FCA publishes operational resilience tips

The FCA has published its observations on firms’ preparations for complying with its operational resilience rules by 31 March 2025. The rules apply to dual regulated firms as well as RIEs, enhanced scope SMCR firms and authorised payment institutions and EMIs. Among the FCA’s key observations are:

  • some firms are unlikely to be properly identifying their important business services – for example, some are excluding services that could be provided by competitors if necessary. The FCA says firms should not exclude services on the basis of just one factor, and should include in their self-assessments the justification for identifying services as important business services;
  • firms are setting a wide range of impact tolerances, not always backed with a full rationale. The FCA also comments that firms should use other metrics to complement time-bound tolerances, and should be looking at responding with mitigating actions as part of a response plan;
  • it expects firms’ mapping of resources and processes to mature over time, but they should always manage relationships with third party providers so they can be assured of the third party’s resilience, because failure of a provider to remain within impact tolerance is the firm’s responsibility;
  • when scenario testing, firms should at the very least consider the scenarios within the FCA Handbook. Scenario testing should evolve from judgement-based, desk-based tests to a wider range of testing that will provide empirical data;
  • firms need to have progressed remediation activities for vulnerabilities they are identifying such that they can be sure to remain within impact tolerance for all important business services by March 2025;
  • it found limited evidence of testing of response plans;
  • self-assessments should set out a firm’s journey to operational resilience and, again, the FCA expects that self-assessments will mature and develop over time;
  • like the Consumer Duty, the FCA stresses operational resilience is not a “once and done” activity, or something that is just tick-box compliance; and
  • as firms embed operational resilience, they should also ensure their stress testing scenarios are regularly refreshed.

Emma Radmore