In the final months before the deadline for Operational Resilience compliance, many organisations are under pressure to ensure that their processes, frameworks, and systems meet regulatory expectations. Many of our clients have reached out for support in injecting pace in the final stages of their Operational Resilience programme and also to ensure that their Operational Resilience Framework is fit for purpose ahead of preparing their all-important Self-Assessment for board review and approval. At the heart of this effort is assurance — a process that provides stakeholders with confidence that an organisation’s Operational Resilience framework is effective, compliant, and sustainable. But why exactly does assurance matter, and what is required to ensure it is fit for purpose?
This article is the first in ICSR’s Operational Resilience Assurance Week series (follow the conversation on LinkedIn at #ICSROpResAssuranceWeek). It explores the vital role assurance plays in Operational Resilience, highlighting the regulatory backdrop, the risks of non-compliance, and how firms can ensure their assurance processes are robust, transparent, and aligned with long-term business objectives.
The Importance of Operational Resilience Assurance to Achieve Compliance
The Operational Resilience framework is underpinned by regulatory requirements set by the Financial Conduct Authority (FCA), the Prudential Regulation Authority (PRA), and the Bank of England. These regulators have defined clear expectations for firms to build Operational Resilience by identifying their Important Business Services (IBS), setting Impact Tolerances, and implementing measures to remain within those tolerances during disruptions.
Boards are expected to ensure that their firm has developed Operational Resilience frameworks that are proactive rather than reactive, ensuring that systems are tested and ready to withstand, or quickly recover from, disruptions. Assurance is critical because it provides senior management and board members with a degree of certainty that a firm’s resilience framework is effective and can be relied upon in practice.
By March 2025, firms must have thoroughly tested their Operational Resilience frameworks, addressed identified gaps, and assured key stakeholders of their ability to meet regulatory requirements. Assurance is not just about ticking boxes — it is about demonstrating that firms can confidently manage risk, maintain continuity of services, and protect consumers and the broader financial system from operational failure.
Key Benefits of Assurance
Demonstrating Compliance to Boards and Regulators
The FCA and PRA have made it clear that they will scrutinise how firms are preparing for operational disruptions. The deadline of March 2025 is not just a target – it is the moment when firms must demonstrate full compliance with regulations that require:
- Identification of important business services
- Setting of clear impact tolerances
- Evidence that these tolerances can be met during severe disruptions
Independent assurance can provide the objective evidence you need to show that your firm’s Operational Resilience framework meets these expectations. It serves as an external stamp of approval, validating that your organisation has done everything possible to meet regulatory requirements. It will also add strength to your Self-Assessment ahead of board review and sign-off.
Uncovering Blind Spots in Resilience Planning
Even the most well-prepared firms can suffer from internal blind spots. This is particularly true when Operational Resilience efforts are driven by internal teams, where familiarity with processes and services may cause critical risks to be overlooked.
An independent assurance provider (be that internal if the skills are available, or an external resource) brings a fresh, unbiased perspective. They can identify gaps in your resilience strategy, uncover discrepancies between objectives and deliverables, or point out where impact tolerances might not be realistic under severe stress scenarios. This review helps firms avoid the complacency that can come from over-reliance on their original assessments.
Enhancing Stakeholder Confidence
Insurance firms operate in a highly interconnected environment, interacting with a web of stakeholders – including customers, regulators, investors, and third-party suppliers. In the event of an operational disruption, confidence in your firm’s ability to recover quickly and effectively is critical to maintaining trust.
By soliciting independent assurance, your firm sends a clear message to stakeholders: you are taking Operational Resilience seriously and are willing to have your processes rigorously tested by external experts. This can bolster trust, both within your firm and externally, while ensuring that your stakeholders are confident in your ability to manage disruptions effectively.
Strengthening Third-Party Risk Management
In the interconnected world of insurance, third-party relationships are a critical component of service delivery. However, they also represent a significant risk. A disruption at a third-party provider can have a cascading effect on your firm’s ability to meet its own impact tolerances.
Independent assurance can provide a detailed review of your third-party risk management processes, ensuring that your supply chain is as resilient as your own internal operations. It can also help firms verify that their third-party contracts and service-level agreements are aligned with Operational Resilience requirements, providing a safety net if a key provider experiences disruption.
Preparing for Post-Deadline Scrutiny
While meeting the March 2025 deadline is crucial, the work doesn’t stop there. Regulators are likely to conduct post-deadline reviews, and firms will need to maintain ongoing Operational Resilience. Independent assurance not only prepares firms for the immediate regulatory deadline but also helps to establish continuous monitoring processes that ensure long-term resilience.
By engaging with independent assurance now, your firm can be confident that it is not only ready for March 2025 but also prepared for the long-term challenges of maintaining Operational Resilience in an ever-evolving risk landscape.
What Does Effective Assurance Look Like?
Assurance is the mechanism by which your firm confirms that its Operational Resilience framework is functioning as expected. But what does effective assurance look like in practice? It encompasses a range of activities, including risk assessments, audits, testing, and reporting, all aimed at providing transparency and building confidence in your firm’s ability to remain resilient.
The Core Elements of Assurance
- Governance:
Governance sits at the core of any effective assurance process. It is essential that boards and senior management understand their roles and responsibilities in overseeing Operational Resilience. Assurance requires clear reporting lines and accountability mechanisms to ensure that resilience efforts are properly monitored and evaluated at the highest levels.
- Frameworks and Processes:
A robust Operational Resilience framework should be aligned with a firm’s overall risk management approach. This includes clearly defining IBS, setting and testing Impact Tolerances, and regularly reviewing and updating processes to reflect changes in the external environment or business operations.
- Stress Testing and Scenarios:
One of the most important aspects of assurance is validating that a firm’s resilience framework works in practice. This is achieved through stress testing, where firms simulate disruptive scenarios to assess how well they can continue delivering their IBS. The results of these tests provide valuable insights into gaps and weaknesses, which must be addressed as part of ongoing assurance activities.
- Continuous Improvement:
Effective assurance is not a one-off activity. Instead, it should be part of an ongoing process of continuous improvement. Firms need to be constantly monitoring and reassessing their resilience frameworks, making adjustments where necessary to ensure they remain aligned with both regulatory expectations and business realities.
Role of Leadership in Assurance
Leadership plays a crucial role in ensuring that assurance processes are effective. The board and senior management must not only understand the importance of Operational Resilience but also take active steps to ensure that your firm’s assurance framework is fit for purpose. This involves setting clear objectives, overseeing testing activities, and ensuring that the outcomes of assurance reviews are acted upon.
The Board’s Responsibility
The ultimate responsibility for Operational Resilience lies with the board of directors. Regulators expect boards to be actively engaged in overseeing resilience efforts, ensuring that they receive regular updates on your firm’s progress toward meeting the March 2025 deadline. The board must also ensure that appropriate resources are allocated to resilience initiatives, and that assurance processes are adequately funded and supported.
Senior Management’s Role
While the board has overall responsibility, senior management, and specifically the SMF24 (chief operations function), is tasked with implementing and managing the day-to-day activities related to assurance. This includes coordinating testing, overseeing risk management processes, and ensuring that all necessary actions are taken to address any identified vulnerabilities. Management must also ensure that the outcomes of assurance activities are clearly communicated to the board, enabling informed decision-making.
The Assurance Process: what should you consider?
As organisations approach the March 2025 deadline, it is essential to ask critical questions to ensure that assurance processes are effective and aligned with regulatory expectations. These questions can serve as a valuable tool for boards and senior management as they evaluate their Operational Resilience frameworks:
- Are we clear on the regulatory requirements for Operational Resilience?
Have we fully understood the expectations set by the FCA, PRA, and Bank of England, and are we confident that our frameworks meet these requirements?
- How do we ensure our assurance processes are objective and independent?
Are we conducting thorough and independent reviews of our resilience frameworks, or are we relying on assessments undertaken by the original project teams that may be biased or incomplete? Do we have the skills required in-house (e.g. within internal audit)?
- What mechanisms do we have to identify and address gaps in our frameworks?
Do we have a clear process for identifying weaknesses in our resilience framework, and are we confident that we are taking the necessary steps to address these gaps before the deadline?
- Is our board actively engaged in overseeing Operational Resilience?
Are we providing the board with the information and resources they need to effectively oversee and assess our resilience efforts, and are they fully engaged in the assurance process?
- How confident are we in our ability to meet the March 2025 deadline?
Have we conducted thorough testing of our resilience framework, and are we confident that we will be able to meet the deadline with a fully compliant and effective framework?
- Do we have proof?
Have we gathered enough evidence that our Operational Resilience processes have been sufficiently and appropriately documented, that our testing results have been recorded, analysed and vulnerabilities identified?
- Are we in line with market practice?
Do we know what other firms have delivered in response to Operational Resilience requirements? Are we confident we are at least in line with the standard or deviate from it with clear and logical rationale?
Conclusion
Assurance plays an essential role in providing confidence that a firm’s Operational Resilience framework is fit for purpose. By embedding assurance into governance processes, conducting regular testing, and fostering a culture of continuous improvement, firms can ensure they are well-prepared to meet regulatory expectations and protect their customers and the broader financial system from operational disruptions.
Effective assurance is not just about meeting regulatory requirements — it is about building long-term resilience and ensuring that firms are prepared to handle the challenges of an increasingly complex and interconnected world.
If you would like to discuss how ICSR can leverage their extensive knowledge and experience to bolster your firm’s confidence in their ability to evidence compliance with Operational Resilience regulations, please do speak with either of the authors or your usual ICSR contact.
Tomorrow we will be covering how to undertake a review of the project governance process.