Operational disruptions can prevent consumers accessing essential financial services, disrupt markets and threaten confidence in the sector. Firms continue to face a high – and growing – level of cyber threats and operational resilience risks. So, they should be investing in their resilience to help prevent and respond to disruptions.
While operational disruptions are inevitable, our outcomes aimed to reduce their impact on consumers and markets. To do this, we wanted to make sure that firms’ important business services are resilient.
Access

Outcome 1: Firms’ important business services are resilient to operational disruption
Metric code | Metric description | Source | Baseline Value | Year 1 values | Year 2 values | Year 3 values | Latest status (year 3 value compared to baseline) |
---|---|---|---|---|---|---|---|
IOD1-M01 | Maintain a low impact (scale, severity, time to resolve) of operational disruptions to firms’ important business services, as measured by FCA Technology, Resilience & Cyber function* | FCA data | Average impact of incidents 1.33 out of 6 (Low Impact) (2023) | 1.33 (2023) | 1.34 (2024) | Little or no change | |
 | | | Average impact of consumer firm incidents 1.28 out of 6 (Low Impact) | 1.28 (2023) | 1.32 (2024) | Little or no change | |
 | | | Average impact of wholesale markets firms – 1.43 out of 6 (Low Impact) (2023) | 1.43 (2023) | 1.42 (2024) | Little or no change | |
IOD1-M02 | Maintain awareness of the FCA's work to ensure firms are operationally resilient. Increase the proportion of firms who, over the past 12 months, say operational resilience has become more of a priority | FCA and Practitioner Panel survey | 88% of firms are aware of the FCA's work to ensure firms are operationally resilient (2022/23) | 91% of firms (2023/24) | 91% of firms (2024/25) Difference between year 3 and baseline value is statistically significant. | Improved | |
 | | | 57% of firms say operational resilience has become more of a priority over the past 12 months (2022/23) | 61% of firms | 60% of firms (2024/25) Difference between year 3 and baseline value is statistically significant. | Improved | |
CAC1-M01 and WAC1-M01 | We also monitor the overall number of operational incidents through topline metrics CAC1-M01 and metric WAC1-M01 | FCA Data | 644 incidents – Consumer firms (2021) | 663 incidents – Consumer firms (2022) | 807 incidents – Consumer firms (2023) | 749 incidents – Consumer firms (2024) | Declined |
 | | FCA Data | 204 incidents – Wholesale market firms (2021) | 232 incidents – Wholesale market firms (2022) | 314 incidents – Wholesale market firms (2023) | 319 incidents – Wholesale market firms (2024) | Declined |

*We revised the original baseline figures for the number of operational incidents reported to us. Please see ‘Further detail on these metrics and limitations’.
What the latest metric values tell us
Over the last 3 years we set out to minimise the harm from operational disruptions. We have delivered a significant amount of the supervisory, policy and wider cross-industry initiatives that we had planned as part of our work towards meeting the outcomes of this commitment. However, across this time, the threat landscape has continued to worsen and the incidents that firms have been reporting have become more complex. There is more to do, by regulators and by the financial industry as a whole, including its third-party suppliers, to meet these challenges.
We have done much to increase industry’s awareness of the importance of operational resilience post Covid-19. We introduced regulatory initiatives to strengthen the sector’s resilience over the last 3 years. Our messages on remaining operationally resilient, and the need for firms to minimise the impact of operational disruptions, have become more ingrained over the last 3 years. While the number of reported incidents has increased, this does not mean the sector is less resilient. We believe the general increase in the volume of incidents reported to us (CAC1-M01 and WAC1-M01), combined with the firm awareness metric (IOD1-M02) and the low impact assessment metric (IOD1-M01), reflects that.
While we have strengthened our operational resilience regime, we understand that disruptions will still happen. In a sector which increasingly relies on third parties and interconnectedness, our data shows the leading root cause for operational disruptions is problems with third parties that firms use. Firms also continue to face a high, and growing, level of cyber threats and operational resilience risks, against a complex geopolitical backdrop. That’s why we expect firms in scope of our rules to test and plan, but be able to remain within impact tolerance, for all severe but plausible scenarios, such as cyber attacks and third-party failures.
In the next few years, we expect firms to continue strengthening their resilience - engaging with their boards, securing investment, testing systems, and refining their response and recovery plans.