FCA operational resilience guidance: Are you ready for 2025?

With less than 10 months until firms need to fully comply with the FCA’s operational resilience rules, the clock is ticking. The FCA recently released new insights based on their observations[1]. So where are firms at, and where might they need to take action?

In this blog we cover the FCA’s key observations and then review how you can best address them:

  • Important Business Services
  • Impact tolerances
  • Mapping and third parties
  • Scenario testing
  • Vulnerabilities
  • Response and recovery plans
  • Governance and self-assessment
  • Embedding operational resilience
  • Horizon scanning

If you’d like to know more about how Protecht ERM can help your organisation with operational resilience, watch our operational resilience demonstration webinar now:

Important Business Services

Firms should have identified their IBS back in 2022; however, the FCA notes variation in the sector. They particularly point out firms excluding some of their services from categorisation as important business services on the basis that competitors can fill the gap. While unsaid, this may assume resilience or availability across the sector, and may ignore concentration of fourth or nth party providers that might contribute to disruption.

Impact tolerances

The biggest callout is that there appears to be limited documented rationale for the impact tolerances that have been set. This may indicate that boards are not being provided with sufficient information to approve those impact tolerances.

It also appears that many firms have stuck to the mandatory requirement for time-bound impact tolerances without branching out into other metrics. The article doesn’t explicitly say these are expected, but the inclusion of the observation suggests you might want to explain why you don’t have any.

Mapping and third parties

The FCA expect maturity over time when mapping resources and processes that support your important business services. While it should go without saying, firms are responsible for remaining within their impact tolerances, regardless of whether the important business service is performed by or supported by a third party.

Mapping should not be a standalone activity that simply links resources to processes; it must also support the identification of vulnerabilities.

Scenario testing

The FCA expect scenario testing to have matured throughout the transition period. This includes an expectation to shift from desk-based scenarios to a broader range of tests, including simulations, penetration tests and testing of disaster recovery capability.

Scenario testing also needs to consider third parties as part of the process. Ideally this includes involving them directly. The FCA note that the results of third parties’ own independent testing may be sufficient, but they must provide you with reasonable assurance.

Vulnerabilities

Remediation should be underway or at least funded for vulnerabilities already identified. There should be sufficient evidence that any remediation has actually resolved the vulnerability, with appropriate governance in place to monitor successful remediation throughout the lifecycle.

Identification of vulnerabilities should be integrated into your mapping and scenario testing.

Response and recovery plans

The FCA distinguish between response (managing through the disruption) and recovery (returning to business as usual). The FCA noted there was limited evidence that response plans had been tested, even though an effective response can buy time before full recovery, or reduce impact.

Governance and self-assessment

While the FCA aren’t overt that any observation is of particular concern, they do reiterate many of the core requirements of a self-assessment. Better practice includes self-assessment documents that set out clearly for the governing body both the operational resilience roadmap and the current status. Any vulnerabilities or concerns about meeting impact tolerances, and details of the remediation required, should be clearly documented in the self-assessment.

Embedding operational resilience

The FCA promote embedding operational resilience into enterprise risk frameworks. This includes ensuring operational resilience is considered during risk-in-change assessments.

Horizon scanning

Your library of severe but plausible scenarios needs to remain fresh. Horizon scanning for evolving risks or imminent threats (which may be part of your ERM capability) should influence the currency of that library and ensure testing remains appropriate.

Conclusions and next steps for your organisation

Based on these observations, here are some key actions to take:

  • Take stock of where you are against the FCA’s observations, alongside any direct communication regarding your self-assessment
  • Ensure your list of important business services is complete. For services not classified as important, document the rationale for why they do not meet the definition.
  • Document the rationale for impact tolerance levels. If you had to justify them to a new executive or board member, is there sufficient information to support them?
  • Support time-bound impact tolerance with additional metrics with defined thresholds
  • If not already in place, define process mapping standards, which may include a roadmap for further integration of vulnerability mapping
  • Review scenario testing schedules and sophistication. More thorough testing may require more resources – start planning ahead to ensure you can meet these expectations.
  • Ensure the identification of vulnerabilities is integrated into other activities, including scenarios, enterprise risk, and process mapping.
  • Ensure response plans are tested as well as recovery plans, or develop them if they do not currently exist
  • Review governance arrangements. Evaluate whether the board believe they are receiving sufficient information about the state of the operational resilience program to discharge their responsibilities

Protecht has been at the forefront of operational resilience, with an operational resilience capability based on the FCA’s requirements integrated into Protecht ERM. Key features include:

  • An integrated process mapping tool, enabling you to link your processes directly to resources and assess vulnerabilities
  • Scenarios linked directly to the resources likely to be affected; as your operating model changes, the potential effect on your important business services is updated in real time
  • Testing that can assess whether recovery objectives effectively support impact tolerances
  • Testing of business continuity plans and recovery activity
  • Complete documentation to support classification of important business services and their impact tolerances, including complete audit trails to enable effective governance of information across your operational resilience program
  • A single source of truth that integrates ERM and operational resilience, streamlining the self-assessment process

To find out more about Protecht ERM’s operational resilience capabilities, watch our operational resilience demonstration webinar on demand:

References

[1] FCA, “Operational resilience: insights and observations”, May 2024, https://www.fca.org.uk/firms/operational-resilience/insights-observations

About the author

Michael is passionate about the field of risk management and related disciplines, with a focus on helping organisations succeed using a ‘decisions eyes wide open’ approach. His experience includes managing risk functions, assurance programs, policy management, corporate insurance, and compliance. He is a Certified Practicing Risk Manager whose curiosity drives his approach to challenge the status quo and look for innovative solutions.