Ensuring compliance with FCA Operational Resilience rules by 31 March 2025


INSIGHT
Published Jun 6th '24
Operational Resilience is critical for firms operating in the financial services sector. The FCA's Policy Statement PS21/3, Building operational resilience, sets out stringent requirements to protect firms, their customers and the wider market against operational disruption. With the end of the transition period on 31 March 2025 approaching, firms need to evaluate and strengthen their Operational Resilience frameworks now.

This article sets out the key areas the FCA expects firms to have addressed by that date, with practical guidance on each.

 

Key areas for compliance

 

1. Identifying important business services

Definition and review
Firms must identify their important business services and keep them under regular review. An important business service is one whose disruption could cause significant harm to customers or threaten market integrity, so the analysis should start from the harm a disruption would cause, not from the firm's internal view of which systems matter. The FCA has observed considerable variation in how firms do this, including some wrongly excluding services on the assumption that customers could simply switch to a competitor; the FCA regards substitutability as an incorrect basis for exclusion.

Best practices
Apply the definition in the FCA Handbook strictly, and make the identification holistic and evidence-based. Document the justification both for the services included and for those excluded, and revisit those justifications at each annual review so the record shows why the list changed or stayed the same.

2. Setting and reviewing impact tolerances

Definition and metrics
An impact tolerance is the maximum tolerable level of disruption to an important business service, the point beyond which harm to customers or the market becomes intolerable. The FCA notes that firms often set these tolerances with insufficient rationale, or express them using only a time-based metric.

Best practices
Use more than one metric for each tolerance: alongside duration, consider the number and type of customers affected, the value of transactions delayed or lost, and the estimated financial loss. Document the rationale in the self-assessment in enough detail for the board to understand and approve it. Recovery time objectives are internal targets and must be distinguished from impact tolerances; recovery plans should be designed so that the tolerance is never reached, not merely so that the recovery objective is met.

 

3. Mapping resources and third-party dependencies

Identification and documentation
Mapping means identifying every resource needed to deliver each important business service (people, processes, technology, facilities and information), including those supplied by third parties, and the dependencies between them.

Best practices
Mapping should be detailed enough to show how a failure in one resource propagates to the services that depend on it, and it should be kept current as service delivery, technology and third-party arrangements change. Used this way the map reveals vulnerabilities, such as single points of failure and concentration on one supplier, rather than simply cataloguing assets. Third-party relationships should be actively managed, with each supplier's own resilience and recovery commitments understood and reflected in the map.

 

4. Scenario testing

Development and execution
Firms must develop, and keep updating, a testing plan that checks whether each important business service can stay within its impact tolerance under severe but plausible scenarios. Scenarios should vary the adverse circumstances so that they reflect the firm's actual risks and the vulnerabilities its mapping has revealed.

Best practices
Scenario testing should grow in sophistication over time, drawing on a range of methods such as penetration tests, disaster recovery tests and simulations. Involving third parties in tests gives evidence of their resilience rather than assurance on paper. Firms should increase the severity of the disruption incrementally so that they learn the point at which response and recovery capabilities no longer keep the service within tolerance, not only that a mild scenario passes.
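The mapping in section 3 and the scenario testing in section 4 can be modelled together as a dependency graph that is queried with a hypothetical outage. The Python below is an added illustration written for this article, not code from the original page or from LS Consultancy. Every service name, resource, customer count, tolerance and recovery time in it is constructed, and it assumes that a service is fully unavailable while any resource it transitively depends on is down (no substitute channel); a real firm's map would be far larger and sourced from its asset, contract and process inventories.

```python
"""Dependency mapping and scenario testing for important business services (IBS).

Added illustrative model, not code from the original article or from LS
Consultancy. All service names, resources, tolerances and recovery times are
constructed for the example.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ImpactTolerance:
    """Two metrics, so the tolerance is not purely time-based (a point the FCA raises)."""
    max_outage_hours: float
    max_customers_affected: int


@dataclass
class Service:
    name: str
    tolerance: ImpactTolerance
    customers: int                              # customers relying on the service
    depends_on: list = field(default_factory=list)


# Constructed resource map: resource -> resources it directly needs. Mixed types
# on purpose: technology, third parties, a facility and people all appear.
RESOURCES = {
    "mobile-app": ["payments-api", "auth-service"],
    "payments-api": ["core-banking-db", "cloud-hosting"],
    "auth-service": ["cloud-hosting", "sms-otp-provider"],   # third party
    "core-banking-db": ["primary-datacentre"],               # facility
    "cloud-hosting": [],                                     # third party
    "sms-otp-provider": [],
    "primary-datacentre": [],
    "branch-network": ["branch-staff"],                      # people
    "branch-staff": [],
}

# Constructed services: (name, tolerance, customers, direct dependencies).
SERVICES = [
    Service("Make a payment", ImpactTolerance(4.0, 100_000), 120_000, ["mobile-app"]),
    Service("Check balance", ImpactTolerance(24.0, 200_000), 150_000, ["mobile-app"]),
    Service("Open an account", ImpactTolerance(72.0, 5_000), 2_000, ["branch-network"]),
]


def transitive_dependencies(roots, graph):
    """Everything a service really depends on: breadth-first walk of the map."""
    seen, queue = set(), deque(roots)
    while queue:
        node = queue.popleft()
        if node in seen:
            continue
        seen.add(node)
        queue.extend(graph.get(node, []))
    return seen


def concentration_risks(services, graph, threshold=2):
    """Resources shared by at least `threshold` services: single points of
    failure that the mapping should surface as vulnerabilities."""
    counts = {}
    for svc in services:
        for dep in transitive_dependencies(svc.depends_on, graph):
            counts[dep] = counts.get(dep, 0) + 1
    return {r: n for r, n in counts.items() if n >= threshold}


def run_scenario(services, graph, outage):
    """Test one severe-but-plausible scenario.

    `outage` maps failed resource -> hours until it is restored. A service is
    assumed fully down while any transitive dependency is down, so it is
    unavailable for as long as the slowest failed resource and all of its
    customers are affected. Breach = either tolerance metric exceeded.
    """
    results = {}
    for svc in services:
        deps = transitive_dependencies(svc.depends_on, graph)
        hit = {r: h for r, h in outage.items() if r in deps}
        down = max(hit.values(), default=0.0)
        affected = svc.customers if hit else 0
        breach = (down > svc.tolerance.max_outage_hours
                  or affected > svc.tolerance.max_customers_affected)
        results[svc.name] = {"down_hours": down, "customers_affected": affected,
                             "breach": breach, "caused_by": sorted(hit)}
    return results


def hours_to_breach(services, graph, resource, step=1.0, limit=96.0):
    """Escalate one resource's outage in `step`-hour increments and report, per
    service, the first duration at which its tolerance is breached (None if it
    never breaches within `limit`). This is the incremental-severity exercise."""
    first = {svc.name: None for svc in services}
    hours = step
    while hours <= limit:
        for name, r in run_scenario(services, graph, {resource: hours}).items():
            if r["breach"] and first[name] is None:
                first[name] = hours
        hours += step
    return first


if __name__ == "__main__":
    print("Concentration risks:", concentration_risks(SERVICES, RESOURCES))
    scenario = {"cloud-hosting": 6.0, "sms-otp-provider": 2.0}   # constructed scenario
    for name, r in run_scenario(SERVICES, RESOURCES, scenario).items():
        print(f"{name}: {r}")
    print("Hours to breach if primary-datacentre is lost:",
          hours_to_breach(SERVICES, RESOURCES, "primary-datacentre"))
```

Two things the model shows that a written list of assets does not: the concentration report flags cloud-hosting and the other shared resources as dependencies of two services at once, and the escalation run shows "Make a payment" breaching in the first hour of a datacentre loss because its customer-count metric is exceeded by any full outage, long before its four-hour time metric is reached. That is exactly the kind of finding a purely time-based tolerance would hide.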

 

5. Identifying and remediating vulnerabilities

Ongoing identification and action
Mapping and scenario testing exist to surface vulnerabilities: the resources, dependencies or gaps in capability that could stop a firm remaining within its impact tolerances. Identifying them is a continuous activity, not a one-off exercise.

Best practices
Each vulnerability needs a remediation plan that is developed promptly, funded, owned and governed so that it is actually delivered. Closure should be verified by re-running the scenario test that exposed the vulnerability, not assumed from a project status report. Regular reviews are needed to prioritise the backlog and to pick up new vulnerabilities as services, technology and suppliers change.

 

6. Developing response and recovery plans

Planning and testing
Response plans set out the tactical actions taken during a disruption, such as communicating with customers and invoking workarounds; they buy time while recovery plans restore the service. Both must be tested to find out whether they keep the service within its impact tolerance.

Best practices
Test response plans thoroughly and integrate them with recovery plans so that the firm has a single, coherent resilience strategy for each important business service. Record the outcome of every test and use it to drive improvement; an untested or undocumented plan gives no assurance.

 

7. Governance and self-assessment

Documentation and approval
The self-assessment should record the firm's journey towards Operational Resilience: the important business services and their tolerances, the vulnerabilities found, the scenarios tested and their results, remediation plans, and the resilience strategy that follows from them.

Best practices
The board or equivalent governing body must approve the self-assessment and review it regularly, and it must contain enough detail to support informed decisions rather than serving as a summary for sign-off. It should evolve over time to reflect improvements in resilience capability and changes in the risks the firm faces.

 

8. Embedding Operational Resilience

Cultural integration
Operational Resilience should be embedded in the firm's culture and risk frameworks rather than treated as a compliance exercise to be completed by a deadline.

Best practices
Integrate resilience into enterprise-wide risk management, strategic planning and change management, so that the effect on important business services is considered whenever a system, process or supplier is introduced or changed, and not only at the annual review.

 

9. Horizon scanning

Risk identification and management
Firms must scan the horizon for new and emerging risks, such as changes in the threat landscape, technology or supplier markets, so that their resilience strategies remain relevant and effective.

Best practices
Update risk assessments, scenarios and controls in light of horizon-scanning findings. This keeps the scenario library current and helps the firm anticipate disruptions rather than react to them.

 

Conclusion

Achieving compliance with the FCA's Operational Resilience requirements by 31 March 2025 demands careful planning, continuous improvement and robust governance. By following these practices, firms can strengthen their resilience frameworks so that they can withstand severe but plausible disruptions and protect their customers and market integrity.

 

Contact us if you need assistance in implementing, documenting or testing/auditing your Operational Resilience project.

 

Call us on +44 (0) 20 8087 2377 or email us.

If you want the right advice, quickly, clearly and transparently, free from the confines of an antiquated compliance support service, then contact us.

About us

LS Consultancy are experts in Marketing and Compliance, and work with a range of firms to mitigate risk.

 


We are Affiliate Members of the Consumer Duty Alliance.