On March 31, 2025, the Financial Conduct Authority (FCA)’s transition period for PS21/3: Building operational resilience will come to an end. With less than a year to go until the final rules come into force, the FCA has set out its observations of how well firms are preparing to meet the new operational resilience benchmark.
The publication, it says, should be used by firms as a guide to review their approaches and assess readiness for implementation of the final rules.
Are firms ready for the operational resilience deadline?
At present, the FCA has not expressed direct concern that firms will not be compliant in time for the 2025 deadline. However, certain elements of their observations hint at more work to be done. Specifically, firms should reassess five critical areas:
- Defining their important business services
- Explain why impact tolerances have been set where they are – and think about how they’re measured
- Take stock of third-party services, and ensure they’re included in (or conducting their own) scenario testing
- Ensure remediation is prioritized
- Expand testing to include the testing of responses, not just scenarios
These five critical considerations form part of a wider nine topic areas in which the FCA has made pertinent observations:
1. Important business services to be identified and reviewed (substitutes won’t suffice)
Under the new rules, firms must appropriately identify their important business services and keep these under review. In its observations, the FCA has seen instances where “outlier firms” are relying on “substitutability” – the belief that, in the event of an outage, their competitors could continue to service client needs. The FCA expects firms to consider all factors when identifying an important service, which should be determined without reference to response or recovery capabilities.
2. Impact tolerance should have rationale and diverse measurements
While many firms are identifying their impact tolerances, the FCA has observed that there is “limited rationale” for when intolerance for consumer harm or risk to market integrity is reached. This should be considered from the outset and included within a firm’s self-assessment. Similarly, many firms are defining impact tolerance using measurements of time. The FCA encourages firms to consider other metrics, including:
- Types of customer
- Values and types of transactions
- Criticality of transaction
- Estimated losses
If recovery from disruption is not feasible within a time-based impact tolerance, the FCA reminds firms that mitigating actions could be considered as part of a response plan.
3. Mapping and third parties to mitigate vulnerabilities
The FCA reminds firms that if a third party is delivering an important business service, and that service fails, it is the firm that ultimately has responsibility. To mitigate third-party risk, firms should ensure they are identifying any potential vulnerabilities, and document the “people, processes, technology, facilities, and information necessary” to ensure business continuity.
4. Scenario testing for firms and third parties
Firms should identify “severe but plausible” scenarios across a range of circumstances, “varying in nature, severity, and duration”, using the FCA’s Handbook as a guide in the first instance. These tests should be implemented in increments, gradually increasing in severity until a firm is no longer able to stay within its impact tolerance. Third parties should be included in such resting, and third parties can undertake their own tests, but the firm must be satisfied that “their methodology and tested scenarios are appropriate and sufficient” for a firm’s requirements.
5. Vulnerabilities and remediation a priority in the early stage of transition
Mapping and scenario testing should allow firms to see vulnerabilities that would stop them from staying within impact tolerances. Remediation should be prioritized in the early stage of transition, and should be “approved, fully funded, and appropriately governed” to ensure delivery. As further vulnerabilities are identified, further remediation will be required. With this in mind, they should be reviewed regularly.
6. Response and recovery plans should be addressed in equal measure
The FCA has so far observed that firms’ self-assessments seldom evidence the testing of response plans, which are a “fundamental part of understanding whether you can remain within impact tolerance”. Instead, firms are relying on recovery rather than response. The FCA notes that response plans offer tactical options for remediation and can “buy time for recovery plans to complete”, so should be given equal weight.
7. Governance and self-assessment to document the path to operational resilience
The FCA has published a Handbook that acts as a guide for self-assessments which should be, in essence, a storybook documenting a firm’s journey to operational resilience. The FCA notes that good examples of self-assessments allow a governing body to understand the firm’s “position and roadmap to resilience” including an overview of vulnerabilities, testing, remediation plans, and strategies to remain within impact tolerances.
8. Embedding operational resilience within a firm’s culture
The requirement to be operationally resilient is not “once and done”, and should instead be a “way of working that is embedded into your overall culture”. The FCA observes that the most effective frameworks it has seen are those that form part of the firm’s enterprise-wide risk frameworks and is a core consideration when assessing transformation.
9. Horizon scanning to prepare for emerging risk
The FCA expects firms to continue to look ahead to build an “understanding of new and emerging risks”, as well as the likely impact they may have on their business. This will help ensure that effective testing and controls are in place to respond to operational disruptions.
What’s next for operational resilience?
Once the transition period has ended, not only does the FCA expect firms to be compliant, but that they will review impact tolerances and mapping on an annual basis – at minimum. The FCA will also require firms to conduct further reviews and mapping exercises in the event that there is a material change to a firm’s business or to the market in which it operates.
With multiple rules on the horizon, from DORA to the Commodity Futures Trading Commission (CFTC)’s Operational Resilience Framework, firms should be placing operational resilience at the top of their agendas – or failure to plan could mean planning to fail.