Operational resilience: How are firms doing in meeting the March 2025 deadline?

The FCA/PRA deadline for firms to ensure their operational resilience frameworks are aligned with regulatory requirements is fast approaching; in particular, firms must demonstrate that their Important Business Services (IBS) can operate within the defined Impact Tolerances.

The FCA has been reviewing firms’ readiness and recently published its findings. This article summarises the FCA’s key findings and what firms should be doing to resolve any deficiencies in their operational resilience frameworks.

Good practices

Integrating operational resilience processes and requirements into firms’ risk management

The FCA highlighted that the most effective operational resilience frameworks are those that are embedded within the firms’ enterprise-wide risk frameworks and change management and strategic planning processes.

Operational resilience is a complex and multi-faceted challenge for firms to prepare for and respond to. This is because potential causes of operational failure can enter a firm from several directions and their impacts can permeate numerous aspects of firms’ operations. Consequently, firms must make sure that their operational resilience culture encourages strong and effective coordination across multiple teams and divisions (including risk management functions) to identify, plan for, document and test a firm’s capacity to withstand operational shocks.

Important Business Services

A key feature of the UK operational resilience requirements is that firms identify their IBS and are able to operate these within their defined Impact Tolerances. IBSs are services that, if disrupted, could cause intolerable harm to consumers, threaten the viability of the firm or other firms, or cause instability in the financial system.

IBSs will vary across firms and sectors and will change as firms’ services and business lines evolve. What’s important is that firms are cognisant of the regulatory definitions when determining their IBS and that they document clear and comprehensive rationales for what is, and isn’t, included in their list of IBSs.

Firms may consider the substitutability of IBS as part of their inclusion/exclusion decision. However, this shouldn’t detract from a firm’s responsibilities to ensure continuity of service to its customer base that is reliant on those services.

Impact Tolerances

Impact Tolerances refer to “the maximum tolerable level of disruption to an IBS, as measured by a length of time and any other relevant metrics”. As such, many firms have implemented time-bound tolerances.

In a similar vein to determining the list of IBS, firms need clear rationales for how Impact Tolerance metrics are derived and set. Firms should also consider using additional metrics to complement the time-bound tolerances, such as customer type, value, transaction type and estimated losses.

We have seen firms lean on their Business Continuity and Disaster Recovery frameworks to set Impact Tolerances in alignment with Recovery Time Objectives (RTO). This approach does have merit, but the key difference is that a recovery time objective is the time taken to recover the service after a disruption, whereas returning the service to its normal level of delivery may take longer once it is back up and running. As such, firms need to consider the buffer time between reaching the RTO and the IBS resuming at normal operational efficiency.

Mapping and Third-Parties

Mapping IBS allows firms to capture the people, processes, technology, facilities and information necessary to deliver each IBS. Having undertaken an effective mapping exercise, firms will be able to identify the key dependencies and potential vulnerabilities of each IBS, as well as the interdependencies and critical points of failure that may be shared across multiple IBS.

Firms must implement controls to address vulnerabilities and key dependencies. For example, we have seen numerous instances where key person or key system dependencies have been identified. Firms can implement controls and mitigants such as succession planning, training and upskilling to alleviate key person risk. Firms can also consider the use of alternative systems or manual workarounds, where plausible, to help alleviate the risks arising from key system dependencies.

Where the delivery of an IBS involves a third-party service provider, the responsibility to remain within impact tolerance sits with the firm. It’s imperative that third parties are actively involved when developing the operational resilience framework to ensure third-party services are included in IBS mapping. It’s equally important that the firm’s Impact Tolerances are understood by third parties and incorporated into service delivery, and the robustness of the third parties’ service delivery capabilities has been appropriately assessed as part of scenario testing.

Firms should have documented their assessment and provided their boards with assurance of third-party capabilities and how this has been factored into the firms’ Impact Tolerances.

Scenario Testing

Testing of severe, yet plausible scenarios must be regularly conducted by firms. This should be used to benchmark firms’ resilience measures to ensure all resources relevant to the delivery of IBS can be maintained within the set Impact Tolerances in the event of a disruption.

The most effective testing plans are informed by realistic scenarios and learnings from previous testing. Firms should have reference sources, such as those listed below, to inform their scenario testing approach:

  • Internal risk registers
  • Real incidents that have occurred at the firm or across the sector
  • The Internal Capital Adequacy Assessment Process (ICAAP)
  • National Risk Register (UK Government)
  • Business Continuity Institute (annual horizon scan)
  • ORX incident database
  • Cyber Security Information Sharing Partnership
  • Global Risk Report from World Economic Forum
  • National Cyber Security Centre

Remediating vulnerabilities

The vulnerabilities identified in the early stages of mapping and scenario testing, which may have caused firms to breach their Impact Tolerances, should already have been remediated. Firms should be able to evidence how identified vulnerabilities have informed the necessary investment decisions and plans that enable them to operate consistently within their Impact Tolerances. Firms should be actively seeking to identify further vulnerabilities through regular review of mapping and ongoing scenario testing. Vulnerabilities should be appropriately documented and addressed by firms, with a lessons learnt exercise undertaken under appropriate governance.

Response and Recovery Plans

Testing recovery plans is critical to determine whether firms can remain within their Impact Tolerances in the event of a disruption. Firms should therefore have adequately developed and tested both recovery and response plans. Response plans set out the alternative actions a firm can take during a disruptive event to support the execution of its recovery plans; together, they help the firm avoid breaching its Impact Tolerances.

Self-assessment

Self-assessments, a written record of the firm’s assessment of its compliance with the operational resilience requirements, should provide comprehensive detail on the firm’s journey to becoming operationally resilient. There should be clear rationale and documented methodologies incorporated into the self-assessment to ensure the board can gain an understanding of how the firm has reached its current position on resilience and how this aligns with regulatory expectations. This should include an overview of vulnerabilities found, scenarios tested and their outcomes, remediation plans, and the firm’s strategy to remain within the Impact Tolerances for each IBS, including an ongoing testing plan.

What should firms be doing next?

Firms should be using the time before the March 2025 deadline to ensure that each element of their operational resilience framework has been considered appropriately, is sufficiently detailed within the self-assessment, and remains in alignment with the expectations of the Board and the regulators.

Get in touch

Forvis Mazars has assisted a wide variety of firms in developing, enhancing and providing assurance of their operational resilience frameworks. We combine our regulatory, risk management and technology expertise to provide a comprehensive solution to our clients.

If you have any questions or simply want to discuss this topic in more detail then please contact us.