On 27 March 2026, the UK’s Financial Conduct Authority (“FCA”) published its insights and observations on the progress which firms have made to continue to strengthen their operational resilience, based on the regulator’s review of firms’ annual operational resilience self-assessments (“Insights and Observations”). The FCA has outlined various examples of good practice and areas requiring further improvement, which we summarise in this article.
I. A Recap of the New Requirements on Operational Resilience
The new operational resilience requirements were introduced to strengthen firms’ ability to prevent, adapt to and recover from operational disruptions, with a particular focus on avoiding intolerable harm to consumers and threats to market integrity. Rather than seeking to eliminate disruption altogether, the regime is designed to ensure that firms can continue to deliver their most important business services, or to resume them within acceptable timeframes, even in the event of severe but plausible disruptions.
As at 31 March 2025, in-scope firms were expected to have:
(i) Identified their ‘important business services’;
(ii) Set appropriate impact tolerances for each important business service – being the maximum tolerable level of disruption to an important business service;
(iii) Completed mapping of the resources (people, technology, information, etc.) necessary to deliver each of the important business services;
(iv) Completed scenario testing to assess whether they could remain within the impact tolerances set for each of the important business services in the event of a severe but plausible disruption of their operations;
(v) Updated internal policies and procedures in alignment with the new rules; and
(vi) Prepared an internal and external communication strategy to be followed in the event of an operational disruption.
The rules apply to the following types of firms:
- PRA and FCA requirements: UK banks, building societies and PRA-designated investment firms, and UK Solvency II firms, the Society of Lloyd’s and its managing agents; and
- FCA requirements only: UK recognised investment exchanges, enhanced firms under the Senior Managers and Certification Regime (“SMCR”), payment institutions, electronic money institutions and registered account information service providers.
Although core and limited scope SMCR firms fall outside the formal scope of the new operational resilience requirements, they remain subject to other applicable regulatory obligations[1]. The FCA has indicated in its recent Insights and Observations that such firms should consider the extent to which examples of good and poor practice may be appropriately reflected in their own operational resilience arrangements, on a best-practice basis.
II. FCA’s Insights and Observations – Key Findings
The FCA’s findings are structured around six core components of the operational resilience framework. Under each area, the FCA identified examples of good practice, along with areas where further work is needed. We set out the key findings below.
1. Important Business Services and Impact Tolerances
The FCA observed that firms demonstrating stronger operational resilience practices had clear, well‑documented methodologies for identifying important business services and setting impact tolerances, informed by scenario testing and subject to regular review.
However, some firms did not make it sufficiently clear when a disruption might cause consumer harm, as distinct from threats to market integrity. The FCA emphasised the need to distinguish between these harms when setting and evidencing impact tolerances.
2. Mapping Resources
The FCA observed improved maturity in firms’ resource mapping exercises, with clearer ownership and accountability. Effective approaches increasingly cover people, processes, facilities, information and third‑party dependencies, rather than focusing solely on technology.
However, mapping in some firms remained overly IT‑focused. The FCA noted that incomplete mapping – particularly of third‑party dependencies – can hinder firms’ ability to identify and remediate vulnerabilities. Self‑assessments should clearly describe mapping methodologies and include concise summaries to allow boards to assure themselves that mapping is comprehensive.
3. Scenario Testing
Firms with stronger practices had expanded scenario testing to cover a wider range of cyber threats and other severe but plausible disruptions. Scenario development was clearly documented, and results were used to inform remediation planning and governance.
The FCA raised concerns regarding firms that stated in their self-assessment that there was no scenario from which they could not recover, with no evidence that this had been sufficiently tested. The regulator then questioned whether boards, who were required to have approved the self-assessments, would have had the assurance they needed to sign off this statement.
4. Vulnerability Management
Some firms clearly articulated their vulnerability management processes, including the frameworks used to identify vulnerabilities, acknowledge gaps, and track remediation activity. This helped to demonstrate how mapping and scenario‑testing outputs were driving improvements.
Other self‑assessments lacked detail on the end‑to‑end identification and remediation process, including the role of second and third‑line oversight. Where firms reported few or no vulnerabilities, the FCA noted that insufficient supporting information made it difficult to assess whether vulnerabilities had been properly identified.
5. Communications Plans and Strategy
The FCA observed more mature communications planning where firms had tested their internal and external communications approaches and ensured staff were clear on their roles during a disruption. Effective plans included contingencies for the loss of usual communication channels.
In weaker examples, communications plans existed on paper but had not been tested, limiting confidence that they would effectively mitigate harm during a real incident.
6. Governance
The FCA highlighted the importance of transparency in firms’ self-assessments. Stronger examples enabled boards to understand the firm’s operational resilience approach, challenge assumptions and oversee remediation plans effectively. Where self-assessments were overly high-level or lacked supporting evidence, boards were less well-placed to exercise effective oversight or to form a clear view of residual risks.
III. What Firms Should Do Next
The FCA is engaging directly with firms within the scope of the operational resilience rules on its findings. However, it has emphasised that all firms can benefit from considering these observations, even where the rules do not formally apply.
Firms may wish to use the FCA’s findings as a benchmarking tool, reviewing whether their own self‑assessments:
- consider whether their important business services and impact tolerances distinguish between consumer harm and market impact;
- ensure all critical resources and third-party dependencies are adequately captured;
- clearly explain methodologies and judgements, rather than relying on broad assertions;
- provide boards with sufficient evidence to challenge and oversee resilience decisions; and
- demonstrate how mapping, scenario testing and vulnerability management operate as an interconnected process.
Taken together, the FCA’s observations reinforce that operational resilience is not a one-off compliance exercise, but an ongoing process of refinement, testing and governance. Firms that actively use the FCA’s findings to interrogate their own practices are likely to be better placed to prevent intolerable harm and meet regulatory expectations as supervisory scrutiny continues to evolve.
If you have any questions concerning the material discussed in this client alert, please contact a member of our Financial Services practice.
[1] For example: Principle 3 (“A firm must take reasonable care to organise and control its affairs responsibly, with adequate risk management systems”); the Threshold Conditions (Schedule 6 of FSMA 2000); the FCA’s Senior Management Arrangements, Systems and Controls (in particular, Chapters 4, 7 and 8); and any sector-specific requirements, such as the operational resilience requirements applicable to payment institutions and electronic money institutions under the Payment Services Regulations 2017 and the Electronic Money Regulations 2011.