
Operational Resilience - Are you Ready?

The operational resilience rules that came into force on 31 March 2022 have a long history. The first consultation took place in December 2019: at the beginning of many solo-regulated firms’ SM&CR journeys, pre-Consumer Duty and before the pandemic, it was a different world. But there have been plenty of recent incidents that show just how important preparing for technology crises is.


In summer 2024, the CrowdStrike incident – resulting from a defect that caused systems to crash – impacted regulated firms that use the service for device protection and threat intelligence. Customers faced challenges accessing online banking, which led to transaction delays and other operational challenges including increased footfall in physical banks.


Reliance on third-party vendors for critical services has concerned the FCA for some time, but the pandemic showed just how interconnected much of the industry has become, particularly where the vendors were located in a different country and their lockdown rules led to a lack of continuity of service for UK customers.


The main requirements now form part of SYSC (the changes are set out clearly in PS21/3). To comply with the FCA’s operational resilience requirements, in-scope firms needed to identify their important business services (those which could cause intolerable harm if disrupted), conduct an assessment of important business services at least every year or whenever there is a ‘relevant’ change to their business or market, set impact tolerances for each important business service, and then be able to show – within three years – that they can remain within their impact tolerances. 31 March 2025 marks this date.


Importantly, regulated firms must note that it is their responsibility to remain within impact tolerances, and not the third-party vendor’s. The regulatory consequences remain with the regulated firm. This will mean managing relationships with these third parties, so that there’s a level of confidence in their operational resilience, including regular testing and auditing of their approaches.


At this point, firms need to ensure that, besides identifying their important business services (IBS), setting impact tolerances, and completing mapping and scenario testing, they have also updated and implemented their policies and procedures.


Since the initial consultation, there have been concerns in several sectors around how to define important business services, how to justify a tolerance and how to capture assessment of mapping of resources and third parties.


In May 2024, to support firms in completing their preparations for the transition, the FCA published a set of ‘insights and observations’ that aimed to answer some of these questions, but essentially, justifications and rationales will depend on a number of factors and the type, size and nature of the business.


In the run-up to 31 March, firms also need to note that a further Consultation Paper, on proposals for firms to report incidents and their material third party arrangements, proposes that firms will need to report incidents that breach defined thresholds, even where these do not breach firms’ individual impact tolerances.


Preparing to meet the FCA’s requirements for operational resilience is a complex challenge. Using expert-created FCA operational resilience templates can – even at this late stage – support firms to meet this deadline.


Our operational resilience templates, free roadmap and detailed guidance documents can help your firm to understand the requirements.  


 
 
 
