On 28 May 2024, the Financial Conduct Authority (FCA) published a new webpage setting out observations and insights on the preparations firms have made towards complying with PS21/3: Building operational resilience. The FCA is asking firms to ensure they are ready to comply with the rules on operational resilience by 31 March 2025 (when the transition period ends), and to use the observations set out on the webpage to help review their approach.

The observations and insights are split into the following key areas:

  • Important business services.
  • Impact tolerance.
  • Mapping and third parties.
  • Scenario testing.
  • Vulnerabilities and remediation.
  • Response and recovery plans.
  • Governance and self-assessment.
  • Embedding operational resilience.
  • Horizon scanning (to establish an understanding of new and emerging risks and the proximity of impact).

The FCA also highlights the following points:

  • All firms are expected to be resilient and provide services for their customers when needed.
  • Ahead of the 31 March 2025 deadline, firms must ensure they can remain within impact tolerance in severe but plausible scenarios for any identified important business services, and have their plans approved by their Board in good time.
  • Important business services, impact tolerances and mapping should be reviewed on at least an annual basis, or if there is a material change to the firm’s business or the market it operates in.
  • Changes to important business services, impact tolerances and mapping should be clearly identified in each firm’s self-assessment, along with any rationale.
  • Scenario testing underpins a firm’s evidence for how it will remain within impact tolerances for severe but plausible scenarios for its important business services. It should become part of business as usual and be reviewed on a regular basis as evidence of the firm’s operational resilience.