In the final months before the deadline for Operational Resilience compliance, many organisations are under pressure to ensure that their processes, frameworks, and systems meet regulatory expectations. Many of our clients have reached out for support in injecting pace in the final stages of their Operational Resilience programme and also to ensure that their Operational Resilience Framework is fit for purpose ahead of preparing their all-important Self-Assessment for board review and approval. At the heart of this effort is assurance — a process that provides stakeholders with confidence that an organisation’s Operational Resilience framework is effective, compliant, and sustainable. But why exactly does assurance matter, and what is required to ensure it is fit for purpose?

This article is the first in the ICSR Operational Resilience Assurance Week series (follow the conversation on LinkedIn at #ICSROpResAssuranceWeek). It explores the vital role assurance plays in Operational Resilience, highlighting the regulatory backdrop, the risks of non-compliance, and how firms can ensure their assurance processes are robust, transparent, and aligned with long-term business objectives.

The Importance of Operational Resilience Assurance to Achieve Compliance

The Operational Resilience framework is underpinned by regulatory requirements set by the Financial Conduct Authority (FCA), the Prudential Regulation Authority (PRA), and the Bank of England. These regulators have defined clear expectations for firms to build Operational Resilience by identifying their Important Business Services (IBS), setting Impact Tolerances, and implementing measures to remain within those tolerances during disruptions.

Boards are expected to ensure that their firm has developed Operational Resilience frameworks that are proactive rather than reactive, ensuring that systems are tested and ready to withstand, or quickly recover from, disruptions. Assurance is critical because it provides senior management and board members with a degree of certainty that a firm’s resilience framework is effective and can be relied upon in practice.

By March 2025, firms must have thoroughly tested their Operational Resilience frameworks, addressed identified gaps, and assured key stakeholders of their ability to meet regulatory requirements. Assurance is not just about ticking boxes — it is about demonstrating that firms can confidently manage risk, maintain continuity of services, and protect consumers and the broader financial system from operational failure.

Key Benefits of Assurance

Demonstrating Compliance to Boards and Regulators

The FCA and PRA have made it clear that they will scrutinise how firms are preparing for operational disruptions. The deadline of March 2025 is not just a target – it is the moment when firms must demonstrate full compliance with regulations that require:

  • Identification of important business services
  • Setting of clear impact tolerances
  • Evidence that these tolerances can be met during severe disruptions

Independent assurance can provide the objective evidence you need to show that your firm’s Operational Resilience framework meets these expectations. It serves as an external stamp of approval, validating that your organisation has done everything possible to meet regulatory requirements. It will provide added strength to your Self-Assessment ahead of board review and sign off.

Uncovering Blind Spots in Resilience Planning

Even the most well-prepared firms can suffer from internal blind spots. This is particularly true when Operational Resilience efforts are driven by internal teams, where familiarity with processes and services may cause critical risks to be overlooked.

An independent assurance provider (be that internal if the skills are available, or an external resource) brings a fresh, unbiased perspective. They can identify gaps in your resilience strategy, uncover discrepancies between objectives and deliverables, or point out where impact tolerances might not be realistic under severe stress scenarios. This review helps firms avoid the complacency that can come from over-reliance on their original assessments.

Enhancing Stakeholder Confidence

Insurance firms operate in a highly interconnected environment, interacting with a web of stakeholders – including customers, regulators, investors, and third-party suppliers. In the event of an operational disruption, confidence in your firm’s ability to recover quickly and effectively is critical to maintaining trust.

By soliciting independent assurance, your firm sends a clear message to stakeholders: you are taking Operational Resilience seriously and are willing to have your processes rigorously tested by external experts. This can bolster trust, both within your firm and externally, while ensuring that your stakeholders are confident in your ability to manage disruptions effectively. 

Strengthening Third-Party Risk Management

In the interconnected world of insurance, third-party relationships are a critical component of service delivery. However, they also represent a significant risk. A disruption at a third-party provider can have a cascading effect on your firm’s ability to meet its own impact tolerances.

Independent assurance can provide a detailed review of your third-party risk management processes, ensuring that your supply chain is as resilient as your own internal operations. It can also help firms verify that their third-party contracts and service-level agreements are aligned with Operational Resilience requirements, providing a safety net if a key provider experiences disruption.

Preparing for Post-Deadline Scrutiny

While meeting the March 2025 deadline is crucial, the work doesn’t stop there. Regulators are likely to conduct post-deadline reviews, and firms will need to maintain ongoing Operational Resilience. Independent assurance not only prepares firms for the immediate regulatory deadline but also helps to establish continuous monitoring processes that ensure long-term resilience.

By engaging with independent assurance now, your firm can be confident that it is not only ready for March 2025 but also prepared for the long-term challenges of maintaining Operational Resilience in an ever-evolving risk landscape.

What Does Effective Assurance Look Like?

Assurance is the mechanism by which your firm confirms that its Operational Resilience framework is functioning as expected. But what does effective assurance look like in practice? It encompasses a range of activities, including risk assessments, audits, testing, and reporting, all aimed at providing transparency and building confidence in your firm’s ability to remain resilient.

The Core Elements of Assurance

  1. Governance:
    Governance sits at the core of any effective assurance process. It is essential that boards and senior management understand their roles and responsibilities in overseeing Operational Resilience. Assurance requires clear reporting lines and accountability mechanisms to ensure that resilience efforts are properly monitored and evaluated at the highest levels.
  2. Frameworks and Processes:
    A robust Operational Resilience framework should be aligned with a firm’s overall risk management approach. This includes clearly defining IBS, setting and testing Impact Tolerances, and regularly reviewing and updating processes to reflect changes in the external environment or business operations.
  3. Stress Testing and Scenarios:
    One of the most important aspects of assurance is validating that a firm’s resilience framework works in practice. This is achieved through stress testing, where firms simulate disruptive scenarios to assess how well they can continue delivering their IBS. The results of these tests provide valuable insights into gaps and weaknesses, which must be addressed as part of ongoing assurance activities.
  4. Continuous Improvement:
    Effective assurance is not a one-off activity. Instead, it should be part of an ongoing process of continuous improvement. Firms need to be constantly monitoring and reassessing their resilience frameworks, making adjustments where necessary to ensure they remain aligned with both regulatory expectations and business realities.

Role of Leadership in Assurance

Leadership plays a crucial role in ensuring that assurance processes are effective. The board and senior management must not only understand the importance of Operational Resilience but also take active steps to ensure that your firm’s assurance framework is fit for purpose. This involves setting clear objectives, overseeing testing activities, and ensuring that the outcomes of assurance reviews are acted upon.

The Board’s Responsibility

The ultimate responsibility for Operational Resilience lies with the board of directors. Regulators expect boards to be actively engaged in overseeing resilience efforts, ensuring that they receive regular updates on your firm’s progress toward meeting the March 2025 deadline. The board must also ensure that appropriate resources are allocated to resilience initiatives, and that assurance processes are adequately funded and supported.

Senior Management’s Role

While the board has overall responsibility, senior management, and specifically the SMF24 (chief operations function), is tasked with implementing and managing the day-to-day activities related to assurance. This includes coordinating testing, overseeing risk management processes, and ensuring that all necessary actions are taken to address any identified vulnerabilities. Management must also ensure that the outcomes of assurance activities are clearly communicated to the board, enabling informed decision-making.

The Assurance Process: What Should You Consider?

As organisations approach the March 2025 deadline, it is essential to ask critical questions to ensure that assurance processes are effective and aligned with regulatory expectations. These questions can serve as a valuable tool for boards and senior management as they evaluate their Operational Resilience frameworks:

  1. Are we clear on the regulatory requirements for Operational Resilience?
    Have we fully understood the expectations set by the FCA, PRA, and Bank of England, and are we confident that our frameworks meet these requirements?
  2. How do we ensure our assurance processes are objective and independent?
    Are we conducting thorough and independent reviews of our resilience frameworks, or are we relying on assessments undertaken by the original project teams that may be biased or incomplete? Do we have the skills required in-house (e.g. within internal audit)?
  3. What mechanisms do we have to identify and address gaps in our frameworks?
    Do we have a clear process for identifying weaknesses in our resilience framework, and are we confident that we are taking the necessary steps to address these gaps before the deadline?
  4. Is our board actively engaged in overseeing Operational Resilience?
    Are we providing the board with the information and resources they need to effectively oversee and assess our resilience efforts, and are they fully engaged in the assurance process?
  5. How confident are we in our ability to meet the March 2025 deadline?
    Have we conducted thorough testing of our resilience framework, and are we confident that we will be able to meet the deadline with a fully compliant and effective framework?
  6. Do we have proof?
    Have we gathered enough evidence that our Operational Resilience processes have been sufficiently and appropriately documented, and that our testing results have been recorded and analysed and vulnerabilities identified?
  7. Are we in line with market practice?
    Do we know what other firms have delivered in response to Operational Resilience requirements? Are we confident that we are at least in line with the standard or, where we deviate from it, that we do so with a clear and logical rationale?

Conclusion

Assurance plays an essential role in providing confidence that a firm’s Operational Resilience framework is fit for purpose. By embedding assurance into governance processes, conducting regular testing, and fostering a culture of continuous improvement, firms can ensure they are well-prepared to meet regulatory expectations and protect their customers and the broader financial system from operational disruptions.

Effective assurance is not just about meeting regulatory requirements — it is about building long-term resilience and ensuring that firms are prepared to handle the challenges of an increasingly complex and interconnected world.

If you would like to discuss how ICSR can leverage their extensive knowledge and experience to bolster your firm’s confidence in its ability to evidence compliance with Operational Resilience regulations, please do speak with either of the authors or your usual ICSR contact.

Tomorrow we will be covering how to undertake a review of the project governance process.

Talking Operational Resilience

Kenneth Underhill talks about why Operational Resilience Assurance matters in this short video.
