Operational resilience: mapping your important business services
The FCA's and PRA's operational resilience framework, set out in Policy Statements PS21/3 (FCA) and PS6/21 (PRA), required firms to have identified their important business services (IBS), mapped the people, processes, technology, facilities and information that support each of them, and set impact tolerances by 31 March 2022. A further obligation, that firms must be able to demonstrate they can remain within those tolerances during a severe but plausible disruption, carried a deadline of 31 March 2025. That deadline has now passed, and the regulators have signalled that supervisory attention will focus on the quality and defensibility of firms' self-assessments rather than on whether the paperwork exists.
The IBS identification process requires firms to define services from the perspective of the end consumer or market participant, not from the perspective of internal functions or technology systems. A common failing is to conflate internal processes, or individual applications, with the externally facing service that customers actually depend on. Supervisory findings from the FCA and PRA indicate that some firms have identified 50 or more IBS, a number that typically reflects an inside-out, systems-led approach and creates an unmanageable scope for mapping and scenario testing. The regulators expect firms to apply genuine judgement about which services, if disrupted, would cause intolerable harm, and to limit the IBS list to those services that genuinely meet that threshold.
Impact tolerances must include a time-based metric: the maximum duration of disruption that can be tolerated for each IBS. Firms may add other metrics, such as the number of affected customers or the volume of failed transactions, but the duration is the one supervisors will test against. Setting a tolerance requires firms to understand the harm that a disruption would cause to consumers or markets at different durations, and to make a documented judgement about what is tolerable. The tolerance must be severe enough to be meaningful (an impact tolerance of 72 hours for a payment service used by retail customers is unlikely to be defensible) but must also reflect realistic recovery capabilities rather than aspirational targets. Note that an impact tolerance and a recovery time objective (RTO) answer different questions: the tolerance is a statement of harm set at the level of the service, while an RTO is a recovery commitment for one system or supplier. An IBS is only defensible when the combined recovery time of the components on its critical path fits inside the tolerance, and mismatches between impact tolerances and the RTOs in IT disaster recovery plans are a common gap that supervisors will probe.
Scenario testing is the mechanism by which firms demonstrate that they can stay within their impact tolerances. Tests should be severe but plausible, should cover a range of disruption types (cyber attack, third-party failure, loss of premises, loss of data, key personnel absence), and should go beyond desktop walkthroughs wherever the answer depends on technical recovery actually working, for example by failing over to the secondary site or restoring from backup under realistic conditions. The FCA expects firms to document testing outcomes, identify weaknesses, and implement remediation. Where a test reveals that the firm cannot currently remain within its impact tolerance, the firm must have a credible, funded plan to close the gap, and must be transparent about this in the self-assessment.
Third-party dependency mapping
One of the most practically challenging aspects of operational resilience is mapping third-party dependencies within each IBS. For many firms, critical services depend on a chain of vendors, sub-processors, and infrastructure providers whose own resilience arrangements are poorly understood, and a single cloud region or software vendor often sits underneath several IBS at once. The FCA's outsourcing rules in SYSC 8 and the PRA's Supervisory Statement SS2/21 on outsourcing and third-party risk management require firms to assess concentration risk across their third-party arrangements and, where a dependency is material, to have contractual rights to information, access and audit, together with credible exit or substitution options. Firms should review whether their supplier contracts include adequate resilience provisions and whether their third-party risk management programme extends meaningfully to sub-outsourcing, that is, to the suppliers their own suppliers depend on.
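The two checks that the tolerance paragraph and the dependency-mapping paragraph above describe, comparing the RTOs on an IBS's critical path against its impact tolerance and spotting vendors shared across services or hidden behind sub-outsourcing, can be done mechanically once the map exists. The following script is an added illustration and is not code from the FCA, the PRA or any firm; the service names, RTOs and vendors are constructed sample data, and the model assumes that when a resource depends on another it cannot be restored until that dependency is back (so RTOs add along a chain and the longest chain sets the effective recovery time). Real maps will need the people, facilities and information categories as well as technology.

```python
"""Resilience map checks (added example with constructed sample data).

Each IBS is a small dependency graph of resources.  A resource carries the
RTO committed in the DR plan and, if supplier-run, the vendor name.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Resource:
    name: str
    rto_hours: float                   # RTO committed in the DR plan
    depends_on: tuple[str, ...] = ()   # resources that must be back first
    vendor: str | None = None          # None means run in-house


@dataclass
class IBS:
    name: str
    impact_tolerance_hours: float      # maximum tolerable disruption
    entry: str                         # customer-facing resource of the service
    resources: dict[str, Resource] = field(default_factory=dict)


def recovery_path(ibs: IBS) -> tuple[float, list[str]]:
    """Return (effective recovery hours, critical path) for the service.

    Recovery of a resource = its own RTO + the slowest of its dependencies,
    i.e. the longest path from leaf infrastructure up to the entry point.
    Raises KeyError for a dependency that was never mapped and ValueError
    for a cyclic map, since both mean the map is not yet usable.
    """
    memo: dict[str, tuple[float, list[str]]] = {}
    visiting: set[str] = set()

    def walk(name: str) -> tuple[float, list[str]]:
        if name in memo:
            return memo[name]
        if name in visiting:
            raise ValueError(f"{ibs.name}: dependency cycle at {name!r}")
        res = ibs.resources.get(name)
        if res is None:
            raise KeyError(f"{ibs.name}: unmapped dependency {name!r}")
        visiting.add(name)
        slowest_hours, slowest_path = 0.0, []
        for dep in res.depends_on:
            hours, path = walk(dep)
            if hours > slowest_hours:
                slowest_hours, slowest_path = hours, path
        visiting.remove(name)
        memo[name] = (res.rto_hours + slowest_hours, slowest_path + [name])
        return memo[name]

    return walk(ibs.entry)


def tolerance_gaps(services: list[IBS]) -> dict[str, dict]:
    """IBS whose effective recovery time exceeds the stated impact tolerance."""
    gaps = {}
    for svc in services:
        hours, path = recovery_path(svc)
        if hours > svc.impact_tolerance_hours:
            gaps[svc.name] = {"effective_hours": hours,
                              "tolerance_hours": svc.impact_tolerance_hours,
                              "critical_path": path}
    return gaps


def vendor_concentration(services: list[IBS], min_services: int = 2) -> dict[str, list[str]]:
    """Vendors that at least `min_services` IBS depend on (concentration risk)."""
    seen: dict[str, set[str]] = {}
    for svc in services:
        for res in svc.resources.values():
            if res.vendor:
                seen.setdefault(res.vendor, set()).add(svc.name)
    return {v: sorted(names) for v, names in seen.items() if len(names) >= min_services}


def sub_outsourcing(ibs: IBS) -> list[tuple[str, str]]:
    """(vendor, sub-vendor) pairs: a supplier-run resource resting on another supplier."""
    pairs = set()
    for res in ibs.resources.values():
        if not res.vendor:
            continue
        for dep in res.depends_on:
            sub = ibs.resources[dep]
            if sub.vendor and sub.vendor != res.vendor:
                pairs.add((res.vendor, sub.vendor))
    return sorted(pairs)


def _build(*resources: Resource) -> dict[str, Resource]:
    return {r.name: r for r in resources}


# Constructed sample map: two IBS sharing one cloud region (hypothetical vendors).
RETAIL_PAYMENTS = IBS("retail_payments", impact_tolerance_hours=4, entry="payments_api", resources=_build(
    Resource("payments_api", 1.0, ("core_ledger", "fraud_screening")),
    Resource("core_ledger", 2.0, ("primary_db",)),
    Resource("primary_db", 1.5, ("cloud_region",), vendor="CloudCo"),
    Resource("fraud_screening", 0.5, ("cloud_region",), vendor="FraudVendor"),
    Resource("cloud_region", 2.0, vendor="CloudCo"),
))
MORTGAGE_ORIGINATION = IBS("mortgage_origination", impact_tolerance_hours=48, entry="broker_portal", resources=_build(
    Resource("broker_portal", 4.0, ("doc_store",)),
    Resource("doc_store", 8.0, ("cloud_region",), vendor="CloudCo"),
    Resource("cloud_region", 2.0, vendor="CloudCo"),
))
SAMPLE_SERVICES = [RETAIL_PAYMENTS, MORTGAGE_ORIGINATION]

if __name__ == "__main__":
    for name, gap in tolerance_gaps(SAMPLE_SERVICES).items():
        print(f"GAP {name}: {gap['effective_hours']}h > {gap['tolerance_hours']}h via {' -> '.join(gap['critical_path'])}")
    print("shared vendors:", vendor_concentration(SAMPLE_SERVICES))
    for svc in SAMPLE_SERVICES:
        print(f"sub-outsourcing in {svc.name}:", sub_outsourcing(svc))
```

On the sample data the retail payments service is flagged: its 4-hour tolerance is breached by a 6.5-hour critical path running from the cloud region through the database and ledger to the API, even though every individual RTO is under 2 hours. That is exactly the mismatch the paragraph on tolerances warns about, and it is invisible if RTOs are reviewed component by component. The concentration check surfaces CloudCo under both IBS, and the sub-outsourcing check shows the fraud vendor itself resting on CloudCo, which is the fourth-party dependency most contracts never mention.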