Ensuring Compliance with FCA Operational Resilience Rules by 31 March 2025

Operational resilience is critical for firms operating in the financial services sector. The FCA’s policy statement PS21/3: Building Operational Resilience sets forth stringent requirements to safeguard firms against operational disruptions. As we approach the end of the transition period on 31 March 2025, it is imperative for firms to meticulously evaluate and enhance their operational resilience frameworks. This article provides comprehensive insights and guidelines to help firms ensure compliance with these regulatory expectations.

Key Areas for Compliance

1. Operational Resilience: Identifying Important Business Services

Definition and Review
Firms must identify their important business services and keep them under regular review. This involves understanding which services, if disrupted, could significantly impact customers or market integrity. The FCA has observed variability in how firms identify these services, with some incorrectly excluding services on the assumption that customers could simply switch to a competitor.

Best Practices
Firms should adhere strictly to the FCA Handbook, ensuring that the identification of important business services is holistic and evidence-based. It is crucial to document justifications for both the inclusion and exclusion of services, particularly following annual reviews.

2. Operational Resilience: Setting and Reviewing Impact Tolerances

Definition and Metrics
Impact tolerances represent the maximum acceptable level of disruption to an important business service. The FCA notes that firms often set these tolerances with insufficient rationale, or express them solely as time-based metrics.

Best Practices
Firms should diversify their impact metrics, considering factors such as customer types, transaction values, and estimated losses. The rationale behind these tolerances must be well-documented in self-assessments so that the board understands and approves them. Additionally, recovery objectives should be distinguished from impact tolerances, with recovery plans designed so that the set tolerances are not exceeded.

3. Operational Resilience: Mapping Resources and Third-Party Dependencies

Identification and Documentation
Mapping involves identifying all resources—people, processes, technology, facilities, and information—essential to delivering important business services. This includes relationships with third parties.

Best Practices
Firms should ensure detailed and dynamic mapping to understand dependencies fully. This mapping should reveal potential vulnerabilities and be regularly updated to reflect changes in service delivery and third-party arrangements. Active management of third-party relationships is crucial to maintaining resilience.

4. Operational Resilience: Scenario Testing

Development and Execution
Firms must create and update testing plans that assess their ability to stay within impact tolerances under severe but plausible scenarios. The adverse circumstances tested should be varied so that they reflect the firm's realistic risks and vulnerabilities.

Best Practices
Effective scenario testing should grow in sophistication over time, incorporating a range of testing methods such as penetration tests, disaster recovery tests, and simulations. Including third parties in these tests can provide insight into their resilience. Firms should incrementally increase the severity of the simulated disruption to fully evaluate their response and recovery capabilities.

5. Operational Resilience: Identifying and Remediating Vulnerabilities

Ongoing Identification and Action
Through mapping and scenario testing, firms should continuously identify vulnerabilities that may prevent them from remaining within impact tolerances.

Best Practices
Remediation plans should be promptly developed, fully funded, and governed to ensure timely delivery. Firms should conduct repeated scenario tests to verify the closure of vulnerabilities. Regular reviews are essential to prioritise and address new vulnerabilities that may emerge.

6. Operational Resilience: Developing Response and Recovery Plans

Planning and Testing
Response plans set out the tactical actions taken during a disruption, buying time for recovery plans to complete. Testing these plans is crucial to understanding how effective they are at keeping the firm within its impact tolerances.

Best Practices
Firms should test response plans thoroughly, integrating them with recovery plans to ensure comprehensive resilience strategies. Documentation of testing outcomes and continuous improvement are key to robust operational resilience.

7. Operational Resilience: Governance and Self-Assessment

Documentation and Approval
Self-assessments should capture the firm’s journey towards operational resilience, including vulnerabilities, tested scenarios, remediation plans, and resilience strategies.

Best Practices
Governance bodies must approve and regularly review self-assessments, ensuring they provide sufficient detail for informed decision-making. Self-assessments should evolve over time, reflecting ongoing developments in resilience capabilities.

8. Embedding Operational Resilience

Cultural Integration
Operational resilience should be embedded within the firm’s culture and risk frameworks, rather than treated as a compliance exercise.

Best Practices
Firms should integrate resilience into enterprise-wide risk management, strategic planning, and change management processes. This ensures resilience considerations are inherent in all operational decisions and transformations.

9. Horizon Scanning

Risk Identification and Management
Firms must engage in horizon scanning to identify new and emerging risks, ensuring their resilience strategies remain relevant and effective.

Best Practices
Regularly updating risk assessments and controls based on horizon scanning findings is crucial. This proactive approach helps firms stay ahead of potential disruptions and maintain operational resilience.

Conclusion

Achieving compliance with the FCA’s operational resilience requirements by 31 March 2025 demands meticulous planning, continuous improvement, and robust governance. By following these best practices, firms can enhance their resilience frameworks, ensuring they can withstand severe but plausible disruptions and safeguard their customers and market integrity.

Contact us if you need assistance in implementing, documenting or testing/auditing your Operational Resilience project.

Telephone: 0800 689 0190

Email: info@complianceconsultant.org
