FCA issues operational resilience reminder

  • Insight
  • 12 minute read
  • June 2024

On 28 May 2024 the FCA published its view of the financial sector's preparedness to meet its operational resilience rules (PS21/3). The update serves as a reminder of the FCA's expectations and of the steps firms should take to comply by the end of the transition period on 31 March 2025.

The publication is designed to aid firms in reviewing their approach to key areas of the policy: important business services, impact tolerance, mapping and third parties, scenario testing, vulnerabilities and remediation, response and recovery plans, governance, self-assessment, embedding operational resilience, and horizon scanning.

What does this mean?

The FCA outlined its insights and observations across nine core elements of its operational resilience rules. 

Important Business Services (IBS)

The FCA notes variability in how firms are identifying IBS. It urges firms to take a comprehensive approach to their assessments, ensuring they do not rely on one factor alone, for example, substitutability by competitors.

The FCA expects justifications for identified and excluded services to be well-documented in the firm's self-assessment.

Impact Tolerance

The FCA observes a need for firms to have clearer rationales for the setting of tolerances. It indicates that firms should consider using additional metrics - for example types of customers, values and types of transactions, criticality of transactions, estimated losses - rather than relying on time-bound tolerances alone.

The regulator also highlights the importance of firms differentiating between impact tolerances and recovery time objectives, emphasising that recovery must be achievable within the set tolerance.

Mapping and Third Parties

The FCA expects firms’ mapping of resources and processes to mature over time, and that this supports the identification of vulnerabilities.

The FCA emphasises the importance of managing third-party relationships to ensure resilience, reiterating that responsibility for meeting impact tolerance remains with the firm.

Scenario Testing

The FCA reminds firms that they must develop detailed testing plans that are continuously updated to ensure they can remain within impact tolerances under severe but plausible scenarios.

Firms’ testing is expected to have matured and developed in sophistication, evolving from judgement-based to more empirical testing. This should also include third parties in order to gain a comprehensive understanding of their resilience capabilities.

Vulnerabilities and Remediation

The FCA expects firms' mapping and scenario testing to identify vulnerabilities that could cause a breach of impact tolerances. In particular, it expects remediation of vulnerabilities identified in the early part of the transition period to have progressed significantly by now.

It adds that, as firms' mapping and scenario testing matures, firms should prioritise addressing the vulnerabilities that most significantly impact their ability to remain within impact tolerances. Firms should also conduct regular reviews to identify new vulnerabilities.

Firms’ remediation plans should be approved, fully funded, and verified through repeated scenario tests.

Response and Recovery Plans

The FCA expects firms to maintain effective response and recovery plans that set out alternative actions during disruptions so that impact tolerances are not breached.

It found limited evidence of response plan testing in self-assessments and encouraged more comprehensive testing.

Governance and Self-Assessment

The FCA notes that a firm's self-assessment should document its journey to operational resilience, including vulnerabilities found, scenarios tested, remediation plans and its overall strategy. These assessments should be reviewed and approved by the firm's governing body.

Embedding Operational Resilience

The FCA wants to see operational resilience embedded within the firm's overall risk frameworks, including change management and strategic planning. It should be a cultural way of working, not just regulatory compliance.

Horizon Scanning

The regulator expects firms to regularly refresh their understanding of risks through horizon scanning, to ensure that appropriate testing and controls for current and future operational disruptions are maintained.

What do firms need to do?

  • Identify gaps in current approaches and assess readiness.
  • Prioritise action on the key gaps that would affect the ability to remain within tolerance.
  • Integrate operational risk with operational resilience and testing strategies to enable robust horizon scanning.

Firms need to ensure they adhere to the operational resilience policy (PS21/3) and that capabilities are built in line with the FCA Handbook. Where firms identify gaps in their approaches based on the FCA's observations, they should take steps to address them as a priority.

Firms need to make sure that they have integrated operational resilience into their day-to-day operations, in line with the overall risk frameworks of the entire enterprise. This includes areas such as change management and strategic planning, with the necessary governance structures in place.

Boards and senior management of firms should thoroughly evaluate their approach to managing risks, ensuring that all remediation plans are approved, adequately funded, and subject to appropriate governance. It is important to ensure that these plans are effectively implemented and verified through repeated scenario tests, providing evidence of vulnerability resolution. 

Firms must establish a clearly defined testing strategy that enables them to assess the scenarios, and the severity of scenario, under which each IBS can continue to operate within its defined tolerance. This strategy should draw on incident and testing data from across the firm, such as penetration tests, disaster recovery testing and other component testing. Considering this data when conducting scenario testing gives a more complete understanding of the IBS's capabilities and of any vulnerabilities that need remediation.

Next steps

The operational resilience policy (PS21/3) transition period ends on 31 March 2025. Ahead of this deadline, firms must ensure that they can remain within impact tolerance in severe but plausible scenarios for every identified important business service, and have their plans approved by their boards in good time.

Contacts

James Houston

Risk and Resilience Partner, PwC United Kingdom

+44 (0)7876 207850

Andrew Strange

Director, London, PwC United Kingdom

+44 (0)7730 146626

Abha Uthaman Radhamony

Senior Manager, PwC United Kingdom

+44 (0)7483 110613
