Welcome to the final article of the ICSR Operational Resilience Assurance Week’s series (Follow the conversation on LinkedIn at: #ICSROpResAssuranceWeek) which details what firms need to have in place by the end of March 2025 to be compliant with Operational Resilience regulations in the UK, looking beyond the deadline into the areas UK regulators are expected to shift their focus towards.

The practicalities of the approaching end to the transition period are a subject we covered in an article earlier this year: “Operational Resilience – The Final Furlong Towards Implementation”. In this article, we consider the specific nuances of the Assurance process and how it can help reduce the enterprise-related risk associated with self-certification and board sign-off, ensuring your firm’s Operational Resilience work remains aligned with the regulatory direction of travel.

What Must Your Firm Achieve By March 2025?

  1. Identification of Important Business Services (IBS)

Firms are required to identify their Important Business Services (IBS)—those services that, if disrupted, would cause significant harm to consumers or market integrity. The identification of IBS must be thorough and justified, and firms should be able to demonstrate the criteria used for their selection.

  2. Setting and Testing Impact Tolerances

Firms must have set Impact Tolerances for each IBS. These tolerances define the maximum acceptable level of disruption (duration or magnitude) that your firm can manage before it causes intolerable harm. By March 2025, firms need to demonstrate that they have tested their ability to remain within these Impact Tolerances through realistic and challenging scenario testing.

  3. Scenario Testing

Firms should have conducted and documented their Scenario Testing exercises to test the ability of their IBS to remain within the set Impact Tolerances. These scenarios should be both plausible and extreme, covering a wide range of potential disruptions. Firms are expected to demonstrate that they have used these exercises to identify and address any vulnerabilities or gaps in their Operational Resilience.

  4. Mapping

Firms are required to map the resources—people, technology, facilities, information, and third parties—that support their IBS. This mapping should be detailed enough to allow firms to understand how disruptions to these resources could affect their ability to deliver their IBS and to respond effectively.

  5. Remediation of Vulnerabilities

If Scenario Testing or mapping has identified vulnerabilities in a firm’s Operational Resilience, these vulnerabilities should be resolved or, at the very least, there should be a clear and actionable plan for remediation. The goal is to ensure that by March 2025, firms have addressed any significant risks that could prevent them from operating within their Impact Tolerances.

  6. Governance and Oversight

Firms are expected to have implemented governance frameworks that provide senior management and boards with oversight of their Operational Resilience efforts. This includes evidence that the board has approved your firm’s IBS, Impact Tolerances, and Operational Resilience strategies. Firms must demonstrate that Operational Resilience is embedded within their overall risk management frameworks.

  7. Self-Assessment

Firms must complete a self-assessment document outlining how they have met the requirements of Operational Resilience regulation. This document should describe:

    • The identification of IBS.
    • The setting of Impact Tolerances.
    • Scenario Testing conducted.
    • Any actions taken to address vulnerabilities.
    • Governance and oversight mechanisms.

This self-assessment must be available for review upon request by the FCA, PRA, or BoE by 31st March 2025 but does not need to be submitted otherwise. Firms should ensure that it is clear, comprehensive, and backed by documented evidence, as regulators will review this during future supervisory or thematic assessments.

Regulators Require Firms To Demonstrate Continuous Improvements

Operational Resilience is not a one-time exercise. Firms are expected to continuously review and improve their resilience frameworks beyond the March 2025 deadline. Regulators will expect firms to be able to demonstrate how they monitor, test, and adapt their resilience practices over time.

Monitoring, Testing And Adapting Your Operational Resilience Framework

Firms must demonstrate a clear commitment to continuous improvement in their Operational Resilience frameworks. This requires an ongoing cycle of monitoring, testing, and adapting their resilience strategies to keep pace with evolving risks and operational challenges. Firms should regularly review their Important Business Services (IBS), ensuring that they continue to reflect the firm’s critical operational and customer needs. This means assessing changes in business models, emerging threats, and shifts in regulatory expectations.

Testing must also be a continuous process. Scenario testing should go beyond initial compliance and be used to identify new vulnerabilities in response to changing operational environments, such as advancements in technology, third-party dependencies, or cyber threats. The results of these tests should directly inform updates to Impact Tolerances and contingency plans, ensuring that your firm’s ability to recover from disruptions remains robust. Continuous monitoring, using both internal performance metrics and external risk indicators, is essential to anticipate potential disruptions before they occur. By embedding Operational Resilience into business-as-usual activities, firms ensure that they are not only compliant but also agile and responsive to an increasingly complex risk landscape.

Operational Resilience Plans For 2025 And Beyond

Looking ahead to 2025 and beyond, Operational Resilience will become a central element of long-term business strategy, rather than just a regulatory requirement. Firms must move from short-term compliance efforts to creating dynamic and forward-looking resilience plans. These plans should account for the full range of potential future challenges, from technology disruptions to climate-related risks. To remain resilient, firms will need to regularly update their resilience frameworks to reflect new risks, including evolving market conditions and regulatory changes. This might involve further refining IBS and Impact Tolerances as new services become critical or as customer expectations shift.

Additionally, firms will need to continue strengthening their third-party risk management practices, particularly as regulators increase scrutiny on Critical Third Parties (CTPs). Firms should ensure that third-party contracts incorporate resilience requirements, and that regular testing and assurance reviews are conducted to verify that third parties remain capable of supporting IBS under stress conditions.

By proactively enhancing their Operational Resilience strategies, firms can safeguard against future disruptions, maintain trust with customers and stakeholders, and ensure long-term business viability. In this sense, 2025 is not the end of the resilience journey but the beginning of an ongoing process of adaptation and enhancement in response to an evolving risk environment.

Regulatory Direction Of Travel

After the March 2025 deadline for Operational Resilience, we expect to see the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), and Bank of England (BoE) shift focus toward continuous supervision, enforcement, and further strengthening of Operational Resilience across the financial services sector. The post-March 2025 agenda will likely emphasise several key areas to ensure firms are not only meeting minimum standards but are also evolving their resilience frameworks in response to emerging risks and challenges. Here are some of the primary focus areas to be expected on the regulators’ agenda:

  1. Ongoing Supervisory Engagement and Monitoring

After March 2025, UK regulators will transition from ensuring firms meet the initial Operational Resilience requirements to monitoring how well firms are embedding Operational Resilience into their day-to-day operations. This will likely include:

  • Thematic reviews: Regulators may conduct industry-wide thematic reviews to assess common vulnerabilities or best practices in Operational Resilience frameworks.
  • Firm-specific supervisory reviews: Supervisors will likely engage more closely with individual firms to review their Operational Resilience, including testing of Important Business Services (IBS), Impact Tolerances, and scenario testing outcomes.
  • Review of self-assessment documents: Firms’ self-assessments (prepared by March 2025) will be scrutinised during supervisory assessments. Firms may need to update and improve these over time based on feedback.

In recent times, the regulators have increasingly looked to encourage firms to consider how examples of good practices from across the market might influence their own approach. Firms should consider how they might identify such examples as part of their assurance process.

  2. Scenario Testing and Continuous Improvement

After the initial March 2025 compliance date, regulators are likely to expect firms to:

  • Enhance their scenario testing: Firms will need to regularly perform more sophisticated and challenging scenario tests that reflect evolving risks such as cyber threats, geopolitical issues, supply chain disruptions, and third-party failures.
  • Regularly review Impact Tolerances: As businesses evolve and new risks emerge, regulators will expect firms to review and potentially adjust their Impact Tolerances. Regulators may issue guidance to help firms benchmark these tolerances appropriately.
  • Address emerging vulnerabilities: Firms will be required to continuously identify and resolve vulnerabilities discovered through scenario testing, actual incidents, or regulatory reviews.

  3. Increased Focus on Third-Party and Outsourcing Risk

Post-March 2025, there will likely be greater regulatory scrutiny on third-party providers and outsourcing arrangements, especially given the heavy reliance of financial firms on cloud providers, fintech partners, and other critical third parties. Key points of focus are expected to include:

  • Critical third parties: Regulators will likely pay more attention to how firms manage risks from their critical third parties and whether resilience measures from these parties are robust enough to support firms’ IBS.
  • Regulatory frameworks for third parties: There will be further regulation or guidelines around the obligations of third-party providers to ensure resilience, especially regarding concentration risk in service providers like cloud providers. Consultation for CP23/30 ended in March 2024 and we are expecting the Policy Statement in the next few months.
  • Operational continuity: Ensuring continuity of IBS through third parties, including through exit strategies and alternative arrangements.

  4. Technology and Cyber Resilience

Given the increasing digitisation of financial services, regulators will likely place an even greater focus on cyber resilience post-March 2025. This may involve:

  • Cyber risk testing and mitigation: Firms may be expected to conduct more rigorous testing of their cybersecurity measures as part of their scenario testing.
  • Supply chain cyber risks: With interconnected systems, regulators may focus more on how firms manage cyber risks in their supply chains, especially from third-party IT service providers.
  • Regulatory guidelines on new technologies: As firms adopt technologies such as artificial intelligence, cloud computing, and distributed ledger technologies, regulators may provide further guidance on how to integrate these into Operational Resilience frameworks without increasing vulnerabilities.

  5. Review of IBS and Impact Tolerances

Regulators will continue to assess the effectiveness of firms’ identification of IBS and the setting of Impact Tolerances beyond the March 2025 deadline. Over time, regulators are likely to encourage firms to:

  • Refine and expand their IBS: As businesses evolve and customer needs change, regulators will expect firms to refine their definitions of IBS to ensure critical services are protected.
  • Regular reviews of Impact Tolerances: As market conditions and risks change, firms will be expected to periodically review and adjust their Impact Tolerances, keeping in line with operational realities and emerging risks.

  6. Enforcement and Remediation for Non-Compliance

For firms that fail to meet the March 2025 deadline or show inadequate progress in embedding Operational Resilience post-deadline, regulators may initiate:

  • Enforcement actions: Regulatory penalties or sanctions could be imposed on firms that do not meet the required standards or are found to be non-compliant during post-deadline reviews.
  • Mandated remediation plans: Firms with significant deficiencies in their Operational Resilience frameworks may be required to submit and implement detailed remediation plans, subject to ongoing regulatory monitoring.

  7. Board and Senior Management Accountability

The role of governance in Operational Resilience will continue to be a major post-2025 focus, as regulators emphasise accountability at the senior management and board levels. This includes:

  • Senior Managers and Certification Regime (SM&CR): Regulators will increasingly hold senior managers accountable for their firm’s Operational Resilience outcomes, requiring evidence of proper oversight and decision-making related to resilience.
  • Board oversight: Boards will be expected to continue playing a critical role in Operational Resilience, ensuring that resilience remains a key consideration in strategic decision-making and risk management.

  8. Adapting to Future Regulatory Changes

Post-March 2025, Operational Resilience regulation is expected to evolve further as new risks emerge and financial markets continue to develop. UK regulators may:

  • Issue updated guidance or regulatory amendments: In response to emerging risks, such as technological advancements, geopolitical issues, or climate risks, regulators may revise Operational Resilience guidelines or introduce new requirements.
  • Focus on international alignment: With global regulators also advancing their Operational Resilience agendas, UK regulators may seek to align their frameworks with those of international bodies to maintain consistency for multinational firms. The Digital Operational Resilience Act (DORA) that applies to businesses operating in EU territories is the most obvious example that already affects many firms.

  9. Climate-Related Operational Resilience Risks

In alignment with broader sustainability and environmental, social, and governance (ESG) trends, regulators may increasingly focus on the operational risks posed by climate change. Firms will need to:

  • Incorporate climate risk into scenario testing: Firms may be required to assess the impact of climate-related disruptions, such as extreme weather events, on their operations and supply chains.
  • Develop resilience to long-term climate risks: Regulators could expect firms to build resilience against slow-onset risks associated with climate change, including resource scarcity or regulatory changes in high-risk geographies.

Conclusion

By March 2025, firms subject to Operational Resilience regulation must be able to:

  • Demonstrate that they have identified their Important Business Services.
  • Show that they have set and tested appropriate Impact Tolerances.
  • Show that they have conducted scenario testing and addressed the vulnerabilities it revealed.
  • Have governance frameworks in place to ensure ongoing resilience.
  • Produce a comprehensive self-assessment, available to regulators upon request.

While firms are not required to submit a specific regulatory filing for March 2025, they must be prepared to provide the regulators with evidence of their compliance and Operational Resilience capabilities as part of the supervisory process. That self-assessment must be complete and available by 31st March 2025.

Post-March 2025, UK regulators will maintain a rigorous approach to Operational Resilience, focusing on continuous improvement, enforcement, and the effective integration of resilience into governance structures. Firms should be prepared to provide ongoing evidence of compliance, regularly test and adapt their frameworks, and address vulnerabilities that may arise in an evolving risk landscape. The agenda post-deadline will shift from preparation to sustained vigilance, ensuring that Operational Resilience remains a top priority in the financial sector.

This article concludes ICSR’s Operational Resilience Assurance Week. You can find links to all of the articles below. If you would like to discuss how ICSR can leverage their extensive knowledge and experience to bolster your firm’s confidence in their ability to evidence compliance with Operational Resilience regulation, please do speak with either of the authors or your usual ICSR contact.

Talking Operational Resilience

Kenneth Underhill talks about the approaching end to the Operational Resilience transition period and what happens after March 2025 in this short video.
