On 27 March 2026, the Financial Conduct Authority (FCA) published observations from firms’ self-assessments to help firms review and evolve their approach to operational resilience.

Background

The FCA explained that it has been almost a year since the end of the operational resilience transition period on 31 March 2025 and that, by that date, firms were required to have completed mapping and testing so they can remain within impact tolerances for each important business service.

Since then, the FCA explains, it has reviewed firms’ annual operational resilience self-assessments and has set out its observations and insights on how firms are continuing to strengthen their operational resilience under its rules and guidance since the transition period ended.

Summary

The FCA set out the following findings, in particular in relation to:

  • Important business services and impact tolerances: Good practice included firms having clear, strong methodologies and rationale for defining important business services and setting impact tolerances. An area for improvement was firms not establishing distinct impact tolerances for market integrity and for consumer harm.
  • Mapping resources: Good practice included clear ownership and accountability of mapping data, which reduces the risk of outdated or inaccurate information that could compromise resilience planning. An area for improvement was that mapping has largely focused on the technology used to support the delivery of important business services; firms should make sure they also include factors such as facilities, people, processes, information, and third-party resilience or testing outcomes.
  • Scenario testing: Good practice included expanding scenario testing to include a broader range of cyber threats and alternative scenarios than those tested in the previous year. An area for improvement is that some firms state in their self-assessments that there is no scenario they would not be able to recover from, but do not include evidence of having tested this using sufficiently severe scenarios.
  • Vulnerability management: Good practice included self-assessments explaining the vulnerability management process and acknowledging any gaps and remediation underway. An area for improvement is that some self-assessments do not include details on the framework or end-to-end process for vulnerability identification and remediation, including how this is informed by the second and third lines.
  • Communications plan and strategy: Good practice included that the more mature firms demonstrated a strong focus on how communications can reduce harm during incidents. An area for improvement was that in some firms there was limited evidence that communications strategies are tested as part of scenario exercises, or that firms have plans to mitigate the loss of their usual communication channels.
  • Governance: Good practice included clear, structured governance frameworks with defined reporting channels, supported by board-level oversight, Senior Management accountability, and second/third line involvement. Areas for improvement included unclear board engagement, approval processes, and document review trails.