Practical Guide · 17 pages · Free

Operational Resilience for Financial Services: What Regulators Now Expect

FCA and PRA operational resilience policy has been fully effective since March 2025. Every FCA and PRA-regulated firm must now have mapped its important business services, set impact tolerances, and demonstrated through scenario testing that it can remain within those tolerances. This guide walks through the complete operational resilience framework.

Published May 2026 · Business & Finance · Operational Resilience, FCA, PRA, Financial Services

What the FCA and PRA Operational Resilience Policy Requires

The FCA and PRA jointly published their operational resilience policy in March 2021, with full implementation required by March 2025. For FCA and PRA-regulated firms — banks, insurers, investment managers, payment firms, and in-scope market infrastructure — the policy requires: identification of important business services, setting of impact tolerances for each service, mapping of the resources and third-party dependencies that support each service, scenario testing to demonstrate the firm can remain within impact tolerances, and an annual self-assessment of operational resilience capability.

This is a different regulatory framework from ISO 22301 business continuity management — although the two complement each other. ISO 22301 focuses on the management system for business continuity. FCA/PRA operational resilience policy focuses specifically on customer and market outcomes: can the firm deliver its important business services within tolerances that protect consumers and market stability, even during severe but plausible disruption?

Step 01
Important Business Service identification
Identify services that, if disrupted, would cause harm to consumers or market participants, or pose a risk to market integrity or financial stability. The test is customer and market outcome focused — not operational impact on the firm itself. Common important business services in financial services include: payment processing, deposit-taking and access to funds, mortgage origination, investment execution, and insurance claims processing. The identification must be approved by the governing body.
Step 02
Impact tolerance setting
Set an impact tolerance for each important business service: the maximum tolerable level of disruption, expressed in time — how long the firm could tolerate disruption before consumer harm, market impact, or financial stability risk becomes unacceptable. Impact tolerances must be set at a level that is genuinely challenging — regulators expect impact tolerances to drive investment in resilience, not simply reflect current capability.
Step 03
Resource and third-party dependency mapping
Map every resource — people, technology, facilities, data — and every third-party dependency that supports each important business service. The mapping must be sufficiently granular to identify single points of failure: technology components with no resilient alternative, key person dependencies, third parties that are sole providers of critical services. The mapping is the foundation for identifying where investment in resilience is required.
Step 04
Scenario testing
Test whether the firm can remain within its impact tolerances during severe but plausible disruption scenarios. Scenarios should be developed based on the threats most relevant to the firm's operating model — cyber attacks, third-party provider failure, operational incidents affecting key facilities, and pandemic-level people disruption are commonly tested. The scenario testing must be adversarial enough to genuinely test tolerance limits — and must identify where investment is required to close gaps.
Step 05
Annual self-assessment
Produce an annual board-approved self-assessment documenting: the firm's important business services, its impact tolerances, the results of scenario testing, any gaps identified between current capability and impact tolerances, and the investment programme addressing those gaps. The self-assessment must be available to the FCA and PRA on request.
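The mapping and testing in Steps 02 to 04 can be kept as data and checked mechanically. The sketch below is an added example, not part of the AjaCertX guide: every resource name, hour figure and the 4-hour tolerance are constructed, and it assumes each mapped resource is required by the service, so the disruption is the longest single outage among the failed resources.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Resource:
    name: str
    kind: str                          # people, technology, facilities, data, third_party
    recovery_hours: float              # time to restore when no alternative is usable
    alternative: Optional[str] = None  # resilient alternative, if one exists
    failover_hours: float = 0.0        # time to switch over to the alternative

# Constructed sample mapping for one important business service.
SERVICE = "payment processing"
TOLERANCE_HOURS = 4.0                  # constructed impact tolerance
RESOURCES = [
    Resource("core-payments-db", "technology", 12, "standby-payments-db", 1),
    Resource("standby-payments-db", "technology", 12, "core-payments-db", 0),
    Resource("primary-datacentre", "facilities", 48, "secondary-datacentre", 2),
    Resource("secondary-datacentre", "facilities", 48, "primary-datacentre", 0),
    Resource("gateway-vendor", "third_party", 24),   # sole provider
    Resource("payments-ops-lead", "people", 8),      # key person dependency
]
SCENARIOS = {   # severe but plausible, each a set of resources failing together
    "cyber attack on core database": {"core-payments-db"},
    "cyber attack on database and standby": {"core-payments-db", "standby-payments-db"},
    "third-party provider failure": {"gateway-vendor"},
}

def single_points_of_failure(resources):
    """Step 03: resources with no resilient alternative in the mapping."""
    return [r.name for r in resources if r.alternative is None]

def disruption_hours(resources, failed):
    """Hours the service is disrupted when the named resources fail together."""
    worst = 0.0
    for r in resources:
        if r.name in failed:
            usable_alt = r.alternative is not None and r.alternative not in failed
            worst = max(worst, r.failover_hours if usable_alt else r.recovery_hours)
    return worst

def run_scenarios(resources, tolerance, scenarios):
    """Step 04: scenario name -> (disruption hours, within tolerance?)."""
    results = {}
    for name, failed in scenarios.items():
        hours = disruption_hours(resources, failed)
        results[name] = (hours, hours <= tolerance)
    return results

if __name__ == "__main__":
    print(SERVICE, "SPOFs:", single_points_of_failure(RESOURCES))
    for name, (hours, ok) in run_scenarios(RESOURCES, TOLERANCE_HOURS, SCENARIOS).items():
        print(f"{name}: {hours}h", "within tolerance" if ok else "BREACH")
```

Scenarios that return a breach are the gaps the Step 05 self-assessment has to document alongside the investment addressing them.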
Operational Resilience Readiness Checklist
Important business services identified and approved by the governing body
Impact tolerances set for each important business service — at a level that drives resilience investment
Resource and third-party dependency mapping completed at granularity sufficient to identify single points of failure
Scenario testing completed against severe but plausible disruption scenarios
Gaps between current capability and impact tolerances documented with investment programme
Annual self-assessment produced and approved by the governing body

About AjaCertX
AjaCertX is a specialist compliance, certification and assurance partner serving financial services organisations globally. Our Resilience and Continuity practice delivers operational resilience programme design, ISO 22301 implementation, and FCA/PRA operational resilience self-assessment support.