Briefing

FCA publishes insights and observations on operational resilience a year on

The Financial Conduct Authority (FCA) recently published its insights and observations on how firms have responded to the operational resilience rules one year on from the end of the transition period. The rules were introduced on 31 March 2022 but with a three-year transition period, during which firms were required to complete mapping and testing to demonstrate that they could remain within impact tolerances for each important business service, and make necessary investments.

This article summarises the FCA’s findings and highlights some of the examples of good and poor practice across six key areas of operational resilience. 

The FCA has highlighted the importance of the rules following incidents such as cloud service provider outages and high profile cyber attacks in 2025, and emphasised that operational resilience is not static: firms need to react to events in a changing world, and embed operational resilience holistically across their business‑as‑usual operations.

Background

The six key areas that the FCA looked at, and a summary of the FCA’s findings, are as follows:

1. Important business services and impact tolerances

The examples of good practice which the FCA observed included:

  • Clear and strong methodologies, supported by a clear rationale, for defining important business services and setting impact tolerances. In particular, the FCA praised the use of assumptions and harm thresholds, alongside a combination of quantitative non-time-based metrics and time-based measures.
  • Documented review cycles under which firms reassess their important business services and impact tolerances annually or following material changes to the business.
  • The use of scenario testing and real-world incidents to inform impact tolerance calibration.

The FCA identified that improvement was needed on establishing distinct impact tolerances for consumer harm and market integrity.

2. Mapping resources

The FCA emphasises the importance of presenting mapping clearly and in sufficient detail within the self‑assessment to enable boards to understand and challenge the firm’s approach.

The examples of good practice observed by the FCA included:

  • Self‑assessments that clearly explain the methodologies used for mapping, including the use of multiple data sources to enhance accuracy.
  • Adequate assessment of third‑party dependencies.
  • Use of mapping outputs to identify vulnerabilities and inform resilience testing.
  • Clear ownership and accountability for mapping data to reduce the risk of outdated information.
  • Assessment of staff concentration in single locations.

The FCA was not impressed with mapping that focuses on technology to the exclusion of other relevant factors. The FCA reminded firms to consider facilities, people, processes, information, and third‑party resilience.

3. Scenario testing

The examples of good practice identified by the FCA included:

  • Expanding the range of scenarios tested year‑on‑year, to prepare for emerging risks.
  • Testing scenarios which would breach impact tolerances and documenting longer-term plans to remediate vulnerabilities and enhance resilience.  
  • Testing plans that document methodologies, assumptions, rationales for scenario selection, recovery times and workarounds, enabling boards to assess the firm’s true resilience.
  • Self-assessments which evaluate confidence in testing output.

The FCA also identified that some firms are asserting that all scenarios could be recovered from, without evidence of testing sufficiently severe scenarios – the FCA expects this to be rectified.

4. Vulnerability management

The FCA observed the following examples of good practice:

  • Self‑assessments that acknowledge vulnerabilities and clearly explain the remediation actions underway.
  • Clear explanations of the mapping processes used to identify vulnerabilities and the important business services they affect.
  • Effective tracking and closure of remediation actions, supported by ongoing monitoring, testing and mapping.
  • Clear accountability, ownership and governance frameworks for remediation.

The FCA also noted the following areas for improvement:

  • Self‑assessments lacking details on the end‑to‑end process for vulnerability identification and remediation.
  • Firms reporting few or no vulnerabilities, despite limited evidence of effective mapping, testing and vulnerability management.

5. Communication strategy and plans

The FCA observed some examples of good practice including:

  • A strong focus on how communications can reduce harm during incidents.
  • Ongoing testing and refinement of communication strategies.
  • Communication strategies that address both internal and external audiences, with clear roles, responsibilities and triage processes.
  • Incorporating lessons learned from post‑incident reviews to assess the effectiveness of communication strategies.

The FCA also noted the following areas for improvement:

  • Insufficient evidence of testing communication strategies or planning for the loss of key communication channels.
  • Failure to consider alternative communication methods where usual strategies are unavailable.

6. Governance

Examples of good practice identified by the FCA included:

  • Clear and well‑structured governance frameworks, with defined reporting lines, supported by board‑level oversight and senior management accountability.
  • Operational resilience embedded into business‑as‑usual processes.
  • Effective challenge by governance committees and boards.

The FCA also noted the following areas for improvement:

  • Unclear board engagement, approval processes and document audit trails.
  • Insufficient documentation of remediation actions and objectives.
  • Boards demonstrating limited understanding of, or commitment to, operational resilience.
  • Limited evidence of effective challenge or input from second and third lines of defence in self‑assessments.

Tom Gibbons, Trainee Solicitor, assisted with the preparation of this briefing.

Published
16 April 2026