With the PRA & FCA’s operational resilience rules fully in force since the end of March 2025, financial services institutions operating in the UK face a critical milestone: demonstrating that they can remain within their impact tolerances during disruptions.
In this blog, we explore how firms can move from compliance to true resilience and sustain their efforts beyond the deadline. Key areas covered include:
- Moving from compliance to resilience
- Reviewing your maturity journey
- Tightening the hatches
- Staying ahead of evolving requirements
Moving from compliance to resilience
Firms had a three-year runway from the initial phase of understanding their important business services (IBS) and setting impact tolerances to the March 2025 deadline for demonstrating they can remain within those impact tolerances.
These journeys are never a straight path. Some firms had many puzzle pieces already in place and looked to enhance and evolve existing capabilities early. Others, perhaps by necessity due to lack of resources, may have focused on minimum compliance.
With any regulatory change, inevitably there is an urge to ensure minimum requirements are met – but baseline compliance shouldn’t be the goal. Resilience is what is required, and tick-the-box exercises are unlikely to meet the PRA and FCA’s expectations.
The headline questions the regulators are likely to have moving forward are:
- Can you remain within your impact tolerances?
- Have you made the right investments to address vulnerabilities?
- Are your governance arrangements adequate to ensure ongoing resilience?
Reviewing your maturity journey
With the rules fully in force, now is the time to take stock of how your operational resilience program has matured, assess the level of sophistication of its key components, and identify the investment required to push further up the maturity curve.
Below is our assessment of how the 2022 state of the market compares with 2025.
[Figure: maturity comparison, 2022 vs 2025, across Important Business Services, Mapping, Impact Tolerances, Scenario Testing, and Adaptation]

During implementation, it’s common for disparate processes to spring up, often using different tools or systems – this can make it challenging to achieve higher levels of maturity. Digitising your operational resilience program into a single, integrated platform can enhance efficiency and support real-time adjustments. Relying on static spreadsheets and documents makes it difficult to achieve the ongoing sophistication of operational resilience programs that the regulators expect.
Tightening the hatches
If you haven’t already, you should consider the areas of focus from the FCA’s observations back in May 2024[1], and tighten up where necessary.
As firms move into the sustainability phase, they may want to assess their governance structures and ensure they remain fit for purpose. Review learnings from the self-assessment process, and validate that any committees, sub-committees or working groups still serve their intended purpose. Ensure that operational risk, operational resilience, business continuity and related disciplines and frameworks are integrated and collaborative. Re-align roles and responsibilities if required.
Moving into the sustainability phase doesn’t mean operational resilience is ‘done’. Risk-in-change is an important component of both an enterprise risk management and operational resilience framework, so you will want to ensure you have the appropriate triggers to identify:
- Changes to existing IBS to ensure mapping and vulnerability identification remain up to date
- When new IBS (perhaps driven by new products) might be introduced
- Data sources that warrant review of impact tolerances and related metrics
- Data sources that influence the plausibility of scenarios
- Outputs of risk processes such as controls assurance that identify potential vulnerabilities
Staying ahead of evolving requirements
The PRA and FCA introduced requirements related to critical third parties in November 2024[2]. While the requirements are aimed at the critical third parties, they also reinforce the relationships firms should have with their material providers in order to achieve operational resilience across the sector.
Consultation recently closed on the Bank of England paper on reporting requirements for firms related to incidents and material third parties. This demonstrates the regulators’ ongoing move to obtain consistent information from firms in order to analyse trends and identify systemic issues.
In the interest of proportionality, the proposal only requires reporting of incidents that would present risk to the PRA’s objectives. It also specifies that even when impact tolerances of IBS are not breached, an assessment still needs to be made of whether the incident breaches the PRA’s objectives.
The proposal further outlines three types of incident reporting (initial, intermediate, and final), as well as comprehensive data categories for that reporting.
Firms in scope would also need to create a register of material third-party arrangements for submission to the PRA. This is based on a proposed template and taxonomies to ensure consistent data capture. The aim is to provide the PRA with more insight into systemic concentration risk, and to help the PRA classify specific entities as critical third parties to the financial sector.
As we wait to find out the results of the consultation, firms should prepare themselves to incorporate these processes as part of their operational resilience evolution.
Conclusions and next steps for your organisation
With the March 2025 deadline now passed, compliance is no longer the finish line; it's the starting point for continuous operational resilience. The PRA and FCA’s expectations will only intensify from here, with greater scrutiny on how resilience is sustained, tested, and improved over time.
Now is the time to shift gears: move beyond static registers and siloed processes, and embed operational resilience into your broader enterprise risk framework. That means real-time insights, connected data, and automation across mapping, scenario testing, impact tolerance monitoring, and third-party oversight.
Protecht makes this evolution possible.
Our operational resilience solution offers built-in dashboards, preconfigured registers, and visual mapping tools to give you a clear line of sight on your resilience posture – and the evidence to prove it.
See how Protecht can help you demonstrate, strengthen, and scale your resilience capability. Request a demo today.
References
[1] FCA, Operational resilience: insights and observations for firms
[2] PRA, SS6/24 – Critical third parties to the UK financial sector