
Prepared for Change: A Guide to Operational Resilience

Maintaining operational resilience within the UK’s financial sector is of paramount importance to protect consumers, ensure the stability of firms, and maintain confidence in the financial markets. Resilience is key to a firm’s ability to effectively anticipate, withstand, respond to, and recover from operational disruptions. Lack of resilience in critical business services may result in extensive consumer detriment, compromise market integrity, and endanger the solvency of firms, potentially leading to systemic financial instability.

The turbulence of the COVID-19 pandemic highlighted the critical need for firms to deeply understand and fortify the resilience of the services they provide. In response, the Financial Conduct Authority (FCA) issued PS21/3, setting out a blueprint to build and strengthen operational resilience, guiding firms to align with new expectations of robustness. The FCA continues to ensure firms are aware of the requirements and to underscore the importance of operational resilience, with a hard stop on 31 March 2025 to implement impact tolerances.

Objectivus are ready to support firms, offering specialised guidance and consultation services to financial services firms aiming to bolster their operational resilience. Our experts excel in evaluating and refining policies and practices to ensure that we not only meet but surpass current regulatory benchmarks. We partner with firms to pinpoint and rectify potential weak points in their operational frameworks, devising strategic solutions to manage risks effectively and maintain uninterrupted operation during periods of uncertainty. Our bespoke consultancy extends beyond mere compliance, enhancing your firm’s capability to navigate, with agility, the demands of a dynamic financial landscape.

Critical Timelines and Transitional Phases Defined by PS21/3:

March 2021: Publication of the policy framework, marking the commencement of a one-year period for firms to integrate the policy framework.

March 2022: Rules and guidance come into force.

March 2025: Conclusion of a three-year transitional phase for firms to achieve full compliance and effectively operate within their defined impact tolerances. These tolerances represent the threshold at which a disruption to a vital business service would cause unacceptable harm to consumers or pose a threat to market integrity.

Key Considerations for Operational Resilience:

  • Critical Business Services Identification: Firms are obligated to discern and document essential services that are vital to their operation and whose disruption could cause significant harm to consumers or the market.
  • Thorough Mapping: A comprehensive map outlining the people, processes, technologies, facilities, and information required to deliver each essential service is mandated, aiming to spotlight and mitigate any existing vulnerabilities.
  • Resilience Testing: Firms are expected to rigorously test their capacity to operate within impact tolerances under various severe yet plausible scenarios.
  • Routine Reassessment: An annual—or more frequent, if necessary—reassessment of critical business services and their associated impact tolerances is required to stay aligned with evolving business or market conditions.
  • Operational Disruption Preparedness: The recent pandemic accentuated the need for solid contingency plans, capable of managing unforeseen events, including scenarios like widespread remote work or heavy reliance on third-party service providers.

Expanding on Operational Resilience:

  1. Incident Management & Continuity Strategies: Establish comprehensive plans for incident management and business continuity to ensure rapid and effective responses to operational disruptions.
  2. Cyber and Operational Resilience Synergy: Ensure operational resilience works in tandem with cyber resilience strategies, with aligned resources to mitigate risks across both domains.
  3. Regulatory Adherence and Continuous Enhancement: Commit to continuous improvement and adherence to evolving regulatory standards related to operational resilience.
  4. All-Encompassing Resilience: Take a comprehensive approach to resilience, considering all facets of the business that might influence critical services, beyond the scope of technology or cybersecurity.
  5. Structured Governance & Defined Responsibility: Implement clear governance structures and accountability systems to ensure operational resilience obligations are met. Assigning mapping responsibilities to an individual with board-level accountability underscores the importance of resilience within the firm’s hierarchy.