Operational resilience has become a cornerstone of UK financial services regulation. Since March 2022, FCA-regulated firms providing important business services have been required to identify those services, set impact tolerances, and build capabilities to remain within tolerance during severe but plausible disruption scenarios. By March 2025, firms must demonstrate they can remain within impact tolerances.
For payment firms and electronic money institutions, operational resilience requirements present particular challenges and opportunities. Payment services are inherently important to customers who depend on them for daily transactions, bill payments, and money transfers. Disruption to payment services can cause immediate consumer harm, making resilience both a regulatory requirement and a business imperative.
This guide provides practical guidance on implementing FCA operational resilience requirements for payment firms. We examine the regulatory framework, explain how to identify important business services, establish impact tolerances, conduct scenario testing, and build the governance structures that demonstrate compliance.
Understanding the Operational Resilience Framework
The FCA's operational resilience framework requires firms to take a fundamentally different approach to operational risk. Rather than focusing on individual systems or processes, firms must consider resilience from the perspective of the services that matter most to customers and markets.
The framework centres on important business services. These are services provided to external customers or market participants where disruption could cause intolerable harm. Firms must identify their important business services, understand the resources supporting them, and ensure they can continue delivery during disruption.
Impact tolerances define acceptable disruption limits. For each important business service, firms must set the maximum tolerable duration and extent of disruption. These tolerances should reflect the point at which disruption would cause intolerable harm to consumers, market integrity, or financial stability.
Scenario testing validates resilience capabilities. Firms must test whether they can remain within impact tolerances during severe but plausible disruption scenarios. Testing should cover a range of scenarios including technology failures, third-party disruptions, and external events.
Self-assessment documents compliance. Firms must maintain self-assessments of their operational resilience capabilities, identifying vulnerabilities and remediation plans. These assessments inform board oversight and regulatory engagement.
The framework applies proportionately. While all FCA-regulated firms should consider operational resilience, detailed requirements apply primarily to firms providing important business services. Smaller payment firms should assess whether their services meet the importance threshold.
Identifying Important Business Services
Identifying important business services is the foundation of operational resilience compliance. This requires analysis from the customer and market perspective rather than internal operational views.
Start with external services. Important business services are those provided to external customers or market participants. Internal services, however critical operationally, are not themselves important business services—though they may support important business services.
Assess disruption impact. For each external service, consider the harm that disruption would cause. Would customers be unable to access funds? Would payments fail? Would customers face financial loss or significant inconvenience? Services where disruption causes material harm are candidates for importance classification.
Consider customer dependency. Services that customers rely on for essential activities are more likely to be important. A payment service enabling customers to pay rent, buy groceries, or receive wages is more critical than one used for discretionary purchases.
Evaluate market impact. Some services may be important because of their role in market functioning rather than individual customer impact. High-volume payment processing that supports market infrastructure may be important even if individual transactions are small.
Document importance rationale. For each service classified as important, document why. Also document services considered but not classified as important, with rationale. This documentation supports regulatory engagement and demonstrates systematic analysis.
For payment firms, core payment services are typically important. Payment initiation, account access, and fund transfers are usually essential to customers and likely meet importance thresholds. Ancillary services require case-by-case assessment.
[Figure: Common important business services identified by payment institutions]
Setting Impact Tolerances
Impact tolerances define the maximum tolerable disruption for each important business service. Setting appropriate tolerances requires careful analysis of customer impact and should drive resilience investment decisions.
Tolerances should reflect intolerable harm thresholds. The FCA expects tolerances to be set at the point beyond which harm becomes intolerable, not at the point where any harm begins. Some short-duration disruption may be tolerable; prolonged or severe disruption is not.
Duration is typically the primary tolerance metric. Most impact tolerances are expressed as a maximum acceptable service outage duration: for example, that a payment initiation service must be restored within four hours. Duration tolerances should reflect how quickly customer harm escalates.
Other tolerance metrics may be appropriate. Volume of affected transactions, geographic scope, or customer segments affected might supplement duration tolerances. Use metrics that meaningfully capture the dimensions of harm for your services.
Customer perspective should drive tolerance setting. Engage customers or use customer research to understand when disruption becomes intolerable from their perspective. Internal operational views may underestimate customer impact.
Tolerances should be stretching but achievable. Setting very short tolerances that cannot realistically be met undermines the framework. Setting very long tolerances that permit significant customer harm fails regulatory expectations. Balance ambition with achievability.
Document tolerance rationale. Explain how tolerances were derived, what evidence informed the analysis, and how customer impact was considered. Regulatory scrutiny will examine whether tolerance setting was rigorous.
Review tolerances periodically. As services, customer expectations, and operational capabilities evolve, tolerances may require adjustment. Establish review cycles that keep tolerances current.
Mapping Resources and Dependencies
Understanding what resources support important business services enables firms to identify vulnerabilities and build resilience. Resource mapping connects service delivery to underlying people, processes, technology, facilities, and third parties.
Technology mapping identifies systems supporting each service. Document the applications, infrastructure, data, and integrations required for service delivery. Understand dependencies between systems and identify single points of failure.
People dependencies matter. Which roles are essential for service delivery? What happens if key personnel are unavailable? Consider both operational staff and specialist expertise needed for incident response.
Third-party mapping is critical for payment firms. Payment services typically depend on card schemes, banking partners, technology vendors, and other third parties. Map these dependencies and understand each third party's resilience capabilities.
Data dependencies should be identified. Which data is essential for service delivery? Where is it stored? How is it protected? Data unavailability or corruption can disrupt services even when systems are functioning.
Facility dependencies may exist. While many payment services operate digitally, some may depend on physical facilities—data centres, offices, or operational locations. Identify facility dependencies and their vulnerabilities.
Mapping should enable vulnerability identification. The purpose of resource mapping is not documentation for its own sake but understanding where weaknesses exist. Use mapping outputs to identify concentration risks, single points of failure, and areas requiring resilience investment.
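The resource map described above becomes useful once it can be queried for weaknesses. The following is an added example, not code from the original guide or any firm's tooling: it models services, systems, third parties, people and facilities as a dependency graph in which a requirement group with several members represents redundancy (two data centres, two banking partners), then reports single points of failure per important business service and the concentration risks where one resource underpins several services. Every service and resource name in it is constructed for illustration.

```python
"""Dependency mapping for important business services (IBS).

Added example: finds single points of failure and concentration risks in a
resource map. All service and resource names below are constructed.
"""
from collections import defaultdict

# A resource maps to a list of requirement groups. Every group needs at least
# one working member, so a group with several members models redundancy.
# An empty list marks a leaf resource with no further dependencies.
Deps = dict[str, list[set[str]]]

DEPENDENCIES: Deps = {
    # Important business services (constructed)
    "Payment initiation (IBS)": [{"payments-api"}, {"core-ledger"}, {"payment-ops-team"}],
    "Account access (IBS)":     [{"customer-portal"}, {"core-ledger"}],
    "Fund transfers (IBS)":     [{"payments-api"}, {"core-ledger"},
                                 {"bank-partner-A", "bank-partner-B"}],  # two partners
    # Technology, people and third parties (constructed)
    "payments-api":     [{"primary-dc", "secondary-dc"}, {"card-scheme-gateway"}],
    "customer-portal":  [{"primary-dc", "secondary-dc"}],
    "core-ledger":      [{"primary-dc"}, {"ledger-db"}],   # no failover site
    "ledger-db":        [{"primary-dc"}],
    "bank-partner-A": [], "bank-partner-B": [],
    "primary-dc": [], "secondary-dc": [],
    "card-scheme-gateway": [], "payment-ops-team": [],
}

IMPORTANT_BUSINESS_SERVICES = [s for s in DEPENDENCIES if s.endswith("(IBS)")]


def is_up(node: str, failed: set[str], deps: Deps, _path: tuple = ()) -> bool:
    """True if `node` can operate while every resource in `failed` is unavailable."""
    if node in _path:
        raise ValueError(f"dependency cycle: {' -> '.join(_path + (node,))}")
    if node in failed:
        return False
    # Each requirement group is satisfied if any one alternative is still up.
    return all(
        any(is_up(alt, failed, deps, _path + (node,)) for alt in group)
        for group in deps.get(node, [])
    )


def supporting_resources(service: str, deps: Deps) -> set[str]:
    """Every resource reachable from `service`: its full resource map."""
    seen: set[str] = set()
    stack = [service]
    while stack:
        node = stack.pop()
        for group in deps.get(node, []):
            for alt in group:
                if alt not in seen:
                    seen.add(alt)
                    stack.append(alt)
    return seen


def single_points_of_failure(service: str, deps: Deps) -> set[str]:
    """Resources whose loss on its own takes the service out of operation."""
    return {r for r in supporting_resources(service, deps) if not is_up(service, {r}, deps)}


def concentration_risks(services, deps: Deps, min_services: int = 2) -> dict[str, list[str]]:
    """Resources that are a single point of failure for `min_services` or more services."""
    hits: dict[str, list[str]] = defaultdict(list)
    for service in services:
        for r in sorted(single_points_of_failure(service, deps)):
            hits[r].append(service)
    return {r: s for r, s in hits.items() if len(s) >= min_services}


if __name__ == "__main__":
    for svc in IMPORTANT_BUSINESS_SERVICES:
        print(f"{svc}: SPOFs = {sorted(single_points_of_failure(svc, DEPENDENCIES))}")
    print("Concentration risks:")
    for r, svcs in sorted(concentration_risks(IMPORTANT_BUSINESS_SERVICES, DEPENDENCIES).items()):
        print(f"  {r} underpins {len(svcs)} services: {svcs}")
```

In the constructed map the ledger has no failover site, so the primary data centre, the ledger and its database come out as single points of failure for all three services, which is exactly the concentration risk the mapping exercise is meant to surface; the second banking partner, by contrast, means neither partner alone appears in the list.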
[Figure: Typical resource category dependencies for payment firm important business services]
Scenario Testing and Exercising
Scenario testing validates whether firms can remain within impact tolerances during disruption. The FCA expects firms to test against severe but plausible scenarios that stress their resilience capabilities.
Scenario selection should cover key risk categories. Consider technology failures, cyber attacks, third-party outages, pandemic or staffing disruptions, physical events, and other scenarios relevant to your operations. Scenarios should be severe enough to test resilience meaningfully.
Severe but plausible is the standard. Scenarios should represent genuinely challenging situations that could realistically occur, not everyday incidents or apocalyptic events. The FCA has provided guidance on calibrating scenario severity.
Testing should measure tolerance achievement. The purpose of testing is to determine whether services can be maintained or restored within impact tolerances. Test outputs should clearly indicate whether tolerances were met and identify any gaps.
Different testing approaches suit different purposes. Tabletop exercises test decision-making and coordination. Technical tests validate system failover and recovery. Full simulations test end-to-end response. Use appropriate approaches for different scenarios and capabilities.
Third-party involvement may be necessary. Where services depend on third parties, testing should include those dependencies. Engage third parties in scenario testing or obtain assurance about their tested capabilities.
Testing frequency should reflect risk. Higher-risk services and scenarios may require more frequent testing. Establish testing programmes that provide ongoing assurance rather than one-time validation.
Document and learn from testing. Maintain records of scenarios tested, results achieved, and lessons identified. Use findings to drive resilience improvements and update response procedures.
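Test outputs are only useful if they state plainly whether each tolerance was met. The following is an added example, not code from the original guide: it records the outage windows observed during a scenario test, merges overlapping windows (a partial recovery followed by a relapse is still one continuous outage from the customer's point of view), and compares the longest continuous outage and the affected payment volume against the tolerances set for the service, listing each gap with the margin by which it was missed. The tolerances, scenarios, timestamps and volumes are constructed for illustration.

```python
"""Evaluating scenario test results against impact tolerances.

Added example with constructed tolerances, scenarios and timestamps; no real
firm's figures are used.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class ImpactTolerance:
    service: str
    max_outage: timedelta                       # longest tolerable continuous loss of service
    max_affected_payments: Optional[int] = None  # optional volume dimension


@dataclass
class OutageWindow:
    start: datetime
    end: datetime
    affected_payments: int = 0


@dataclass
class ScenarioResult:
    scenario: str
    service: str
    windows: list = field(default_factory=list)


def merge_windows(windows):
    """Merge overlapping or touching windows into continuous outages: (start, end, affected)."""
    merged = []
    for w in sorted(windows, key=lambda w: w.start):
        if merged and w.start <= merged[-1][1]:
            s, e, n = merged[-1]
            merged[-1] = (s, max(e, w.end), n + w.affected_payments)
        else:
            merged.append((w.start, w.end, w.affected_payments))
    return merged


def evaluate(result: ScenarioResult, tolerance: ImpactTolerance) -> dict:
    """Report whether a scenario test kept the service within its impact tolerance."""
    continuous = merge_windows(result.windows)
    longest = max((e - s for s, e, _ in continuous), default=timedelta(0))
    affected = sum(n for _, _, n in continuous)
    gaps = []
    if longest > tolerance.max_outage:
        gaps.append(f"longest outage {longest} exceeds tolerance {tolerance.max_outage} "
                    f"by {longest - tolerance.max_outage}")
    if tolerance.max_affected_payments is not None and affected > tolerance.max_affected_payments:
        gaps.append(f"{affected} affected payments exceeds tolerance "
                    f"{tolerance.max_affected_payments} by {affected - tolerance.max_affected_payments}")
    return {
        "scenario": result.scenario, "service": result.service,
        "longest_outage": longest, "affected_payments": affected,
        "within_tolerance": not gaps, "gaps": gaps,
    }


# Constructed tolerance: four-hour outage limit and a volume limit on one service.
TOLERANCE = ImpactTolerance("Payment initiation", timedelta(hours=4), max_affected_payments=50_000)

_day = datetime(2024, 6, 3)  # constructed test date

# Constructed test records. The first scenario shows a partial recovery that relapsed.
SCENARIO_RESULTS = [
    ScenarioResult("Loss of primary data centre", "Payment initiation", [
        OutageWindow(_day.replace(hour=9), _day.replace(hour=11, minute=30), 20_000),
        OutageWindow(_day.replace(hour=11, minute=15), _day.replace(hour=13, minute=30), 15_000),
    ]),
    ScenarioResult("Card scheme gateway outage", "Payment initiation", [
        OutageWindow(_day.replace(hour=14), _day.replace(hour=15), 8_000),
        OutageWindow(_day.replace(hour=16), _day.replace(hour=16, minute=30), 2_000),
    ]),
]


def evaluate_all(results=SCENARIO_RESULTS, tolerance=TOLERANCE):
    return [evaluate(r, tolerance) for r in results]


if __name__ == "__main__":
    for report in evaluate_all():
        status = "WITHIN" if report["within_tolerance"] else "BREACHED"
        print(f"{report['scenario']}: {status}; longest outage {report['longest_outage']}, "
              f"{report['affected_payments']} payments affected")
        for gap in report["gaps"]:
            print(f"  gap: {gap}")
```

Reporting the margin by which a tolerance was missed, rather than a bare pass or fail, is what lets the gap feed straight into the remediation plan and the self-assessment.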
Building Response and Recovery Capabilities
Operational resilience requires capabilities to prevent disruption where possible and respond effectively when disruption occurs. Building these capabilities demands investment in technology, processes, and people.
Prevention measures reduce disruption likelihood. Robust technology architecture, security controls, redundancy, and quality assurance all help prevent incidents. While prevention cannot eliminate all disruption risk, it reduces frequency and severity.
Detection capabilities enable rapid response. Monitoring systems should identify disruption quickly so response can begin. Delayed detection extends disruption duration and customer impact.
Response procedures guide action during incidents. Documented procedures ensure consistent, effective response regardless of which personnel are available. Procedures should cover escalation, communication, technical response, and decision-making.
Recovery capabilities restore services. Technical recovery mechanisms—failover, backup restoration, alternative processing—enable service restoration. Understand recovery time objectives and test that they can be achieved.
Communication during incidents matters. Customers, regulators, and partners need appropriate information during disruption. Communication plans should address who communicates what, when, and through which channels.
Post-incident review improves resilience. After incidents, conduct thorough reviews to understand what happened, why, and how to prevent recurrence. Implement improvements identified through review.
Investment prioritisation should reflect risk. Focus resilience investment on the most important services and most significant vulnerabilities. Resource mapping and testing results inform prioritisation decisions.
Governance and Self-Assessment
Operational resilience requires governance structures that ensure board oversight, clear accountability, and systematic management of resilience capabilities.
Board responsibility is explicit. The FCA expects boards to approve impact tolerances, oversee resilience capabilities, and receive regular reporting on resilience status. Operational resilience should feature in board agendas and governance frameworks.
Senior management accountability applies. Under SM&CR, senior managers with relevant responsibilities must ensure their areas meet operational resilience requirements. Clear accountability for resilience drives appropriate attention and resources.
Self-assessment provides structured compliance review. Firms must maintain self-assessments of their operational resilience capabilities. Self-assessments should identify important business services, evaluate whether impact tolerances can be met, and document remediation plans for gaps.
Self-assessment should be honest. The purpose is not to present a favourable picture but to understand genuine capabilities and vulnerabilities. Regulators will scrutinise whether self-assessments are realistic and whether identified gaps are being addressed.
Regular review keeps assessments current. As services, resources, and capabilities evolve, self-assessments require updating. Establish review cycles and triggers that maintain assessment currency.
Regulatory engagement may draw on self-assessments. The FCA may request self-assessments as part of supervisory engagement. Well-maintained assessments that demonstrate systematic resilience management support positive regulatory relationships.
[Figure: Progression from baseline compliance to embedded resilience]
Conclusion
Operational resilience requirements represent a significant regulatory investment for payment firms but also an opportunity to build genuine competitive advantage. Firms that can demonstrate reliable service delivery during disruption build customer trust and differentiate themselves in competitive markets.
The March 2025 deadline for demonstrating tolerance achievement creates urgency for firms still building capabilities. Those that have not yet completed resource mapping, established testing programmes, or addressed identified vulnerabilities should prioritise these activities. The FCA has indicated it will assess compliance actively.
Beyond regulatory compliance, operational resilience is simply good business practice. Payment services that customers can rely on, even during challenging circumstances, create loyalty and support growth. Firms that view operational resilience as a strategic capability rather than a compliance burden will find the investment delivers lasting value.