The UK Financial Conduct Authority (FCA) has been a global standard setter in operational resilience, advancing the concept from traditional business continuity planning into a harm-prevention, service-based regulatory regime and influencing regulatory thinking around the globe.
On 27 March 2026, the FCA published Operational Resilience: Insights and Observations One Year On, which provides its view on the progress firms have made in implementing operational resilience regulations and identifies areas where improvement opportunities exist. The FCA’s views align with many of the challenges we’ve observed across the industry. Here’s what stood out:
- Important business services (IBS) and impact tolerances: While many firms have established strong methodologies and rationale for defining IBS, the FCA noted that firms should be able to identify when harm would occur to consumers and when it would impact the market. A service should be classed as an IBS only if the firm can clearly articulate the intolerable harm that could occur if the IBS was disrupted. In our experience, firms can articulate harm but often struggle with the concept of intolerable harm. When “intolerable harm” is successfully defined, firms are better positioned to set accurate and meaningful impact-tolerance metrics, including those relating to consumer harm and market impact.
- Third-party dependencies remain a blind spot: Despite growing reliance on outsourced services, many firms are not adequately understanding and addressing third-party vulnerabilities, instead focusing disproportionately on technology vulnerabilities. Many have not yet mapped the chain of fourth- and nth-party dependencies to a level that enables them to obtain a clear picture of resilience vulnerabilities within the supply chains that underpin the delivery of IBS. Examples of resilience vulnerabilities include heightened exposure to concentration risk and single points of failure where there is no contingency solution in place.
- Scenario testing lacks depth: The FCA’s call for more rigorous scenario testing reflects the need for firms to move beyond theoretical exercises and use real-world evidence to stress-test their resilience strategies. It is important for firms to identify the scenarios that could lead them to breach their impact tolerances, as this can help drive strategic investment in improving operational resilience. In our experience, firms that develop an integrated resilience-testing programme that coordinates various types of testing across the firm can gather more valuable insights and build a clearer picture of the firm’s resilience posture over time.
- Governance needs to be dynamic: The FCA’s emphasis on continuous improvement in self-assessments resonates strongly. Static, one-off assessments fail to capture evolving risks and opportunities for growth. A clear theme has emerged from our work across the financial services industry: Those firms that view resilience as a tick-box exercise fail to improve the resilience posture of the firm as quickly as those firms that treat resilience as a strategic enabler and imperative for building customer trust.
What Firms Should Focus On
To close the gaps identified by the FCA and build truly resilient operations, firms should prioritise the following:
- Embed a culture of operational resilience: This must trickle down from the board, with an intent to place operational resilience on the same footing as financial resilience. Management must be incentivised to drive operational resilience and be rewarded in doing so, as opposed to a relentless pursuit of cost-saving and profit maximisation.
- Improve horizon scanning and intelligence capability: Firms that identify emerging resilience threats faster and more holistically can take appropriate and timely action, resulting in better preparedness to avoid or withstand disruptive events.
- Build effective communications protocols: Operational-resilience threats are guaranteed to materialise, often when firms least expect them. Effective communications protocols are critical in maintaining trust and transparency during times of crisis. these should be well documented and regularly tested.
- Fail fast and learn: A resilient organisation seeks to identify failures and implement remedial actions quickly to avoid reoccurrences in the future. Repeated failures of a similar nature can quickly destroy customer trust and reputation.
- Implement a rigorous testing and assurance programme: A mature programme of testing is important for understanding, and proving, resilience capability. Alongside testing, firms should proactively engage second- and third-line functions to seek assurance and maintain awareness of leading industry practices.
Conclusion
The FCA’s insights provide a timely reminder for firms to elevate operational resilience beyond compliance. By embedding resilience into business strategy — through regular board engagement, robust governance and strategic investment in resilience — firms can strengthen trust, protect consumers and safeguard market integrity in an increasingly disruptive world.
