Operational resilience - demonstrating compliance
25 Mar 2025 • Business Services • Financial Services • ICARA and wind-down processes • Preparation of Disclosures • Prudential Reporting and Advisory • Regulatory Reporting • Thresholds, indicators and OFAR monitoring • Transparency Reporting
The Financial Conduct Authority’s (FCA’s) ‘Operational Resilience’ rules take effect on 31 March 2025. Regardless of direct applicability, these are a key regulatory focus, and firms should be prepared to act upon the rules ahead of the implementation date.
Operational resilience rules and how to ensure you meet them
The FCA has placed a focus on operational resilience to protect consumers from the disruption and harm caused by operational failures and vulnerabilities. Setting impact tolerances, and identifying actions to avoid or tackle operational disruptions, are considered a strong benchmark for demonstrating ‘operational resilience’.
The aim is to ensure firms can withstand and recover from disruptions, thereby maintaining stability and sustainability.
Key issues that regulators expect all firms to address are:
Poor governance and oversight of outsourced functions and third-party service providers: Regulators are emphasising the need for robust third-party risk management to ensure that external partners do not compromise a firm's operational resilience
Insufficiently resilient legacy IT systems with poor cyber security: Legacy systems often lack the necessary security measures to fend off modern cyber threats, making them a significant vulnerability
Lack of contingency plans for business disruptions: Effective contingency planning is crucial for firms to quickly adapt and recover from unexpected disruptions
Within this insight, we have highlighted four essential business areas where definitive procedures will help your firm to ensure operational resilience. These can be incorporated within your compliance procedures, risk management function, and considered for the assessment of harms as part of your internal capital adequacy and risk assessments (ICARAs).
Risk management framework and recovery planning
‘Identification and mapping’ and ‘impact assessment’: Clearly identify and map out critical business services (CBS) along with their key dependencies. Assess the potential impacts that disruptions to these critical services might have
‘Business Impact Analysis (BIA)’ and ‘risk-based approach’: Conduct a thorough BIA to determine the priorities for recovery in the event of a disruption. Establish a risk-based approach to mitigate the impact of potential disruptions to critical services
‘Documented plans’ and ‘regular testing’: Ensure that Business Continuity Plans (BCPs) are documented for all critical business services. Conduct regular tests of BCPs to ensure they are effective and can handle real-world disruptions
‘Third-party scenarios’ and ‘crisis management plan’: Include scenarios involving potential failures of third-party providers in the BCPs. Develop a crisis management plan that includes clear communication strategies to be used during disruptions
Technology & cyber resilience
IT system resilience including single points of failure: Implement controls to ensure the resilience of IT systems that support critical services. Identify and mitigate single points of failure within the technology infrastructure
‘Cyber protection’ and ‘disaster recovery plan’: Safeguard against cyber-attacks and data breaches with comprehensive incident response plans. Develop a robust IT disaster recovery plan, including the use of off-site backups
Preparedness for cyber events: Ensure preparedness for significant cyber events and/or data breaches with clearly defined recovery processes
Third-party risk management
Assessment process: Establish a comprehensive process to evaluate the resilience of critical third-party service providers
Contingency plans: Develop and implement contingency plans for potential failures of key suppliers or partners
Resilience testing: Conduct regular resilience tests, at least annually, and monitor Service Level Agreements (SLAs), to ensure third-party preparedness
Contractual agreements: Secure contractual agreements with third-party providers that include provisions to ensure operational resilience
Communication, reporting, monitoring and testing
Clear communication channels and escalation procedures: Establish clear lines of communication for both internal and external stakeholders during times of disruption. Define escalation procedures for reporting disruptions to the Board and relevant regulators
Post-incident reporting: Implement procedures for post-incident reporting, which should include a root cause analysis and corrective actions
Continuous risk monitoring and reviews: Implement a system for the continuous monitoring of operational resilience risks. Conduct regular reviews and updates of resilience performance to ensure ongoing effectiveness
Key performance indicators (KPIs) and metrics: Track KPIs and metrics to measure the effectiveness of operational resilience efforts
Regular resilience testing: Conduct regular tests, such as stress tests and scenario analysis, to assess the resilience of critical business services. Ensure that these tests cover both operational and cyber resilience scenarios
Employee training: Provide training for employees to help them respond effectively during disruptions. Organise live exercises that involve external parties, such as third-party service providers and regulatory bodies, to evaluate the overall resilience of the organisation
At the core of these efforts is a robust governance and leadership framework. This framework should include a designated team of senior managers who are responsible and accountable for overseeing operational resilience efforts. Operational resilience should be a regular agenda item for board-level discussions, often within committees focused on risk, audit, or strategy. Each committee should have clearly defined roles for individuals to ensure effective oversight and management.
Conclusion
A proactive approach to technology and cyber resilience, third-party risk management, and meticulous BCP and recovery planning are essential elements of a business. This approach ensures that organisations are well-equipped to handle potential IT disruptions and cyber threats, maintaining the integrity and continuity of critical services on which many customers may depend.
If you are looking to build your operational resilience plan or build on the procedures you already have in place, you can contact the team for advice and support. We can work with you to tailor these processes for your firm and incorporate them into your day-to-day operations to bolster your existing frameworks and documentation.
