Resilient businesses thrive - are you ready? Operational Resilience deadline approaching.
As we head toward the operational resilience deadline of 31 March 2025 in the UK, regulated firms across the financial sector are feeling the pressure to ensure they’re fully prepared. The FCA, alongside the Bank of England’s PRA, has set out clear expectations for firms to handle operational disruptions and protect both customers and markets. Operational resilience is more than just regulatory compliance; it’s about building a framework that manages, adapts to, and recovers from disruptions. Resilient businesses thrive.
Earlier this year, the FCA published a number of practical insights and observations on in-scope firms' progress ahead of the final deadline. The FCA expects firms to have reviewed these resources as part of their preparedness for the final deadline. Link to their insights here. Below, we explore key themes that can help firms align their operational resilience efforts with the FCA’s expectations.
Identifying and reviewing Important Business Services (“IBS”)
Identifying important business services is step one for any resilience strategy. The FCA expects firms to focus on the services that might cause intolerable harm to their customers and markets if disrupted, and it has laid out some pointers in its Handbook. Somewhat ironically, 13 criteria are set out in section SYSC 15A 2.4 G. Determining these IBS is not a one-size-fits-all process. Instead, it’s about firms assessing what’s uniquely important to their business model and customer base.
Once you’ve distilled your IBS from all your business services, it’s essential to keep them under review, refining your assessment to reflect any changes in your firm’s offerings or the broader market landscape. Documentation is key, as is regularly revisiting your list of IBS. The FCA emphasises that this isn’t a static exercise; firms should continuously ensure their IBS are clearly mapped and understood at all levels, especially by senior management.
Setting and justifying Impact Tolerances
An effective resilience framework goes beyond simply identifying important business services; it requires setting realistic impact tolerances: clear thresholds that indicate how much disruption a firm can endure before intolerable harm takes place. The FCA has observed that time-based tolerances alone are often insufficient. Firms should include a range of metrics that reflect actual service demands, such as transaction volume or peak usage periods. We recommend setting impact tolerances that encompass not only system and technology downtimes but also the people and processes essential for recovery in the event of a disruption. Remember, “service” downtime is different from “system” downtime. The system can be up while the service is still down, because people are clearing backlogs.
Establishing these tolerances means calculating what “intolerable harm” looks like in practice. It’s an exercise that encourages firms to think about worst-case scenarios while justifying their tolerance levels with clear reasoning. The FCA expects these tolerances to be more than arbitrary figures; they should be grounded in data, past disruptions, and some foresight, giving senior management the context to understand and support the impact tolerances that have been proposed.
Resource mapping and strengthening third-party risk management
Operational resilience isn’t achieved in isolation. Today’s interconnected financial sector means that third-party vendors, and even market infrastructure, are integral to delivering many IBS. Mapping these dependencies is crucial; firms need to understand exactly what resources (people, processes, technology, and vendors) are involved in each IBS. This mapping exercise should evolve alongside scenario testing, identifying vulnerabilities within the organisation and across its third-party network.
The FCA has stressed that while firms may rely on third parties, responsibility for resilience cannot be outsourced. If a third-party failure threatens a firm’s impact tolerance, the onus falls on the firm. Active management and regular assessment of third-party resilience are essential, as is building response plans for when they encounter disruptions. Effective resilience depends on understanding where the weak points lie, and third-party management is a large part of this equation.
Scenario testing and planning for real-world disruptions
At the heart of building an operationally resilient business is knowing how a firm will handle the unexpected. The FCA wants to see firms moving from theoretical exercises to practical scenario testing. This testing must incorporate severe yet plausible scenarios, from IT outages to supply chain disruptions, as well as more targeted risks like cyber threats. By expanding desk-based exercises, firms can gather the empirical data needed to understand how long it would actually take to respond and recover.
Scenario testing should evolve with the firm, gradually increasing in sophistication as the business grows. Starting simple and adding complexity over time allows firms to test response plans in real-world conditions, seeing where vulnerabilities emerge when resources are stretched. We’ve seen firms considering “impact tolerances” as their recovery time objective; instead, impact tolerances must be clearly linked to the point at which intolerable harm starts and lasts. Recovery time objectives are unlikely to be the same as impact tolerances; in fact, they will be lower.
Cultivating a resilience-first culture
Operational resilience cannot be a box-ticking exercise; it is an ongoing journey. Firms are expected to embed operational resilience into their culture, ensuring that it shapes decision-making from the top down. This means involving senior management in both setting and revisiting resilience goals, encouraging a proactive rather than reactive approach. The FCA and PRA want to see firms that consider resilience not just during disruptions but as part of daily operations, influencing risk assessments, change management, and strategic planning.
A thriving business will deliver resilient services to customers, set tolerances, map the dependencies and engage in continuous resilience testing.
Supporting firms in implementing toolkits for operational resilience: Shapes First's partnership with Business Optix
To accelerate the implementation times of the operational resilience requirements, Shapes First partnered with Business Optix in 2021 to create a toolkit that can simplify the maintenance of a firm's operational resilience framework. This toolkit, combined with the Shapes First operational resilience methodology, supports firms through each stage of their operational resilience journey, especially with respect to resource mapping, third-party risk management and as a tool to support the identification of vulnerabilities. With a structured, user-friendly approach, this toolkit allows firms to follow FCA guidelines while tailoring operational resilience programs to meet their specific needs. By leveraging this product, firms can build their regulatory compliance and also their operational resilience and be ready for any future challenges.
In the lead-up to the March 2025 deadline, firms should focus on embedding operational resilience into every aspect of their operations. Our approach not only aligns with the FCA’s expectations but also positions firms to navigate a landscape of constant change and complexity, benefitting their competitive advantage.
For more information on how to strengthen your operational resilience framework or leverage our partnership with Business Optix, get in touch. We can help your business thrive.