Operational resilience feedback from UK Financial Conduct Authority

We have considered the findings and identified five points for firms to focus on over the next six months. 

Be accurate and detailed

The FCA found that the extent to which firms have appropriately or accurately identified their important business services and/or impact tolerances varies. Firms should be considering a range of factors when identifying both. For example, time-bound tolerances should not be the only metric used to assess impact tolerance. Additional metrics which could be considered include types of customers, values and types of transactions, criticality of transaction and estimated losses. 

In all cases, the FCA reminds firms of the need to record a full rationale for these decisions in their self-assessments, which may include recording the justification for not identifying a business service as important. This will enable boards to understand what has been identified and planned for, and why.

Test your plans  

It is not enough for firms to rely on their ability to recover as evidence of compliance; firms must regularly test their response plans to assess whether they can remain within impact tolerances. Specifically, the FCA expects firms to identify and then test against “severe but plausible” scenarios across an appropriate range of adverse circumstances, varying in nature, severity, and duration, and that are aligned to a firm’s risks and vulnerabilities.

In other words, plans need cover multiple scenarios, including those regarded as remote, to understand the severity at which the firm is unable to remain within impact tolerance, the impact of the disruption at that point and any vulnerability that needs to be remediated. As a minimum, firms should consider the scenarios set-out in the Senior Management, Systems and Controls chapter of the FCA Handbook. The consequences of inadequate testing and a failure properly to consider severe but plausible scenarios have been highlighted in a number of recent FCA and PRA enforcements relating to operational resilience. 

The FCA expects firms to mature the format and type of testing used to understand their resilience. It is not sufficient to rely on desk-based scenario testing, firms also need to consider other methods such as: penetration tests, disaster recovery/failover tests, simulations and lessons learned from real scenarios. The FCA encourages firms to engage third parties to help them understand their resilience. 

An ongoing review

This is not a “once and done exercise”, the FCA expects firms to keep everything under review and for their assessments to mature over time: identification of important business services and impact tolerances, testing of plans, plausible scenarios, self-assessments and identification of vulnerabilities. The information firms draw from each review should be worked back into plans and policies, to ensure they mature and adapt with the business. 

This also applies to the preparation already undertaken during the transition period. The FCA expects firms to have significantly progressed remediation activities for vulnerabilities identified in the early part of the transition period. Any identified vulnerabilities left unaddressed run the risk of a finding of non-compliance post 31 March 2025.

Mapping third parties

Outsourcing arrangements and third party dependencies are high on the regulatory enforcement radar at the moment. In the context of the operational resilience rules and guidance, the FCA wants firms to identify and document the people, processes, technology, facilities, and information necessary to deliver firms’ important business services. In particular, firms need to be identifying and mapping relationships with third parties and other vulnerabilities which could impact the firm’s ability to remain within impact tolerances.

Board-level review

Under the new rules, firms must make, and keep up to date, a written record of their assessments of their compliance with the rules. These assessments must meet the minimum requirements set out in the FCA Handbook and the firm’s governing body is required to approve and regularly review these self-assessment. Strong self-assessment documents will include: an overview of vulnerabilities found, scenarios tested (with the outcome of those tests), remediation plans, and the firm's strategy to ensure it can remain within its impact tolerances. If any concerns are raised over a firm’s ability to remain within impact tolerances, these concerns should be clearly documented in the self-assessment with detailed information on the work needed to remediate the issue.

Ultimately, the FCA’s message is clear – compliance with the new operational resilience rules requires significant, ongoing focus by firms and their senior management; it is a living, evolving process, not a one-off, tick-box exercise. Operational resilience must be embedded into a firm’s overall culture and governance and become part of business as usual. The FCA is laying a clear trail of its expectations and, in doing so, is laying the ground for potential future enforcement action against firms and senior managers who fail to heed these warnings and do not take action to ensure that their approach to complying with the new rules is robust and defensible in light of the FCA’s expectations.