Meeting FCA and PRA Expectations for Operational Resilience
Operational resilience is now firmly embedded in the UK regulatory landscape for financial services. Since March 2024, firms regulated by the PRA and FCA have been required to evidence their ability to withstand disruption and continue delivering critical services within defined tolerances for customer and market impact.
Meeting these expectations goes beyond updating business continuity plans. Organisations must take a service-led view of resilience, understand how outcomes are delivered across people, processes, technology, data, and suppliers, and be able to demonstrate where disruption could cause unacceptable harm.
In practice, many firms are still building this capability. Informed by delivery experience from one of our Associates, Richard Sullivan, this insight reflects the realities organisations face when assessing resilience. Complex technology estates, fragmented ownership, and limited visibility of third-party dependencies often make it difficult to assess resilience with confidence or show clear progress to regulators.
Operational resilience also extends beyond regulated entities. Expectations increasingly flow through to suppliers and outsourced partners, raising the bar for governance, assurance, and accountability across the wider ecosystem.
This paper sets out a practical perspective on how to approach operational resilience in a way that is proportionate and achievable, covering:
The regulatory drivers shaping resilience programmes.
The operational and governance challenges firms commonly face.
What regulators expect to see in evidence and decision-making.
How to move from compliance activity to embedded, workable resilience.