Welcome to the final article in ICSR's Operational Resilience Assurance Week series (follow the conversation on LinkedIn at #ICSROpResAssuranceWeek). It details what firms need to have in place by the end of March 2025 to comply with Operational Resilience regulations in the UK, and looks beyond the deadline to the areas UK regulators are expected to shift their focus towards.
The practicalities of the approaching end to the transition period are a subject we covered in an article earlier this year: "Operational Resilience – The Final Furlong Towards Implementation". In this article, we consider the specific nuances of the Assurance process and how it can help reduce the enterprise-related risk associated with the self-certification process and board sign-off, ensuring your firm's Operational Resilience work remains aligned to the regulatory direction of travel.
What Must Your Firm Achieve By March 2025?
- Identification of Important Business Services (IBS)
Firms are required to identify their Important Business Services (IBS)—those services that, if disrupted, would cause significant harm to consumers or market integrity. The identification of IBS must be thorough and justified, and firms should be able to demonstrate the criteria used for their selection.
- Setting and Testing Impact Tolerances
Firms must have set Impact Tolerances for each IBS. These tolerances define the maximum acceptable level of disruption (duration or magnitude) that your firm can manage before it causes intolerable harm. By March 2025, firms need to demonstrate that they have tested their ability to remain within these Impact Tolerances through realistic and challenging scenario testing.
- Scenario Testing
Firms should have conducted and documented their Scenario Testing exercises to test the ability of their IBS to remain within the set Impact Tolerances. These scenarios should be both plausible and extreme, covering a wide range of potential disruptions. Firms are expected to demonstrate that they have used these exercises to identify and address any vulnerabilities or gaps in their Operational Resilience.
- Mapping
Firms are required to map the resources—people, technology, facilities, information, and third parties—that support their IBS. This mapping should be detailed enough to allow firms to understand how disruptions to these resources could affect their ability to deliver their IBS and to respond effectively.
- Remediation of Vulnerabilities
If Scenario Testing or mapping has identified vulnerabilities in a firm’s Operational Resilience, these vulnerabilities should be resolved or, at the very least, there should be a clear and actionable plan for remediation. The goal is to ensure that by March 2025, firms have addressed any significant risks that could prevent them from operating within their Impact Tolerances.
- Governance and Oversight
Firms are expected to have implemented governance frameworks that provide senior management and boards with oversight of their Operational Resilience efforts. This includes evidence that the board has approved your firm’s IBS, Impact Tolerances, and Operational Resilience strategies. Firms must demonstrate that Operational Resilience is embedded within their overall risk management frameworks.
- Self-Assessment
Firms must complete a self-assessment document outlining how they have met the requirements of Operational Resilience regulation. This document should describe:
- The identification of IBS.
- The setting of Impact Tolerances.
- Scenario Testing conducted.
- Any actions taken to address vulnerabilities.
- Governance and oversight mechanisms.
This self-assessment must be available for review upon request by the FCA, PRA, or BoE by 31st March 2025 but does not need to be submitted otherwise. Firms should ensure that it is clear, comprehensive, and backed by documented evidence, as regulators will review this during future supervisory or thematic assessments.
Regulators Require Firms To Demonstrate Continuous Improvements
Operational Resilience is not a one-time exercise. Firms are expected to continuously review and improve their resilience frameworks beyond the March 2025 deadline. Regulators will expect firms to be able to demonstrate how they monitor, test, and adapt their resilience practices over time.
Monitoring, Testing And Adapting Your Operational Resilience Framework
Firms must demonstrate a clear commitment to continuous improvement in their Operational Resilience frameworks. This requires an ongoing cycle of monitoring, testing, and adapting their resilience strategies to keep pace with evolving risks and operational challenges. Firms should regularly review their Important Business Services (IBS), ensuring that they continue to reflect the firm's critical operational and customer needs. This means assessing changes in business models, emerging threats, and shifts in regulatory expectations.
Testing must also be a continuous process. Scenario testing should go beyond initial compliance and be used to identify new vulnerabilities in response to changing operational environments, such as advancements in technology, third-party dependencies, or cyber threats. The results of these tests should directly inform updates to Impact Tolerances and contingency plans, ensuring that your firm’s ability to recover from disruptions remains robust. Continuous monitoring, using both internal performance metrics and external risk indicators, is essential to anticipate potential disruptions before they occur. By embedding Operational Resilience into business-as-usual activities, firms ensure that they are not only compliant but also agile and responsive to an increasingly complex risk landscape.
Operational Resilience Plans For 2025 And Beyond
Looking ahead to 2025 and beyond, Operational Resilience will become a central element of long-term business strategy, rather than just a regulatory requirement. Firms must move from short-term compliance efforts to creating dynamic and forward-looking resilience plans. These plans should account for the full range of potential future challenges, from technology disruptions to climate-related risks. To remain resilient, firms will need to regularly update their resilience frameworks to reflect new risks, including evolving market conditions and regulatory changes. This might involve further refining IBS and Impact Tolerances as new services become critical or as customer expectations shift.
Additionally, firms will need to continue strengthening their third-party risk management practices, particularly as regulators increase scrutiny on Critical Third Parties (CTPs). Firms should ensure that third-party contracts incorporate resilience requirements, and that regular testing and assurance reviews are conducted to verify that third parties remain capable of supporting IBS under stress conditions.
By proactively enhancing their Operational Resilience strategies, firms can safeguard against future disruptions, maintain trust with customers and stakeholders, and ensure long-term business viability. In this sense, 2025 is not the end of the resilience journey but the beginning of an ongoing process of adaptation and enhancement in response to an evolving risk environment.
Regulatory Direction Of Travel
After the March 2025 deadline for Operational Resilience, we expect to see the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), and Bank of England (BoE) shift focus toward continuous supervision, enforcement, and further strengthening of Operational Resilience across the financial services sector. The post-March 2025 agenda will likely emphasise several key areas to ensure firms are not only meeting minimum standards but are also evolving their resilience frameworks in response to emerging risks and challenges. Here are some of the primary focus areas to be expected on the regulators’ agenda:
- Ongoing Supervisory Engagement and Monitoring
After March 2025, UK regulators will transition from ensuring firms meet the initial Operational Resilience requirements to monitoring how well firms are embedding Operational Resilience into their day-to-day operations. This will likely include:
- Thematic reviews: Regulators may conduct industry-wide thematic reviews to assess common vulnerabilities or best practices in Operational Resilience frameworks.
- Firm-specific supervisory reviews: Supervisors will likely engage more closely with individual firms to review their Operational Resilience, including testing of Important Business Services (IBS), Impact Tolerances, and scenario testing outcomes.
- Review of self-assessment documents: Firms’ self-assessments (prepared by March 2025) will be scrutinised during supervisory assessments. Firms may need to update and improve these over time based on feedback.
In recent times, the regulators have increasingly looked to encourage firms to consider how examples of good practices from across the market might influence their own approach. Firms should consider how they might identify such examples as part of their assurance process.
- Scenario Testing and Continuous Improvement
After the initial March 2025 compliance date, regulators are likely to expect firms to:
- Enhance their scenario testing: Firms will need to regularly perform more sophisticated and challenging scenario tests that reflect evolving risks such as cyber threats, geopolitical issues, supply chain disruptions, and third-party failures.
- Regularly review Impact Tolerances: As businesses evolve and new risks emerge, regulators will expect firms to review and potentially adjust their Impact Tolerances. Regulators may issue guidance to help firms benchmark these tolerances appropriately.
- Address emerging vulnerabilities: Firms will be required to continuously identify and resolve vulnerabilities discovered through scenario testing, actual incidents, or regulatory reviews.
- Increased Focus on Third-Party and Outsourcing Risk
Post-March 2025, there will likely be greater regulatory scrutiny on third-party providers and outsourcing arrangements, especially given the heavy reliance of financial firms on cloud providers, fintech partners, and other critical third parties. Key points of focus are expected to include:
- Critical third parties: Regulators will likely pay more attention to how firms manage risks from their critical third parties and whether resilience measures from these parties are robust enough to support firms’ IBS.
- Regulatory frameworks for third parties: There will be further regulation or guidelines around the obligations of third-party providers to ensure resilience, especially regarding concentration risk in service providers like cloud providers. Consultation for CP23/30 ended in March 2024 and we are expecting the Policy Statement in the next few months.
- Operational continuity: Ensuring continuity of IBS through third parties, including through exit strategies and alternative arrangements.
- Technology and Cyber Resilience
Given the increasing digitisation of financial services, regulators will likely place an even greater focus on cyber resilience post-March 2025. This may involve:
- Cyber risk testing and mitigation: Firms may be expected to conduct more rigorous testing of their cybersecurity measures as part of their scenario testing.
- Supply chain cyber risks: With interconnected systems, regulators may focus more on how firms manage cyber risks in their supply chains, especially from third-party IT service providers.
- Regulatory guidelines on new technologies: As firms adopt technologies such as artificial intelligence, cloud computing, and distributed ledger technologies, regulators may provide further guidance on how to integrate these into Operational Resilience frameworks without increasing vulnerabilities.
- Review of IBS and Impact Tolerances
Regulators will continue to assess the effectiveness of firms’ identification of IBS and the setting of Impact Tolerances beyond the March 2025 deadline. Over time, regulators are likely to encourage firms to:
- Refine and expand their IBS: As businesses evolve and customer needs change, regulators will expect firms to refine their definitions of IBS to ensure critical services are protected.
- Regular reviews of Impact Tolerances: As market conditions and risks change, firms will be expected to periodically review and adjust their Impact Tolerances, keeping in line with operational realities and emerging risks.
- Enforcement and Remediation for Non-Compliance
For firms that fail to meet the March 2025 deadline or show inadequate progress in embedding Operational Resilience post-deadline, regulators may initiate:
- Enforcement actions: Regulatory penalties or sanctions could be imposed on firms that do not meet the required standards or are found to be non-compliant during post-deadline reviews.
- Mandated remediation plans: Firms with significant deficiencies in their Operational Resilience frameworks may be required to submit and implement detailed remediation plans, subject to ongoing regulatory monitoring.
- Board and Senior Management Accountability
The role of governance in Operational Resilience will continue to be a major post-2025 focus, as regulators emphasise accountability at the senior management and board levels. This includes:
- Senior Managers and Certification Regime (SM&CR): Regulators will increasingly hold senior managers accountable for their firm’s Operational Resilience outcomes, requiring evidence of proper oversight and decision-making related to resilience.
- Board oversight: Boards will be expected to continue playing a critical role in Operational Resilience, ensuring that resilience remains a key consideration in strategic decision-making and risk management.
- Adapting to Future Regulatory Changes
Post-March 2025, Operational Resilience regulation is expected to evolve further as new risks emerge and financial markets continue to develop. UK regulators may:
- Issue updated guidance or regulatory amendments: In response to emerging risks, such as technological advancements, geopolitical issues, or climate risks, regulators may revise Operational Resilience guidelines or introduce new requirements.
- Focus on international alignment: With global regulators also advancing their Operational Resilience agendas, UK regulators may seek to align their frameworks with those of international bodies to maintain consistency for multinational firms. The Digital Operational Resilience Act (DORA) that applies to businesses operating in EU territories is the most obvious example that already affects many firms.
- Climate-Related Operational Resilience Risks
In alignment with broader sustainability and environmental, social, and governance (ESG) trends, regulators may increasingly focus on the operational risks posed by climate change. Firms will need to:
- Incorporate climate risk into scenario testing: Firms may be required to assess the impact of climate-related disruptions, such as extreme weather events, on their operations and supply chains.
- Develop resilience to long-term climate risks: Regulators could expect firms to build resilience against slow-onset risks associated with climate change, including resource scarcity or regulatory changes in high-risk geographies.
Conclusion
By March 2025, firms subject to Operational Resilience regulation must be able to:
- Demonstrate that they have identified their Important Business Services.
- Demonstrate that they have set and tested appropriate Impact Tolerances.
- Show that they have conducted scenario testing and addressed vulnerabilities.
- Have governance frameworks in place to ensure ongoing resilience.
- Produce a comprehensive self-assessment, available to regulators upon request.
While firms are not required to submit a specific regulatory filing for March 2025, they must be prepared to provide the regulators with evidence of their compliance and Operational Resilience capabilities as part of the supervisory process. That self-assessment must be complete and available by 31st March 2025.
Post-March 2025, UK regulators will maintain a rigorous approach to Operational Resilience, focusing on continuous improvement, enforcement, and the effective integration of resilience into governance structures. Firms should be prepared to provide ongoing evidence of compliance, regularly test and adapt their frameworks, and address vulnerabilities that may arise in an evolving risk landscape. The agenda post-deadline will shift from preparation to sustained vigilance, ensuring that Operational Resilience remains a top priority in the financial sector.
This article concludes ICSR’s Operational Resilience Assurance Week. You can find links to all of the articles below. If you would like to discuss how ICSR can leverage their extensive knowledge and experience to bolster your firm’s confidence in their ability to evidence compliance with Operational Resilience regulation, please do speak with either of the authors or your usual ICSR contact.
Talking Operational Resilience
Kenneth Underhill talks about the approaching end to the Operational Resilience transition period and what happens after March 2025 in this short video.
Additional Reading & Viewing - articles, webinars and case studies on Operational Resilience
- ICSR Operational Resilience webinars – watch on our YouTube channel:
- Operational Resilience – Introduction with Kenneth Underhill (4th June 2020)
- ICSR Webinar: Technology & Operational Resilience (16th July 2020)
- Operational Resilience: Service and Activity Mapping with Kenneth Underhill (8th October 2020)
- Operational Resilience: Impact Tolerances webinar (26th May 2021)
- Articles:
- Operational Resilience Assurance Week – Preparing For Q1 Board Review And Sign-Off (25th October 2024)
- Operational Resilience – The Final Furlong Towards Implementation (21st May 2024)
- TSB Operational Resilience Fine – What Lessons Can Insurers Learn From This? (18th January 2023)
- Outsourcing and Third-Party Arrangements – Creating Resilience In Your Operational Processes (10th February 2022)
- Operational Resilience – A Regulatory Double-Header (15th April 2021)
- Mapping Important Business Services: When Does A Service Finish? (12th November 2020)
- Operational Resilience: The First Shot Has Been Fired! (6th March 2020)
- Case Studies:
- Assisting International Insurer Manage Its Operational Resilience Obligations
- Digital Operational Resilience Act (DORA) Support For Client In The Irish Regulated Market
- Supporting The Client With The Delivery Of A New Governance, Service And Operating Model As A Part Of A Corporate Restructure
- Assisting London Market Insurance Broker With Operational Resilience
- Support Developing Operational Resilience Control Framework
- Assisting Client With Project Delivering PRA and FCA Operational Resilience Requirements
- Support Preparing For Introduction of Operational Resilience and Business Continuity Planning