“In an era where operational disruptions can swiftly erode consumer trust, market stability, and firm viability, this focused training equips attendees with a clear understanding of FCA requirements and equips them with actionable strategies to build, test, and sustain resilience—ensuring they not only meet compliance deadlines but embed resilience as a core business capability.”
FCA Operational Resilience Framework: Core Principles and Current Expectations
The FCA’s operational resilience rules, solidified through Policy Statement PS21/3 and effective since March 2022, represent a paradigm shift in how UK-regulated firms approach disruptions. The framework prioritizes the continuity of critical services over traditional risk management silos, focusing on outcomes rather than processes alone.
Firms must identify Important Business Services (IBS)—those services whose disruption could cause intolerable harm to clients or threaten the stability of the UK financial system or orderly markets. These are not all services but those with significant potential impact, determined through careful analysis of client harm, market effects, and safety/soundness risks.
Once identified, firms establish impact tolerances for each IBS. These define the maximum acceptable disruption level, typically measured in time (e.g., hours or days) but supplemented by other metrics such as transaction volumes, data loss thresholds, or geographic scope. Impact tolerances mark the point beyond which further disruption would cause intolerable harm, guiding response and recovery priorities.
The transitional period ended on March 31, 2025, marking the point where firms must demonstrate they can remain within these tolerances during severe but plausible scenarios. In 2026, supervisory focus has intensified on proving ongoing compliance rather than initial setup. Regulators now scrutinize whether resilience is dynamic and embedded, moving beyond static documentation to evidence of continuous monitoring, testing, and improvement.
Key Requirements Under the FCA Framework
Firms in scope—including banks, building societies, PRA-designated investment firms, insurers, electronic money institutions, and payment providers—must fulfill several interconnected obligations:
Identification of Important Business Services: Firms conduct thorough reviews to pinpoint IBS, considering end-to-end delivery chains, including dependencies on third parties. Regular reassessment is required as business models evolve.
Setting and Reviewing Impact Tolerances: Tolerances must be realistic, board-approved, and calibrated to prevent intolerable harm. They serve as decision-making tools during incidents, not aspirational goals.
Mapping and Testing: Detailed mapping covers people, processes, technology, facilities, and third-party dependencies supporting each IBS. Scenario testing against severe but plausible disruptions validates whether tolerances can be met, identifying vulnerabilities for remediation.
Investment and Remediation: Where testing reveals gaps, firms must prioritize investments to close them, ensuring operational continuity within tolerances.
Governance and Self-Assessment: Boards and senior management oversee the program, approving self-assessments that document IBS, tolerances, testing outcomes, vulnerabilities, and remediation plans. These living documents evolve with the firm’s maturity and must be available for regulatory review.
Incident Response and Learning: Firms maintain clear response and recovery arrangements, with post-incident reviews to drive continuous improvement.
Practical Strategies Covered in the Training Course
This one-day virtual course, led by seasoned FCA experts, structures content around real-world application to ensure participants depart with concrete tools:
IBS Identification Workshop — Interactive exercises help attendees map services relevant to their firm, distinguishing important from non-important and justifying selections with regulatory rationale.
Impact Tolerance Calibration — Guidance on setting defensible tolerances, incorporating multi-metric approaches and aligning with board risk appetites. Participants practice defining tolerances that balance realism with regulatory expectations.
Mapping Dependencies — Step-by-step methods for end-to-end mapping, highlighting third-party risks and concentration vulnerabilities that supervisors increasingly target in 2026.
Scenario Testing Best Practices — Developing and running “severe but plausible” scenarios, from cyber attacks to supply chain failures. Emphasis on empirical evidence over assumptions, with tips for documenting outcomes effectively.
Vulnerability Remediation Planning — Prioritizing fixes based on potential impact, building remediation roadmaps, and integrating resilience into change management and supplier contracts.
Self-Assessment Development — Structuring comprehensive yet concise self-assessments that satisfy handbook requirements (SYSC 15A), including governance oversight and board reporting templates.
Embedding Resilience Culture — Strategies to move from project-based compliance to ongoing resilience, including training staff, integrating into risk frameworks, and aligning with broader obligations like third-party oversight.
Common Challenges and Solutions in 2026
Post-2025, many firms face hurdles in shifting from initial compliance to sustained resilience. Static spreadsheets and one-off assessments often fall short under scrutiny. The course addresses these by promoting dynamic tools—such as digital mapping platforms—for real-time visibility.
Third-party dependencies remain a flashpoint, with regulators probing exit strategies and alignment of supplier SLAs to firm tolerances. Participants learn negotiation tactics and monitoring approaches to strengthen these chains.
Supervisory reviews now demand proof of “today’s” resilience, including recent testing and incident responses. The training stresses annual self-assessment updates and board-level accountability to avoid “compliance debt.”
Who Benefits and Expected Outcomes
Ideal for risk managers, compliance officers, operations leads, IT resilience specialists, and senior executives in UK-regulated firms. By day’s end, participants gain:
A solid grasp of FCA rules and 2026 enforcement priorities.
Templates and frameworks for IBS identification, tolerance setting, and testing.
Actionable plans to address vulnerabilities and enhance governance.
Confidence in preparing for supervisory engagement or internal audits.
In a landscape where disruptions—from cyber threats to geopolitical events—pose escalating risks, this training bridges regulatory demands with practical execution, empowering firms to protect clients, maintain stability, and thrive amid uncertainty.
Disclaimer: This article is for informational purposes only and does not constitute financial, legal, or regulatory advice. Readers should consult qualified professionals and refer to official FCA guidance for compliance obligations.