Building operational resilience: what’s next?

Share this post

The 31 March 2022, deadline has passed for financial firms to carry out the UK Financial Conduct Authority’s (FCA) requirement to complete a self-assessment document setting out their approach to operational resilience.

But while firms have now tested their ability to recover from potential disruptions and received the board’s sign off on the document, this is not the time to take the foot off the accelerator. In fact, the countdown has already begun to the next deadline of 31 March 2025, for firms to act on the findings of this first stage.

Companies cannot leave this to the last minute; the FCA expects organisations in scope to undergo a thorough process to address any issues identified during the initial stage, further test their operational resilience, and build it into the overall framework and governance of their business.

In this blog, we look at five actions you should take to meet the regulator’s expectations and, perhaps more importantly, to become truly operationally resilient.

Assessing operational resilience: the story so far

The FCA’s recent push on operational resilience in the financial sector is driven by the harm disruptions to business operations can cause to consumers and the wider financial system. The regulator says the impact of Covid-19 on firms further illustrates the importance of resilience.

Its new rules (see Policy Statement PS21/3) came into force on 31 March 2022. You can read more about the requirements of the initial stage in our previous blog but, in short, firms had to complete a self-assessment document which:

  • Identified their important business services.
  • Set impact tolerances for the maximum tolerable disruption to business operations.
  • Carried out initial mapping and testing of operational resilience, including critical processes, technologies and third parties.
  • Spotted any vulnerabilities in their resilience and considered the resources needed to mitigate them.

While this first deadline has passed, the hard work starts now. To borrow from Winston Churchill, this is not the end of the regulatory focus on operational resilience. At best, it’s the end of the beginning!

The next step: five requirements for firms by 31 March 2025

The assessment and mapping stage was not just a desktop exercise, but it was designed to give firms a clear course of action to strengthen their operational resilience. The FCA’s rules says this work should be done “as soon as possible” and no later than 31 March 2025. The requirements include:

  1. Remediate vulnerabilities

Firms need to remediate any weaknesses within the operational framework which were identified in the first stage. Without mitigation, these vulnerabilities could damage companies, their customers and the wider markets.

  1. Ramp up resilience testing

Firms should further develop their mapping and testing to ensure they remain within their impact tolerances for each important business service. This includes regular testing of different scenarios which could disrupt operations.

  1. Invest in operational resilience

By March 2025, the FCA expects firms to have “made the necessary investments to operate consistently within their impact tolerances”.

  1. Refine and embed operational resilience

Firms are expected to build operational resilience into their overall framework. It should be interlinked with their frameworks around business continuity, cyber resilience, risk management and process management. Operational resilience is critical to the company’s success and survival and should not be treated as an add-on.

  1. Operationalise governance

The FCA wants firms to operationalise the governance of operational resilience within the organisation. This should involve regular reviews of the firm’s resilience and applying the outcomes of these tests to their approach. Companies should also adapt the framework as appropriate to meet changes in the organisation and the financial markets.

A path to resilience: our advice for companies


We know improving operational resilience is a top priority for financial services firms: at our recent webinar about the UK’s regulatory outlook for 2022, 62% of participants picked it as their main area for improvement this year.

Firms can meet and exceed the FCA’s expectations with a properly resourced and planned approach that builds on what you have done before. Based on our work with clients in this area, we recommend building on the knowledge, experience and work already completed across your business. A lot of components of operational resilience exist in functions across the company.

Three years can pass quickly so the best time to start this work is now, and it should not simply be a tick-box exercise to satisfy the regulator. Firms will benefit in myriad ways from shoring up their operational resilience.

If you would like assistance with your operational resilience compliance, contact us today.

Article by FScom

More To Explore


Are you a member of The Payments Association?

Member benefits include free tickets, discounts to more tickets, elevated brand visibility and more. Sign in to book tickets and find out more.


Log in to access complimentary passes or discounts and access exclusive content as part of your membership. An auto-login link will be sent directly to your email.

Having trouble signing?

We use an auto-login link to ensure optimum security for your members hub. Simply enter your professional work e-mail address into the input area and you’ll receive a link to directly access your account.

First things first

Have you set up your Member account yet? If not, click here to do so.

Still not receiving your auto-login link?

Instead of using passwords, we e-mail you a link to log in to the site. This allows us to automatically verify you and apply member benefits based on your e-mail domain name.

Please click the button below which relates to the issue you’re having.

I didn't receive an e-mail

Tip: Check your spam

Sometimes our e-mails end up in spam. Make sure to check your spam folder for e-mails from The Payments Association

Tip: Check “other” tabs

Most modern e-mail clients now separate e-mails into different tabs. For example, Outlook has an “Other” tab, and Gmail has tabs for different types of e-mails, such as promotional.

Tip: Click the link within 60 minutes

For security reasons the link will expire after 60 minutes. Try submitting the login form again and wait a few seconds for the e-mail to arrive.

Tip: Only click once

The link will only work one time – once it’s been clicked, the link won’t log you in again. Instead, you’ll need to go back to the login screen and generate a new link.

Tip: Delete old login e-mails

Make sure you’re clicking the link on the most recent e-mail that’s been sent to you. We recommend deleting the e-mail once you’ve clicked the link.

Tip: Check your security policies

Some security systems will automatically click on links in e-mails to check for phishing, malware, viruses and other malicious threats. If these have been clicked, it won’t work when you try to click on the link.

Need to change your e-mail address?

For security reasons, e-mail address changes can only be complete by your Member Engagement Manager. Please contact the team directly for further help.

Still got a question?