Our recent experience within the industry reveals that many firms are still in relatively nascent stages of developing and embedding their resilience frameworks, with only a few having fully implemented them, let alone being able to demonstrably evidence compliance with the requirements of SS1/21.
After 31 March 2025, firms are expected to have a prioritised plan which sets out how they will comply with the requirement to be able to remain within their Impact Tolerances within a reasonable time, and no later than Monday 31 March 2025. For a firm’s plan to be effective, firms must have started putting the plan into effect by 31 March 2022.
Despite a broad understanding of operational resilience, significant challenges persist, including: competing regulatory priorities, resource constraints, contract challenges and difficulties in building a compelling business case for resilience-type investment into Systems & Controls.
The PRA policy objective is to improve the resilience of both firms and the wider financial sector to operational disruptions.
The policy addresses risks to operational resilience and the PRA considers that there is a need for a proportionate minimum standard of operational resilience where firms have prepared for disruptions and invested where it is needed to prevent, manage or mitigate these disruptions to Important Business Services. After 31 March 2025, maintaining operational resilience must be a dynamic activity. By this point, firms should have sound, effective and comprehensive strategies, processes, and systems that enable them to address risks to their ability to remain within their Impact Tolerance for each Important Business Service in the event of a severe but plausible disruption.
The FCA's recent observations, particularly regarding scenario testing, echo our own: a primary concern is that while many firms have established scenario testing procedures, the depth and rigour of these tests often fall short, lacking the required sophistication. The FCA has noted a tendency among firms to focus on less severe, more predictable scenarios, which may not sufficiently challenge or stretch their resilience frameworks. The FCA therefore urges firms to explore a broader range of severe yet plausible scenarios, including those that model the firm's ability to manage simultaneous disruptions or prolonged crises, as well as giving consideration to the operational credibility of the response and recovery plan.
Continuous review of resilience capabilities is essential, particularly in the face of severe scenarios. Recent incidents and near parallels, such as the vulnerabilities exposed in CrowdStrike’s systems and the challenges facing France’s railways ahead of the Paris Olympics, underscore the ongoing and critical importance of operational resilience (and the cost of not prioritising it). These examples highlight the need for organisations to continually assess and strengthen their defences — a process that requires Senior Management engagement, streamlined processes, investment in capabilities, and leveraging the shared knowledge and experience of external advisers. The FCA also emphasises that operational resilience should be embedded in a firm’s culture, driving continuous improvement and proactive scanning for emerging risks such as advancements in AI and shifting regulatory landscapes.
As we approach six months until the March 2025 deadline, Senior Management must prioritise several key areas to meet the FCA’s operational resilience requirements. Firstly, governance structures need to be robust, with clear accountability for resilience established at Board level. It is crucial that operational resilience is fully integrated into strategic planning and not merely treated as a compliance obligation. Secondly, Senior Management should focus on conducting thorough self-assessments to identify any remaining vulnerabilities within their resilience frameworks, as well as considering third-line activity and/or external assurance-type exercises to gain comfort. This process will need to build in time to take any remedial action. Finally, there must be a strong emphasis on embedding resilience into the firm’s culture and daily operations, and on having tried and tested contingency and business continuity plans in respect of the outage of any one of your Important Business Services.