A practical guide to FCA and PRA operational resilience requirements now that the March 2025 deadline has passed, including ongoing compliance expectations.
Introduction: The Deadline Has Passed - What Now?
The FCA operational resilience deadline of 31 March 2025 has now passed. After a three-year transition period, UK financial services firms were required to demonstrate they can remain within their impact tolerances for all important business services. For firms that met the deadline, the focus now shifts to maintaining compliance and continuous improvement. For those that fell short, urgent remediation is essential as supervisory scrutiny intensifies.
The operational resilience framework, established through PS21/3 and the PRA's SS1/21, represents more than a compliance exercise—it is a fundamental shift in how firms approach operational risk. The regulators have made clear that meeting the March 2025 deadline was not the end of the journey, but the point at which firms must demonstrate they have achieved a sustainable state of resilience.
For boards and senior management, the message is clear: operational resilience must be embedded into your firm's culture and governance framework on an ongoing basis. The FCA and PRA are now actively supervising against these requirements.
What is Operational Resilience?
Definition and Regulatory Context
Operational resilience refers to a firm's ability to prevent, adapt to, respond to, recover from, and learn from operational disruptions. The FCA and PRA define it as the ability to deliver important business services to customers and counterparties, and to support the stability of the financial system, even during severe but plausible disruption scenarios.
The regulatory framework emerged following several high-profile operational failures in the financial sector, including IT outages at major banks that left millions of customers unable to access basic banking services. The regulators recognised that traditional approaches to operational risk management were insufficient in an increasingly complex, interconnected, and technology-dependent financial ecosystem.
PS21/3 (FCA) and SS1/21 (PRA) came into force on 31 March 2022, giving firms a three-year transition period to:
- Identify their important business services
- Set impact tolerances for each service
- Map the people, processes, technology, facilities, and information required to deliver these services
- Conduct scenario testing to determine whether they can remain within impact tolerances
- Develop remediation plans for any identified vulnerabilities
How Operational Resilience Differs from Business Continuity
Whilst business continuity and operational resilience share common ground, they represent fundamentally different approaches. Business continuity planning typically focuses on restoring specific systems or processes following a disruption—essentially asking, "How do we get back to normal?"
Operational resilience takes a service-centric view, asking instead, "How do we continue delivering services to customers throughout a disruption?" This shift in perspective has significant implications:
Traditional Business Continuity:
- Process and system-focused
- Emphasises recovery time objectives (RTOs)
- Often siloed within IT or operational risk functions
- Reactive in nature
Operational Resilience:
- Service and outcome-focused
- Emphasises impact tolerances based on consumer and market harm
- Requires enterprise-wide collaboration
- Proactive and forward-looking
Consider a retail bank's payment services. A business continuity plan might focus on restoring the payment processing system within four hours. An operational resilience approach would consider all the ways payment services might be disrupted—technology failure, third-party outage, cyber attack, or staff unavailability—and ensure the firm can continue processing payments for customers regardless of the specific disruption type.
Key Requirements Under the Framework
Identifying Important Business Services
The foundation of operational resilience is identifying your firm's important business services (IBS). These are services provided to external customers or market participants that, if disrupted, could cause intolerable harm to consumers, market integrity, or the firm's own safety and soundness.
The regulators expect firms to take an outcomes-based approach, considering:
- The nature and scale of the service
- The number of customers or counterparties affected
- Whether there are readily available substitutes
- The potential for contagion to other firms or the wider financial system
- The criticality of the service to specific customer segments (particularly vulnerable customers)
For example, a wealth management firm might identify discretionary portfolio management, custody services, and client money handling as important business services. A retail bank would likely include current account services, mortgage lending, and payment processing.
Setting Impact Tolerances
For each important business service, firms must set an impact tolerance—the maximum tolerable level of disruption. Unlike RTOs, which measure time to recovery, impact tolerances consider the real-world impact on consumers and markets.
Impact tolerances should be expressed in terms that reflect actual harm, such as:
- Duration of disruption (e.g., payment services unavailable for more than 24 hours)
- Volume of affected transactions (e.g., more than 10,000 payments delayed)
- Number of customers impacted (e.g., more than 50,000 customers unable to access accounts)
- Financial loss to customers (e.g., customer losses exceeding £1 million)
Setting appropriate impact tolerances requires careful judgement. They must be ambitious enough to drive genuine resilience investment, yet realistic given current capabilities. The regulators have made clear that impact tolerances set at levels that would never be breached are unlikely to be acceptable.
Mapping Dependencies
Once important business services and impact tolerances are established, firms must map all the resources required to deliver each service. This includes:
People: Staff with critical skills, key person dependencies, succession planning, and geographic concentration risks.
Processes: End-to-end process flows, handoff points, manual workarounds, and escalation procedures.
Technology: Systems, applications, infrastructure, data, and technology change management.
Facilities: Premises, data centres, equipment, and geographic considerations.
Information: Data flows, data quality, and information dependencies.
Third Parties: Critical suppliers, outsourcing arrangements, and concentration risks.
Mapping must be sufficiently granular to identify single points of failure and interconnections between services. Many firms have discovered through this exercise that their understanding of critical dependencies was incomplete—particularly regarding third-party technology providers and intragroup dependencies.
Scenario Testing
The operational resilience framework requires firms to conduct scenario testing to determine whether they can remain within impact tolerances during severe but plausible disruptions. Testing should:
- Be based on realistic scenarios that could genuinely affect important business services
- Challenge assumptions about recovery capabilities
- Include third parties where appropriate
- Test the effectiveness of communication and escalation procedures
- Be conducted regularly and following material changes
Scenarios should not be limited to familiar risks. The regulators expect firms to consider emerging threats, including sophisticated cyber attacks, simultaneous failures of multiple third parties, and scenarios that combine several disruption types.
Post-Deadline Compliance: What Firms Must Now Demonstrate
Ongoing Supervisory Expectations
Since 31 March 2025, firms have been required to demonstrate they can remain within their impact tolerances. The FCA and PRA are now actively supervising against these requirements and expect firms to evidence:
- All important business services identified with documented and justified selection methodology
- Impact tolerances appropriately calibrated and approved by the board
- Comprehensive mapping of resources and dependencies completed for each IBS
- Scenario testing conducted confirming the firm can remain within impact tolerances
- Vulnerabilities remediated or credible remediation plans in place with clear timelines
- Operational resilience embedded into governance, risk management, and investment decisions
Firms should be prepared to evidence their compliance through documentation, testing results, board papers, and audit trails. Supervisors expect to see a clear line of sight from regulatory requirements through to operational implementation.
What If Your Firm Missed the Deadline?
Firms that did not meet the March 2025 deadline should treat remediation as an urgent priority. The FCA and PRA have indicated they will take a risk-based approach to supervision, but firms with material gaps can expect:
- Intensive supervisory engagement and potential s.166 skilled persons reviews
- Requirements for accelerated remediation with regular progress reporting
- Possible restrictions on business activities in severe cases
- Consideration of enforcement action where failures have caused or risk customer harm
If your firm has gaps, immediate steps should include:
- Conducting an honest assessment of your current position
- Reporting findings to the board with clear remediation recommendations
- Developing a realistic but ambitious remediation plan
- Engaging proactively with your supervisory contact
- Prioritising areas that present the greatest risk to customers
Board Responsibilities
The board carries ultimate responsibility for operational resilience. Directors must be able to demonstrate they have:
- Approved the methodology for identifying important business services
- Reviewed and approved impact tolerances, understanding the judgements involved
- Received regular reporting on resilience capabilities and testing results
- Challenged management on remediation progress and investment priorities
- Considered operational resilience implications in strategic decisions
Board members should expect searching questions from supervisors about their personal understanding of the firm's operational resilience posture and their confidence that the firm can meet its impact tolerances.
Common Challenges and Solutions
Third-Party Dependency Mapping
Many firms struggle to map dependencies on third-party providers with sufficient granularity. Cloud service providers, payment processors, market data vendors, and technology partners often sit at the heart of important business services, yet detailed information about their own resilience capabilities may be difficult to obtain.
Practical solutions include:
- Incorporating operational resilience requirements into procurement and contract negotiations
- Developing standardised questionnaires for critical third parties
- Participating in industry utilities for third-party resilience information
- Conducting joint testing exercises with key providers
- Establishing clear contractual rights to audit and receive resilience information
Testing Within Impact Tolerances
Demonstrating that a firm can remain within impact tolerances through testing alone is inherently challenging. Full-scale live testing of severe disruption scenarios is often impractical and could itself cause customer harm.
Approaches to address this include:
- Combining desktop exercises, simulation testing, and controlled live testing
- Using historical incidents and near-misses as evidence of resilience capabilities
- Conducting component testing that validates individual elements of the recovery chain
- Engaging third parties in testing where they are critical to service delivery
- Documenting assumptions and limitations clearly when full testing is not feasible
Technology Resilience
Technology underpins virtually every important business service, making technology resilience a critical focus area. Common challenges include legacy system dependencies, technical debt, inadequate disaster recovery capabilities, and insufficient testing of backup systems.
Key considerations:
- Legacy systems may require significant investment to achieve acceptable resilience levels
- Cloud migration can improve resilience but introduces new dependencies and concentration risks
- Disaster recovery capabilities must be tested regularly—untested backups cannot be relied upon
- Change management processes must consider operational resilience implications
Maintaining Compliance: Ongoing Requirements
Regular Testing and Review
Operational resilience is not a one-time compliance exercise. Firms must maintain ongoing testing programmes that:
- Cover all important business services over an appropriate cycle
- Include a range of scenarios reflecting different disruption types
- Test end-to-end service delivery, not just individual components
- Involve relevant third parties where they are critical to service delivery
- Generate actionable findings that drive continuous improvement
- Are documented thoroughly to evidence compliance
Keeping Documentation Current
Comprehensive documentation must be maintained and updated as your business evolves. Firms should maintain:
- Important business service definitions and selection rationale
- Impact tolerance methodology and calibration documentation
- Dependency maps with version control and update procedures
- Testing plans, scenarios, results, and lessons learned
- Remediation action plans with progress tracking
- Board papers, minutes, and decision records
- Policies, procedures, and playbooks
Annual Board Attestation
Boards should conduct at least annual reviews of the firm's operational resilience posture, with formal attestation that the firm can remain within impact tolerances. This review should consider:
- Any material changes to the business or operating environment
- Results of scenario testing conducted during the year
- Progress on remediation of identified vulnerabilities
- Emerging risks that may affect important business services
- Adequacy of resources allocated to operational resilience
How MEMA Can Help
Whether your firm met the March 2025 deadline and needs to maintain compliance, or you have gaps that require remediation, MEMA Consultants can provide the expertise and practical support you need. We have supported numerous firms through their operational resilience journeys and understand what regulators expect.
Our services include:
Operational Resilience Assessment: Comprehensive review of your current position against regulatory expectations, with prioritised recommendations for remediation or enhancement.
Important Business Service Identification: Facilitated workshops to identify and document your important business services using a methodology aligned with regulatory expectations.
Impact Tolerance Setting: Expert support in calibrating impact tolerances that are appropriately ambitious yet achievable.
Mapping and Testing Support: Practical assistance in mapping dependencies and designing effective scenario testing programmes.
Board and Executive Briefings: Targeted sessions to ensure senior leadership understand their responsibilities and can engage effectively with operational resilience matters.
Regulatory Engagement Preparation: Support in preparing for supervisory discussions and demonstrating compliance.
Remediation Support: For firms with gaps, we provide hands-on support to develop and execute remediation plans on realistic timelines.
Ready to assess your operational resilience posture? Contact our team for a confidential discussion about how we can support your firm in maintaining regulatory compliance and building genuine operational resilience.
This article is for general information purposes only and does not constitute regulatory or legal advice. Firms should seek specific guidance tailored to their circumstances.
MEMA Regulatory Team
The MEMA Regulatory Team includes ex-FCA supervisors and Big 4 consultants with deep expertise across all aspects of UK financial services regulation and compliance.


