenarios.

The regime was published in the FCA Policy Statement PS21/3 and the corresponding PRA Policy Statement PS6/21 in March 2021, taking effect on 31 March 2022. Firms were then given a transitional period ending on 31 March 2025 to become able to remain within their impact tolerances for each important business service. This makes operational resilience one of the most significant supervisory expectations in the UK financial sector, sitting alongside — and complementing — outsourcing and third-party risk rules (SS2/21), the operational risk framework, and the Senior Managers and Certification Regime (SM&CR).

This deep-dive is written for two audiences at once: the auditor or assessor who must independently verify a firm's compliance, and the CISO, Head of Operational Resilience or Chief Operating Officer who must build and evidence the programme. It sets out what the regime is, who it applies to, its structural pillars, an exhaustive master assessment checklist, the scoping and impact-tolerance methodology, a phased implementation approach, a maturity model, the audit method, an evidence request list, roles and responsibilities, metrics, common gaps, and how the regime maps to adjacent frameworks such as DORA, the Basel Principles for Operational Resilience, ISO 22301 and NIST.

Source and Copyright Note
This guide is an original CyberSigma work product. It paraphrases and interprets publicly available FCA, PRA and Bank of England rules and policy statements (notably PS21/3, PS6/21, SYSC 15A, the PRA Operational Resilience Part of the Rulebook, and SS1/21). It does not reproduce copyrighted regulatory text. Firms must always consult the current FCA Handbook (SYSC 15A), the PRA Rulebook and the latest supervisory statements, as rules are periodically updated. Nothing here is legal advice.

What is the UK FCA Operational Resilience Regime?

Operational resilience is defined by the UK regulators as the ability of firms, financial market infrastructures (FMIs) and the sector as a whole to prevent, adapt to, respond to, recover from and learn from operational disruptions. The central regulatory shift is from a firm-centric, risk-appetite view ('how much operational risk are we willing to run?') to a customer- and market-centric, harm-based view ('how much disruption to the services that matter can our clients and the financial system actually withstand?'). The regime assumes that disruptions will happen; the regulatory question is not whether a firm can avoid all incidents but whether it can stay within defined limits of harm when they occur.

The regime is codified for FCA-solo-regulated firms in the FCA Handbook chapter SYSC 15A ('Operational resilience'), supported by Policy Statement PS21/3 and Finalised Guidance. For dual-regulated firms (banks, building societies, PRA-designated investment firms and insurers) it is codified in the Operational Resilience Part of the PRA Rulebook, supported by PS6/21 and Supervisory Statement SS1/21 ('Operational resilience: Impact tolerances for important business services'). The Bank of England applies equivalent expectations to FMIs (recognised payment systems, central securities depositories and central counterparties).

Four defined terms carry the entire regime. An 'important business service' (IBS) is a service provided by a firm to an external end user or participant that, if disrupted, could cause intolerable harm to clients or pose a risk to the soundness, stability or resilience of the UK financial system, or to the orderly operation of financial markets. An 'impact tolerance' is the maximum tolerable level of disruption to an IBS, expressed by reference to a specific time metric and, where relevant, other measures such as the number of customers or volume of transactions affected. 'Mapping' is the exercise of identifying and documenting the people, processes, technology, facilities and information (including third parties) that support each IBS. A 'severe but plausible scenario' is a hypothetical disruption event, more extreme than a firm's day-to-day incidents yet realistic enough that it could genuinely occur, used to test whether the firm can stay within its impact tolerances.

Crucially, an impact tolerance is not the same as a recovery time objective (RTO). An RTO is an internal, firm-centric target for how quickly IT wishes to restore a system; an impact tolerance is an outward-facing regulatory ceiling on harm to clients and markets, set at board level, that the firm must not breach. A firm may have many RTOs feeding into a single impact tolerance, and the impact tolerance is deliberately set with the customer's tolerance for harm — not the firm's operational convenience — in mind.

A defining philosophical feature of the regime is the assumption of failure. The regulators explicitly acknowledge that in a complex, interconnected and increasingly digital financial system, operational disruption is inevitable: hardware fails, software contains defects, cyber adversaries are persistent and well-resourced, third parties themselves suffer outages, and human error is unavoidable. Consequently the supervisory posture moves away from an unattainable goal of preventing every incident and towards a realistic goal of limiting the harm that any given incident can cause. This is why the regime is sometimes described as 'harm-limitation' regulation. It compels boards to have an uncomfortable but honest conversation about the maximum disruption their clients and the market could actually absorb, and then to invest so that the firm never crosses that line — even in a bad-day, rather than an average-day, scenario.

The regime is also deliberately technology-neutral and control-agnostic. It does not tell a firm which firewall to deploy, which backup regime to run or which cloud architecture to adopt. Instead it tells the firm to prove — with evidence from realistic testing — that whatever architecture it has chosen keeps important services within tolerance. This gives firms flexibility but raises the assurance bar: a beautifully documented control environment counts for nothing if the firm cannot show, through scenario testing, that services actually stay within tolerance when those controls are stressed or fail.

Finally, operational resilience is a firm-wide, cross-functional discipline rather than an IT or security silo. Delivering it requires the coordinated effort of business service owners, technology and cyber teams, third-party and procurement functions, business continuity, communications, risk and internal audit, all under clear senior-manager accountability. Firms that treat it as a technology programme, or that bolt it onto an existing IT disaster-recovery function, consistently struggle to satisfy supervisors because they miss the end-to-end, client-harm perspective at the heart of the rules.

Who Must Comply: Scope of Applicability

The regime applies to a broad population of UK-authorised firms and infrastructures, though the precise rule source depends on whether a firm is FCA-solo-regulated or dual-regulated. Smaller firms below certain thresholds may benefit from proportionality but are not fully exempt from the underlying operational risk expectations.

Firm type / entityApplicable rule sourceIn scope?
Banks, building societies and PRA-designated investment firmsPRA Rulebook Operational Resilience Part; SS1/21; PS6/21; also FCA SYSC 15AYes (dual-regulated)
Insurers and reinsurers (Solvency II firms)PRA Rulebook Operational Resilience Part; SS1/21Yes
Enhanced-scope SM&CR firms (larger solo-regulated investment firms)FCA SYSC 15A; PS21/3Yes
Recognised Investment Exchanges (RIEs)FCA SYSC 15A / REC sourcebook expectationsYes
E-money institutions and Authorised Payment Institutions (larger)FCA SYSC 15A (as applied)Yes
Certain MiFID investment firms and UCITS/AIFM managersFCA SYSC 15A per PS21/3 scopingYes
Recognised payment systems, CSDs and CCPs (FMIs)Bank of England operational resilience expectationsYes
Small, non-enhanced SM&CR firms below thresholdsGeneral SYSC operational risk; proportionality appliesPartial / proportionate
Appointed representatives (principals responsible)Principal firm's SYSC obligationsIndirect
  • Scope is determined by firm classification (enhanced SM&CR, dual-regulated, FMI) rather than by size alone, though thresholds influence which SM&CR tier applies.
  • Group structures must consider resilience at both entity and group level; a UK entity cannot outsource away its own accountability to an overseas parent.
  • Branches of overseas firms operating in the UK are within scope for the services they provide to UK clients and markets.
  • Third parties (including intra-group service companies and cloud providers) are not directly regulated by this regime but are captured indirectly through the firm's mapping, testing and outsourcing obligations (SS2/21 and the FCA equivalent).

Structure of the UK Operational Resilience Regime

The regime is best understood as a lifecycle built around a small number of interlocking obligations. Unlike a control-catalogue standard, it does not have hundreds of numbered controls; instead it has a set of mandatory activities, each of which must be performed, documented, board-approved and reviewed at least annually (or after a material change). The table below sets out the structural pillars and their rule anchors.

Pillar / obligationWhat it requiresPrimary rule anchor
1. Identify important business services (IBS)Determine which services, if disrupted, could cause intolerable harm to clients or risk to market stabilitySYSC 15A.2 / PRA Op Res 3
2. Set impact tolerancesSet a maximum tolerable level of disruption for each IBS, expressed as a time metric plus relevant measuresSYSC 15A.2 / PRA Op Res 4; SS1/21
3. Map the serviceIdentify and document the people, processes, technology, facilities, information and third parties supporting each IBSSYSC 15A.3 / PRA Op Res 5
4. Test the ability to remain within toleranceTest against a range of severe but plausible scenarios; identify and remediate vulnerabilitiesSYSC 15A.4 / PRA Op Res 6; SS1/21
5. Manage third parties and outsourcingEnsure resilience of material outsourced and third-party services supporting IBSSS2/21 (PRA) / FCA outsourcing expectations
6. Respond, recover and communicateHave incident management, internal and external communication plans to respond to disruptionSYSC 15A.5 / PRA Op Res 7
7. Self-assessment and governanceProduce a board-approved written self-assessment document; review at least annually and after material changeSYSC 15A.6 / PRA Op Res 8
8. Lessons learned and continuous improvementLearn from incidents and testing; feed improvements back into the programmeSYSC 15A.5 / SS1/21

Overarching these pillars is the Senior Managers and Certification Regime: a named Senior Management Function (SMF) holder must be accountable for operational resilience under the firm's Statement of Responsibilities. In practice this is frequently the Chief Operating Officer (SMF24) or an equivalent, and the accountability cannot be delegated away even where activities are performed by the CISO, business continuity or technology teams.

Each of these pillars is not a one-off project deliverable but a standing obligation that must be maintained. The rules require the firm to review its identification of IBS, its impact tolerances, its mapping and its self-assessment at least annually and, importantly, whenever there is a material change to the firm's business or the market in which it operates. Material changes include mergers and acquisitions, the launch or withdrawal of products, significant technology migrations (for example a move to a new core banking platform or a lift-and-shift to the cloud), the onboarding of a new critical third party, and organisational restructuring. A firm whose artefacts are eighteen months out of date, or which has completed a major cloud migration without refreshing its maps and tolerances, will fail an assessment on currency grounds alone, however elegant the original documents were.

The pillars are also sequentially dependent: you cannot meaningfully set an impact tolerance without first defining the service; you cannot map without knowing which services to map; you cannot design a credible test without a map that reveals the dependencies and single points of failure to be stressed; and you cannot write an honest self-assessment without test results that show whether tolerances actually hold. Assessors therefore look for a coherent, traceable golden thread running from IBS identification through to remediation and board sign-off, rather than a set of disconnected documents produced by different teams at different times.

Master Assessment Checklist

This is the operational heart of the guide. Each subsection below corresponds to one mandatory obligation of the regime. For every obligation the auditor must confirm not only that the artefact exists but that it is current, board-approved, evidence-backed and genuinely tested. Where a firm cannot demonstrate an item, that is a finding regardless of the sophistication of its wider controls environment.

1. Identification of Important Business Services (IBS)

Identification is the foundation of the entire regime; every downstream obligation inherits any error made here. The assessor's central test is whether the firm has correctly applied the regulatory definition — an externally-facing service whose disruption could cause intolerable harm to clients or pose a risk to UK financial stability or market integrity — rather than substituting a convenient internal view such as a list of business lines, products or IT systems. A common failure mode is to list the core banking platform as an 'IBS'; the platform is a resource that supports services such as 'making payments' or 'providing access to cash', not a service in its own right. The right granularity is the service the customer or market participant actually consumes.

What to verifyTypical evidence
A documented, board-approved list of important business services exists and uses the regulatory definition (external end user, intolerable harm)IBS register; board/committee minutes approving the list
The methodology distinguishes IBS from internal/business lines/products and from mere IT systemsIBS identification methodology document; scoping rationale
Harm to clients AND risk to market stability/financial system are both considered as identification criteriaHarm assessment; systemic-risk analysis per service
Services are defined at the right granularity (e.g. 'making payments', not 'the core banking platform')Service definitions; example service-level descriptions
The list is reviewed at least annually and after material change (new products, M&A, restructuring)Review log; change-triggered reassessment records
Rationale for excluding candidate services is documented and defensibleExclusion register with justifications

2. Setting Impact Tolerances

Setting impact tolerances is where firms most often reveal whether they have genuinely internalised the regime or merely rebadged their disaster-recovery targets. A credible tolerance is anchored on the 'first point of intolerable harm' — the moment at which a disruption stops being a tolerable inconvenience and starts causing real detriment to clients (loss of access to funds, missed payments, harm to vulnerable customers) or destabilising the market. The assessor should challenge whether the metric is expressed primarily in time (for example, 'payments must be restored within X hours') and supplemented by relevant volume or value measures, and whether the number was derived from customer-harm analysis rather than from what IT believes it can realistically achieve. A tolerance that simply mirrors an existing RTO is a red flag.

What to verifyTypical evidence
Each IBS has a quantified impact tolerance expressed by reference to a time metricImpact tolerance statement per IBS
Tolerances also reference other relevant measures where appropriate (e.g. number of customers, transaction volume/value)Tolerance metric definitions; supporting analysis
Tolerances are set at the point beyond which harm to clients or market stability becomes intolerable — not at operational convenienceHarm-to-tolerance mapping; customer-impact analysis
Impact tolerances are approved by the governing body (board), not just managementBoard approval minutes
The distinction between impact tolerance and internal RTO/RPO is explicit and documentedDefinition mapping; RTO-to-tolerance linkage
Tolerances are reviewed at least annually and after material changeAnnual review evidence
For dual-regulated firms, tolerances reflect SS1/21 expectations including the 'first point of intolerable harm'SS1/21 alignment assessment

3. Mapping of Important Business Services

Mapping translates a service into the concrete set of resources on which it depends, and its quality determines whether testing can find anything meaningful. The rules require mapping across five resource categories: people, processes, technology, facilities and information — and, critically, the third parties (and their sub-outsourcers) embedded in each. Assessors should probe the depth of the map: a two-page block diagram that names a handful of internal systems is not sufficient. A good map surfaces single points of failure, hidden intra-group dependencies, concentration on a small number of external providers (such as a single hyperscale cloud region), and the substitutability — or lack of it — of key staff, systems and suppliers. The map should be detailed enough that a scenario designer can point to a specific node and ask 'what happens to the impact tolerance if this fails?'.

What to verifyTypical evidence
Each IBS is mapped end-to-end across people, processes, technology, facilities and informationService maps / dependency diagrams per IBS
Third-party and intra-group dependencies (including fourth parties) supporting each IBS are identifiedThird-party dependency register linked to each IBS
Mapping identifies single points of failure and concentration risksVulnerability / SPOF analysis derived from maps
Mapping is sufficiently detailed to identify vulnerabilities and support testing (not superficial)Granularity assessment; sample deep-dive maps
Data and information flows critical to the service are capturedData-flow diagrams; information asset linkage
Maps are kept current and version-controlledChange history; last-updated dates
Substitutability of key resources (staff, systems, suppliers) is assessedResource substitutability analysis

4. Scenario Testing

Scenario testing is the evidential engine of the regime: it is how a firm proves — rather than asserts — that it can stay within tolerance. Scenarios must be 'severe but plausible', meaning materially worse than the firm's everyday incidents yet genuinely capable of occurring. The library should span diverse threat types (cyber attack including ransomware and data-integrity corruption, technology and infrastructure failure, third-party or cloud outage, loss of a key facility, loss of key personnel, and combinations or chained events) and should grow in sophistication year on year. A frequent finding is that a firm's 'operational resilience testing' is really its long-standing IT disaster-recovery test in a new folder — it restores a data centre on a sunny day and declares success, without ever stressing a third party, corrupting data, or running a genuine cross-functional crisis under time pressure. Where testing shows a service cannot stay within tolerance, that is expected and acceptable during maturation, but only if it triggers a costed, owned and time-bound remediation plan.

What to verifyTypical evidence
A range of severe but plausible disruption scenarios is defined and documentedScenario library; scenario design rationale
Scenarios cover multiple threat types: cyber attack, technology failure, third-party failure, loss of premises, loss of key staff, data corruptionScenario coverage matrix
Testing determines whether the firm can remain within impact tolerance for each IBS under each scenarioTest results with pass/fail against tolerance
Testing sophistication increases over time and includes 'sunny day' and 'rainy day' assumptionsMulti-year test plan; escalation of complexity
Where a firm cannot remain within tolerance, a remediation plan with owners and dates existsRemediation / gap-closure plan
Cyber-specific testing (e.g. simulated ransomware, data integrity loss) is includedCyber scenario test reports
Testing engages business, technology, third-party and communications functions, not just IT DRCross-functional exercise records; participant lists
Lessons from live incidents are used to validate/refresh scenariosIncident-to-scenario feedback log

5. Third-Party and Outsourcing Resilience

Modern financial services run on a dense web of outsourced and third-party services, so the resilience of an IBS is often only as strong as the weakest external provider embedded in it. This obligation intersects directly with the PRA's outsourcing supervisory statement SS2/21 and the FCA's equivalent expectations, and increasingly with the UK Critical Third Parties (CTP) regime that brings systemically important providers under direct regulatory oversight. Assessors must look beyond a signed contract to evidence of genuine, tested resilience: SS2/21-aligned clauses (audit rights, sub-outsourcing transparency, business continuity, and exit), tested exit and stressed-exit plans, and a clear-eyed assessment of concentration risk where many services rely on the same hyperscale cloud provider or the same specialist vendor. Sub-outsourcing chains matter too: a firm may have contracted with a resilient primary provider that in turn depends on a fragile fourth party, and that fragility flows straight through to the IBS.

What to verifyTypical evidence
Material outsourcing and third-party arrangements supporting IBS are identified and inventoriedOutsourcing register mapped to IBS
Contracts include resilience, audit, sub-outsourcing, exit and business continuity clauses (SS2/21 alignment)Contract clause review; SS2/21 gap analysis
Resilience of critical third parties is tested and evidenced (not merely asserted by the vendor)Third-party test attestations; joint exercises
Concentration risk across shared providers (e.g. major cloud/CSPs) is assessedConcentration risk assessment
Documented, tested exit and stressed-exit plans exist for material arrangementsExit plan documents; stressed-exit test evidence
Sub-outsourcing (fourth-party) chains are visible for critical servicesSub-outsourcing / fourth-party mapping
Alignment with the UK Critical Third Parties (CTP) regime where relevantCTP oversight consideration; DP3/22 alignment

6. Response, Recovery and Communications

Even a well-mapped, well-tested firm will still suffer disruptions, so the regime demands a credible ability to respond, recover and communicate when a real incident bites. This means incident and crisis management plans that are explicitly linked to IBS and their impact tolerances (so responders know which services must be prioritised and by when), clear escalation and decision authority under pressure, and — an area firms frequently neglect — internal and external communication plans covering customers, staff, the market, the media and the regulators. Regulatory notification obligations, including Principle 11 duties and material-incident reporting, must be embedded and rehearsed so that disclosure during a crisis is timely and consistent rather than improvised. Response capability should be exercised through tabletops and live simulations, not merely written down.

What to verifyTypical evidence
Incident and crisis management plans exist and are linked to IBS and impact tolerancesIncident/crisis management framework
Internal and external communication plans (customers, regulators, media, market) are definedCommunication plans and templates
Escalation paths and decision-making authority during disruption are clearEscalation matrix; crisis governance
Regulatory notification obligations (Principle 11 / material incident reporting) are embeddedRegulatory reporting procedures
Recovery playbooks exist for each severe but plausible scenarioRecovery runbooks
Response capability is exercised, not just documentedCrisis simulation / tabletop records
Customer harm mitigation (e.g. redress, workaround channels) is plannedCustomer contingency arrangements

7. Self-Assessment and Governance

The self-assessment document is the single artefact the regulators are most likely to request, and it is the place where the whole programme is drawn together and put before the board. The rules require a written self-assessment, approved by the governing body at least annually, that records the firm's IBS, impact tolerances, mapping, the scenarios tested and their results, the vulnerabilities identified and the remediation planned. Assessors should confirm not only that the document exists and is current but that it is a genuine board document with real challenge behind it — evidenced by second-line risk review and third-line internal audit assurance — rather than a management summary rubber-stamped once a year. The named SMF holder's accountability for operational resilience should be visible in their Statement of Responsibilities, closing the loop between the programme and individual senior-manager accountability under SM&CR.

What to verifyTypical evidence
A written self-assessment document covering all obligations existsThe self-assessment document
The self-assessment is approved by the board / governing body at least annuallyBoard approval minutes
It records IBS, impact tolerances, mapping, testing results, vulnerabilities and remediationSelf-assessment content review
A named SMF holder is accountable in their Statement of ResponsibilitiesSoR extract; SM&CR mapping
The self-assessment is retained and available to supervisors on requestDocument retention evidence
Second and third lines (risk, internal audit) provide challenge/assurance over the self-assessmentRisk review and internal audit reports
Material changes trigger an out-of-cycle refresh of the self-assessmentChange-triggered update log

8. Lessons Learned and Continuous Improvement

What to verifyTypical evidence
Post-incident reviews are conducted and feed structured lessons learnedPIR reports; lessons-learned register
Vulnerabilities identified by testing are tracked to closure with owners and datesVulnerability remediation tracker
Improvements are prioritised by severity of potential harmPrioritisation methodology
Board receives regular reporting on resilience posture and open vulnerabilitiesMI packs / board reporting
Investment decisions reflect resilience prioritiesBudget / investment linkage evidence

Scoping, Materiality and Tiering

Scoping under this regime is fundamentally an exercise in judgement about harm, not a checklist. The firm must first decide which of its services are 'important' by asking whether disruption would cause intolerable harm to clients or threaten the stability of the UK financial system. The FCA deliberately avoided publishing a fixed list of IBS so that each firm tailors identification to its own business model; however, common examples in retail banking include making payments, providing access to cash, and enabling customers to make lending decisions, while in wholesale markets they include trade execution, clearing and settlement.

  • Materiality is assessed against two lenses: harm to clients (financial loss, loss of access to funds, detriment to vulnerable customers) and harm to market integrity/stability (contagion, loss of confidence, disorderly markets).
  • Proportionality applies: a firm's approach should be proportionate to its size, complexity and the potential systemic impact of its failure. A small solo-regulated firm may have a handful of IBS; a large universal bank may have dozens.
  • Impact tolerances effectively 'tier' services — the tightest tolerances (shortest tolerable disruption windows) apply to the most systemically or client-critical services.
  • The 'first point of intolerable harm' concept (SS1/21) is the practical anchor for setting a tolerance: identify the moment at which harm shifts from tolerable inconvenience to genuine detriment.
  • Group and legal-entity scoping must avoid gaps: shared services and intra-group dependencies must be mapped so that no IBS falls between entities.

There is no numeric turnover or balance-sheet threshold that switches the core obligations on or off in the way some other regimes use size bands; instead, the depth and formality expected scale with the firm's size, complexity and potential systemic footprint. A large, systemically important bank is expected to run sophisticated, chained, cyber-integrated scenario testing across dozens of IBS with granular fourth-party mapping, whereas a small enhanced-scope solo-regulated firm may reasonably operate a leaner programme covering a small number of services — provided the underlying discipline (harm-based tolerances, real mapping, real testing, board sign-off) is genuinely present. Proportionality is a modifier of effort, not an exemption from the outcomes.

Key Dates and Regulatory Milestones
31 March 2022 — rules took effect; firms had to have identified IBS, set impact tolerances and completed initial mapping. 31 March 2025 — end of the transitional period; firms had to be able to remain within impact tolerances for every important business service under severe but plausible scenarios, and to have performed the mapping and testing necessary to demonstrate this. From 31 March 2025 onwards, the regime is fully in force with no transitional latitude: supervisors expect a mature, tested and board-assured capability, and firms must sustain it through annual and change-triggered reviews.

Implementation Approach

A robust implementation follows a phased path. Because the regulatory transitional period ended on 31 March 2025 — the date by which firms had to be able to remain within impact tolerances for every IBS — most firms are now in a 'sustain and mature' state, but the same phases apply to any new firm entering scope, any newly-identified IBS, or any post-M&A integration.

Phase 1 — Mobilise and Identify

  • Activities: establish governance and SMF accountability; secure board sponsorship; define the IBS identification methodology; produce the candidate IBS list; agree scoping and proportionality approach.
  • Deliverables: operational resilience governance charter; IBS identification methodology; board-approved IBS register; project plan and RACI.

Phase 2 — Set Impact Tolerances

  • Activities: define time and non-time metrics; conduct harm analysis and locate the first point of intolerable harm; draft tolerances; obtain board approval.
  • Deliverables: impact tolerance statements per IBS; harm analysis; board approval record; RTO-to-tolerance reconciliation.

Phase 3 — Map Dependencies

  • Activities: map people, processes, technology, facilities, information and third parties for each IBS; identify single points of failure and concentration risk; assess substitutability.
  • Deliverables: end-to-end service maps; third-party dependency register; SPOF and concentration risk analysis.

Phase 4 — Test and Remediate

  • Activities: design severe but plausible scenarios; run tests against impact tolerances; identify vulnerabilities; build and execute remediation plans; increase testing sophistication over successive cycles.
  • Deliverables: scenario library; test reports with pass/fail; vulnerability register; costed remediation roadmap.

Phase 5 — Embed, Self-Assess and Sustain

  • Activities: produce and obtain board approval of the self-assessment; embed into BAU risk management and change control; establish annual review and material-change triggers; institute lessons-learned loop.
  • Deliverables: board-approved self-assessment; embedded operating model; annual review calendar; continuous improvement backlog.

Maturity / Capability Model

While the regulator does not publish an official maturity scale, assessors commonly grade a firm's operational resilience capability against a five-level model. This helps translate binary rule compliance into a picture of genuine, sustainable resilience.

LevelDescriptorCharacteristics
1 — InitialAd hocNo formal IBS list; resilience conflated with IT DR; tolerances absent or expressed only as RTOs; no board self-assessment.
2 — DevelopingDefined on paperIBS list and tolerances documented but not deeply tested; mapping superficial; third-party dependencies partially understood; self-assessment nascent.
3 — EstablishedOperationalAll obligations met; end-to-end mapping complete; severe-but-plausible testing underway; vulnerabilities tracked; board-approved self-assessment in place.
4 — ManagedEvidenced and challengedTesting sophistication increasing year-on-year; remediation demonstrably closes gaps; second/third line challenge; metrics reported to board; can stay within tolerance for all IBS.
5 — OptimisedEmbedded and predictiveResilience integrated into strategy, change and investment; scenario testing includes complex, chained and cyber-integrity events; concentration and fourth-party risk actively managed; continuous learning demonstrably improves posture.

Assessment and Audit Approach

  1. Scope and plan: confirm the firm's classification (FCA-solo vs dual-regulated vs FMI), identify the applicable rule source (SYSC 15A / PRA Op Res Part / BoE expectations), and agree the audit period and sampling approach.
  2. Review governance and accountability: verify the SMF holder, Statement of Responsibilities, board sponsorship and committee oversight of operational resilience.
  3. Test IBS identification: challenge the methodology and the completeness of the IBS list against the regulatory definition of intolerable harm.
  4. Evaluate impact tolerances: confirm they are quantified, board-approved, harm-based and distinct from internal RTOs.
  5. Assess mapping quality: sample two or three IBS and trace end-to-end maps, verifying granularity, third-party coverage and SPOF/concentration analysis.
  6. Examine scenario testing: review the scenario library, test results against tolerances, and whether vulnerabilities were identified and remediated.
  7. Review third-party and outsourcing resilience: check SS2/21 alignment, exit plans, concentration risk and CTP considerations.
  8. Assess response, recovery and communications: review incident/crisis plans, regulatory notification procedures and exercise records.
  9. Evaluate the self-assessment document: confirm it is complete, current, board-approved and supported by underlying evidence.
  10. Assess continuous improvement: verify lessons-learned loops, vulnerability closure and board reporting.
  11. Rate maturity and report: assign a capability level, document findings by obligation, and provide a prioritised, harm-weighted remediation roadmap.

Evidence Request List

The following artefacts should be requested at the outset of any assessment, organised by obligation area.

  • Governance: operational resilience policy and charter; SMF Statement of Responsibilities; board and committee terms of reference and minutes referencing operational resilience.
  • IBS identification: IBS register; identification methodology; harm/exclusion rationale documentation.
  • Impact tolerances: impact tolerance statements per IBS; harm analysis; RTO/RPO-to-tolerance reconciliation; board approval records.
  • Mapping: end-to-end service maps; dependency diagrams; third-party and intra-group dependency registers; SPOF and concentration analyses; data-flow diagrams.
  • Testing: scenario library and design rationale; scenario coverage matrix; test plans; test reports with results against tolerance; vulnerability register; remediation roadmap.
  • Third parties: outsourcing register mapped to IBS; sample contracts and SS2/21 clause reviews; exit and stressed-exit plans; concentration risk assessments; sub-outsourcing maps.
  • Response and recovery: incident and crisis management framework; communication plans and templates; escalation matrix; regulatory notification procedures; recovery runbooks; exercise/tabletop records.
  • Self-assessment and assurance: the board-approved self-assessment document; second-line risk reviews; internal audit reports; MI/board reporting packs.
  • Continuous improvement: post-incident reviews; lessons-learned register; vulnerability closure evidence; change-triggered reassessment logs.

Roles and Responsibilities

RolePrimary responsibilities
Board / Governing bodyApprove IBS, impact tolerances and self-assessment; set risk appetite; oversee resilience posture and remediation.
Accountable SMF holder (e.g. COO / SMF24)Overall regulatory accountability under SM&CR; ensures obligations are met; owns Statement of Responsibilities entry.
Head of Operational ResilienceRuns the programme; coordinates identification, tolerances, mapping, testing and self-assessment.
CISO / Head of CyberProvides cyber scenarios, tests data-integrity and ransomware resilience, links cyber controls to IBS.
Business service ownersOwn individual IBS; validate tolerances, maps and remediation for their service.
Technology / IT DRProvide system maps, RTO/RPO data, recovery capability and testing support.
Third-party / procurementManage outsourcing register, contract resilience clauses, exit plans and concentration risk.
Second line (Operational Risk / Compliance)Independent challenge; monitor against risk appetite; oversee regulatory obligations.
Third line (Internal Audit)Independent assurance over the design and operation of the resilience framework and self-assessment.
Communications / Crisis teamOwn internal and external communication plans and regulatory notification execution.

KPIs and Metrics to Track

  • Number of IBS identified and percentage with board-approved impact tolerances.
  • Percentage of IBS that can demonstrably remain within impact tolerance under all severe-but-plausible scenarios tested.
  • Number and severity of impact tolerance breaches in testing and in live incidents.
  • Percentage of IBS with complete, current end-to-end mapping (including third parties).
  • Number of open resilience vulnerabilities by severity, and mean time to remediate.
  • Scenario testing coverage: number and diversity of scenarios executed per IBS per year.
  • Percentage of material third parties with tested exit plans and resilience attestations.
  • Concentration risk exposure (e.g. share of IBS dependent on a single cloud provider).
  • Time to detect, respond to and recover critical services during live incidents versus tolerance.
  • Currency of the self-assessment (days since last board approval; overdue material-change refreshes).
  • Percentage of post-incident actions closed on time.

Readiness Checklist

  • A named SMF holder is accountable for operational resilience in their Statement of Responsibilities.
  • A board-approved register of important business services exists, using the intolerable-harm definition.
  • Each IBS has a quantified, board-approved impact tolerance distinct from internal RTOs.
  • Each IBS is mapped end-to-end across people, process, technology, facilities, information and third parties.
  • Single points of failure and concentration risks have been identified and are being managed.
  • A library of severe but plausible scenarios covers cyber, technology, third-party, premises, staff and data-integrity events.
  • Scenario testing demonstrates the firm can remain within tolerance for every IBS, or a remediation plan exists where it cannot.
  • Material outsourcing arrangements have resilience clauses and tested exit/stressed-exit plans (SS2/21 aligned).
  • Incident, crisis and communication plans (including regulatory notification) are documented and exercised.
  • A written self-assessment covering all obligations is board-approved and current.
  • Second and third lines provide independent challenge and assurance.
  • Lessons learned and vulnerability remediation are tracked to closure and reported to the board.

Common Gaps and Findings

  • Confusing impact tolerances with IT recovery time objectives, so tolerances reflect operational convenience rather than the point of intolerable customer harm.
  • Defining IBS at the wrong granularity — labelling entire platforms or business lines as services, which makes tolerances and testing meaningless.
  • Superficial mapping that stops at internal systems and fails to trace third-party, intra-group and fourth-party dependencies.
  • Scenario testing that is really just IT disaster-recovery testing, lacking cyber-integrity, third-party-failure and chained-event scenarios.
  • Vulnerabilities identified in testing that are logged but never remediated to closure, or lack owners and dates.
  • Exit plans for critical outsourcing that exist on paper but have never been tested, and unmanaged concentration on a small number of cloud providers.
  • A self-assessment that is a management document only, without genuine board approval or independent challenge from second and third lines.
  • Failure to refresh IBS, tolerances and mapping after material change such as M&A, new products or significant technology migration.
  • Communications and regulatory-notification planning treated as an afterthought, leading to late or inconsistent disclosure during incidents.
  • Weak evidence trail — assertions of resilience without test results, remediation records or board minutes to substantiate them.

Mapping to Other Frameworks

UK operational resilience does not exist in isolation. Firms with international footprints must reconcile it with the EU's DORA, the Basel Committee's Principles for Operational Resilience, business continuity standards such as ISO 22301, and information-security frameworks. The table below shows the principal alignments and the key differences an assessor should keep in mind.

FrameworkHow it relates to UK Operational ResilienceKey difference
EU DORABoth are financial-sector resilience regimes; DORA covers ICT risk, TLPT, incident reporting and third-party (CTPP) oversightDORA is far more prescriptive on ICT controls, mandatory threat-led penetration testing and harmonised incident reporting timelines; UK regime is outcomes-focused on IBS and impact tolerances
Basel Principles for Operational Resilience (2021)UK regime operationalises many Basel principles (mapping, tolerance for disruption, third-party risk, incident management)Basel principles are international guidance; the UK regime is enforceable rulebook obligation with self-assessment
ISO 22301 (Business Continuity)BCMS supports mapping, recovery and testing; useful evidence baseISO 22301 is firm-centric continuity of the organisation; UK regime is client/market-harm centric and sets external impact tolerances
UK SS2/21 Outsourcing & Third-Party RiskDirectly complementary — third-party resilience feeds IBS mapping and testingSS2/21 governs the outsourcing relationship; op-res governs the service outcome
UK Critical Third Parties (CTP) regimeExtends oversight to systemically important providers whose failure could threaten IBS across firmsCTP regime regulates the provider directly; op-res regulates the firm relying on it
NIST CSF / ISO 27001Provide the security control substance behind cyber scenario resilienceSecurity frameworks are control-catalogue based; op-res asks whether services stay within harm tolerances despite control failures
SM&CRProvides the individual accountability layer for operational resilienceSM&CR is about people accountability; op-res is about service outcomes
How CyberSigma Helps
CyberSigma helps FCA- and PRA-regulated firms and FMIs stand up and mature their operational resilience programmes end to end. Our CERT-In empanelled and QSA-led team supports IBS identification workshops, harm-based impact tolerance calibration, end-to-end dependency mapping (including third- and fourth-party chains and concentration risk), severe-but-plausible and cyber-integrity scenario design and testing, SS2/21-aligned outsourcing and stressed-exit reviews, and the drafting of board-ready self-assessments. We also provide independent third-line-style assurance and pre-supervisory readiness assessments, mapping your controls across UK Operational Resilience, DORA, Basel, ISO 22301 and NIST so you evidence resilience once and satisfy many regimes. Talk to CyberSigma to turn a compliance obligation into demonstrable, board-assured resilience.

Frequently asked questions

What is an impact tolerance?
The maximum tolerable level of disruption to an important business service, expressed as a metric such as time, that a firm must stay within during severe scenarios.
CyberSigma resources

Need help with UK FCA?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.