Operational Resilience

Read about the importance of operational resilience and the requirements for firms.

Operational resilience is the ability of firms, financial market infrastructures and the financial sector as a whole to prevent, adapt and respond to, recover and learn from operational disruption. With the first policy milestone having passed on 31 March 2022, firms now have until no later than 31 March 2025 to be able to operate within their impact tolerances.

The importance of operational resilience

Ensuring the UK financial sector is operationally resilient is important for consumers, firms and financial markets. We believe an operationally resilient financial system is one that can absorb shocks rather than compound them.

Operational disruptions and the unavailability of important business services have the potential to cause wide-reaching harm to consumers and/or risk to market integrity, threaten the viability of firms and cause instability in the financial system.

Covid-19 provided a clear example of the kind of severe but plausible events that our policy gets firms to consider. The disruption caused by Covid showed why it is critically important for firms to understand the important business services they provide, and to invest in their resilience to protect themselves, consumers and markets.

Strong operational resilience capabilities are especially important in times of elevated cyber risk. Read more on our page about the Russian invasion of Ukraine.

Operational resilience requirements for firms

In March 2021, we published our final rules and policy and a shared policy summary alongside the Bank and the Prudential Regulation Authority (PRA).

This policy statement follows our consultation paper, our shared policy summary for the consultation and the Bank’s discussion paper.

The rules apply to banks, building societies, PRA-designated investment firms, insurers, Recognised Investment Exchanges, Enhanced scope Senior Managers and Certification Regime firms, and entities authorised and registered under the Payment Services Regulations 2017 and Electronic Money Regulations 2011.

Our rules and guidance came into force on 31 March 2022.

If you’re one of these firms, as soon as reasonably practicable after 31 March 2022 and by no later than 31 March 2025, you will need to have:

  • performed mapping and testing so that you can remain within impact tolerances for each important business service  
  • made the necessary investments to enable you to operate consistently within your impact tolerance

By now, you must already have:

  • identified your important business services that, if disrupted, could cause intolerable harm to consumers of your firm or risk to market integrity, threaten the viability of firms or cause instability in the financial system
  • set impact tolerances for the maximum tolerable disruption to these services
  • carried out mapping and testing to a level of sophistication necessary to identify important business services, set impact tolerances and identify any vulnerabilities in your operational resilience
  • conducted lessons learnt exercises to identify, prioritise, and invest in your ability to respond and recover from disruptions as effectively as possible
  • developed internal and external communications plans for when important business services are disrupted
  • prepared self-assessment documentation

Currently, we assess firms’ operational resilience capabilities against our Operational Resilience Framework, which defines industry practices aligned to our existing rules and expectations. The new requirements above expand on the practices we expect firms to meet.

Insurance firms’ progress with implementation – our observations

To understand how firms have been preparing to meet their requirements, we asked for information from 47 firms about their important business services and impact tolerances.

Solvency II insurers, relevant insurance intermediaries and other firms in the sector should read our observations to:

  • check if your firm is in scope
  • see what actions you may still need to take
  • learn from examples of good practice and areas for improvement

Reporting an operational incident

Under Principle 11 of the FCA’s Principles for Businesses, firms are required to deal with the FCA in an open and cooperative way and to disclose to the FCA appropriately anything relating to the firm of which the FCA would reasonably expect notice. SUP 15.3 sets out additional rules and guidance on when the FCA would expect notice of matters relating to a firm. This means that the FCA is likely to expect a firm to report material operational incidents to the FCA. An incident may be material if it:

  • results in a significant loss of data
  • results in the unavailability or control of your IT systems
  • affects a large number of customers
  • results in unauthorised access to your information systems

Note that this list is not exhaustive. Payment service providers should also be aware of their obligations to report major operational or security incidents under the Payment Services Regulations 2017 (the PSRs). SUP 15.14 sets out additional directions and guidance on this obligation.

If you consider the incident to be material, please report it us by:

  • contacting your named FCA supervisor, if you have one 
  • using the channels on our contact page if you don’t have a named supervisor
  • informing the PRA if your firm is dual-regulated (by both the FCA and PRA)
  • by following any specific rules or directions that apply

You should also consider whether you may need to report the incident to anybody else:

  • If you believe the incident is criminal, you should contact Action Fraud via its website or by calling 0300 123 2040.
  • If the incident involves a data breach, you may need to report it to the Information Commissioner’s Office. Note they require you do this within 72 hours of becoming aware of the breach, where feasible.
  • For cyber incidents, you may need to report it to the National Cyber Security Centre.
  • It also helps other firms if you can share details of the incident on the CiSP platform. Fighting cybercrime must be a collaborative effort.

Potential measures to oversee critical third parties

We, along with the Bank of England and PRA, have published a Consultation Paper seeking views on how we oversee the resilience of services third parties provide that many financial firms rely on. This consultation opened on 7 December 2023 and closes on 15 March 2024.

The potential measures are designed to be consistent with the existing operational resilience framework for firms and FMIs. Any measures would complement, not replace, firms’ responsibilities to manage the potential impact to their firm of the failure or disruption to a third party.

On 1 March 2024, we published a Quarterly Consultation Paper on a draft Statement of Policy for critical third parties related disciplinary measures: CP24/3: Quarterly Consultation Paper No. 43. This consultation deals exclusively with our approach to using the enforcement powers we have been given through the new regime for the oversight of critical third parties. This consultation runs for 5 weeks and ends on 5 April 2024.

Authorities' Response Framework

In the event of a major operational disruption in the financial sector, we may use the Authorities' Response Framework (ARF) to coordinate a joint response with the other financial authorities including the Treasury and the Bank of England. 

Disruption in one part of the sector can spread to another, and to the wider economic system. The financial authorities have a crucial role in reducing the effects of this and ensuring stability. 

This joint framework has an overall governing body comprised of senior representatives from all 3 authorities. It enables the authorities to coordinate a response to an incident, while evaluating and responding to the impact of it against their own statutory objectives. We work to ensure the relevant markets function well, and through the framework we strive to reduce harm to consumers and markets.

See more information on the ARF.

Complete our cyber and operational resilience questionnaires

 

To help firms, as well as us, to understand their cyber resilience capability at a high level, with the PRA we’ve created a self-assessment questionnaire. CQUEST consists of multiple-choice questions covering aspects of cyber resilience, such as: 

  • does your firm have a board-approved cyber security strategy? 
  • how does it identify and protect its critical assets? 
  • how does it detect and respond to an incident, recover the business and learn from the experience?

The answers provide a valuable snapshot of a firm’s cyber resilience capability and highlight areas for development.

If you would like to complete CQUEST, please email your supervisor or portfolio lead, copying in [email protected].

The FCA has also created a broader operational resilience self-assessment questionnaire called ORQUEST to help firms, as well as us, understand their operational resilience capabilities, including their cyber capabilities.

If you would like to complete ORQUEST, please email your supervisor or portfolio lead, copying in [email protected].

 

Page updates

: Information added CP24/3: Quarterly Consultation Paper No. 43
: Editorial amendment page update as part of the website refresh
: Information changed To reflect that our rules and guidance came into force on 31 March 2022
: Information added Authorities' Response Framework section
: Information added Cyber Resilience updated to Operational Resilience.