On 27 March 2024, the Bank of England (BoE) published ‘Financial Stability in Focus: The FPC’s macroprudential approach to operational resilience’. The Financial Stability in Focus publication sets out the Financial Policy Committee’s (FPC) view on specific topics related to financial stability, and this edition focuses on the FPC’s macroprudential approach to operational resilience.

It initially defines operational resilience as the ability of individual firms, financial market infrastructures (FMIs) and the wider financial system to prevent, adapt and respond to (as well as recover and learn from) operational disruptions.

The publication then focuses on:

  • How operational resilience has become more important to maintaining financial stability, particularly as the financial system has become more digitalised and interconnected (Section 1).
  • The FPC’s work to develop its approach to assessing financial stability risks from potential operational incidents, and to consider how and where operational resilience might need to be improved in the financial system (Section 2).
  • How individual firms and FMIs can continue to build system wide resilience, (Section 3) including through:
  • Assessing potential gaps in or risks to operational resilience.
  • Continuing to conduct cyber stress testing.
  • Monitoring the implementation and outcomes of the regime for critical third parties.
  • Considering whether to set impact tolerances for additional vital services beyond payments.

Next steps

The FPC intends to review the existing policies on operational resilience regularly, and notes that it is monitoring for new threats, changes in technology and changes in the way vital services are provided. It confirms that it will:

  • Assess potential gaps from a system-wide perspective that are not covered by existing rules.
  • Continue to run cyber-attack stress tests as well as considering other types of operational disruption themed tests.
  • Monitor the implementation and outcomes of a new set of rules for important outside service providers (critical third parties).
  • Consider whether to set further expectations about how quickly services should be able to be restored after an operational incident (the FPC currently only does this for payments).