The Prudential Regulation Authority (PRA), the Financial Conduct Authority (FCA), and the Bank of England (‘the Bank’), collectively “the supervisory authorities” detailed their finalised rules and guidance for firms in respect of operational resilience on 29 March 2021. The diagram below outlines the key milestones that firms should have been working towards since the rules were finalised:

In May 2024, the FCA published observations and insights on the preparation firms have made towards compliance with the operational resilience requirements. The FCA advised firms to use its observations as a means of reviewing their approach and assess readiness to comply with rules by 31 March 2025. Some of the key points raised in this publication, that we have also highlighted in the independent assessments we have undertaken for our clients include:

• Appropriate identification of important business services in line with the regulatory definitions and guidance.

• Methodologies used by the firm to identify and categorise some business services as important and not others should form part of the firm's self-assessment.

• Rationale to support set impact tolerances should clearly articulate when intolerable consumer harm or a risk to market integrity is reached and should also form part of the firm's self-assessment.

• Most firms have set impact tolerances as time-bound tolerances. Firms should consider using additional metrics such as types of customers, types or criticality of transactions or estimated losses.

• Impact tolerances are different to Recovery Time Objectives (RTO). RTOs are set based on the time to recover a service, whereas avoiding intolerable harm can involve additional time for processing and remediation activities once system function is restored. For this reason, RTOs are typically set well within impact tolerances.

• Firms must be satisfied with the operational resilience measures that any third-party service providers involved in the delivery of important business services have in place. Firms are ultimately responsible for breaches of impact tolerances relative to third-party providers.

• Scenario testing should be undertaken across a broad range of severe but plausible scenarios including as a minimum the scenarios detailed within SYSC 15A.5:

o corruption, deletion or manipulation of data critical to the delivery of its important business services;

o unavailability of facilities or key people;

o unavailability of third party services, which are critical to the delivery of its important business services;

o disruption to other market participants, where applicable; and

o loss or reduced provision of technology underpinning the delivery of important business services.

• Testing plans should have evolved over time with incremental increases to the unavailability of resources and period of disruption in test scenarios to measure the effectiveness of both recovery and response plans
• Different types of testing should be undertaken as opposed to only desk-based testing. A wider range of testing will provide greater assurance of the firms' resilience capabilities, such as by including:
  • penetration tests
  • disaster recovery/fail over tests
  • simulations
  • lessons learned from real scenarios
• Third parties should be included in testing for firms to understand their resilience capabilities and factor this into impact tolerances. Third parties may conduct their own scenario testing. Where this is the case, firms should ensure the level of testing provides an appropriate level of assurance.
• Firms should be able to evidence progress in the remediation of vulnerabilities identified through the transition period with additional testing undertaken to provide assurance that vulnerabilities have been resolved.
• Remediation activities should be subject to appropriate governance arrangements.
• Changes to business strategy, processes or other systems and controls relative to important business services over the transition period may have the potential to create additional vulnerabilities. It is imperative that firms continually review mapping and testing scenario to identify additional vulnerabilities that could impact the firm's ability to operate within set impact tolerances.
• Self-assessments should provide the Board or governing body with an overview of the firms' journey to achieving resilience. They should include an appropriate level of rationale for the decisions and determinations made by the firm, such as in relation to the setting of impact tolerances and the types and frequency of testing undertaken.

Self-assessments should also highlight any vulnerabilities or issues that exist which can affect the firms' ability to remain within impact tolerances. The firm will need to address such issues and resolve them no later than 31 March 2025.

In May 2024, the FCA published observations and insights on the preparation firms have made towards compliance with the operational resilience requirements. The FCA advised firms to use its observations as a means of reviewing their approach and assess readiness to comply with rules by 31 March 2025. Some of the key points raised in this publication, that we have also highlighted in the independent assessments we have undertaken for our clients include:

• Appropriate identification of important business services in line with the regulatory definitions and guidance. 
• Methodologies used by the firm to identify and categorise some business services as important and not others should form part of the firm's self-assessment.
• Rationale to support set impact tolerances should clearly articulate when intolerable consumer harm or a risk to market integrity is reached and should also form part of the firm's self-assessment.
• Most firms have set impact tolerances as time-bound tolerances. Firms should consider using additional metrics such as types of customers, types or criticality of transactions or estimated losses.
• Impact tolerances are different to Recovery Time Objectives (RTO). RTOs are set based on the time to recover a service, whereas avoiding intolerable harm can involve additional time for processing and remediation activities once system function is restored. For this reason, RTOs are typically set well within impact tolerances.
• Firms must be satisfied with the operational resilience measures that any third-party service providers involved in the delivery of important business services have in place. Firms are ultimately responsible for breaches of impact tolerances relative to third-party providers. 
• Scenario testing should be undertaken across a broad range of severe but plausible scenarios including as a minimum the scenarios detailed within SYSC 15A.5:
  • corruption, deletion or manipulation of data critical to the delivery of its important business services;
  • unavailability of facilities or key people;
  • unavailability of third party services, which are critical to the delivery of its important business services;
  • disruption to other market participants, where applicable; and
  • loss or reduced provision of technology underpinning the delivery of important business services.
• Testing plans should have evolved over time with incremental increases to the unavailability of resources and period of disruption in test scenarios to measure the effectiveness of both recovery and response plans
• Different types of testing should be undertaken as opposed to only desk-based testing. A wider range of testing will provide greater assurance of the firms' resilience capabilities, such as by including:
  • penetration tests 
  • disaster recovery/fail over tests 
  • simulations 
  • lessons learned from real scenarios
• Third parties should be included in testing for firms to understand their resilience capabilities and factor this into impact tolerances. Third parties may conduct their own scenario testing. Where this is the case, firms should ensure the level of testing provides an appropriate level of assurance. 
• Firms should be able to evidence progress in the remediation of vulnerabilities identified through the transition period with additional testing undertaken to provide assurance that vulnerabilities have been resolved. 
• Remediation activities should be subject to appropriate governance arrangements.
• Changes to business strategy, processes or other systems and controls relative to important business services over the transition period may have the potential to create additional vulnerabilities. It is imperative that firms continually review mapping and testing scenario to identify additional vulnerabilities that could impact the firm's ability to operate within set impact tolerances.
• Self-assessments should provide the Board or governing body with an overview of the firms' journey to achieving resilience. They should include an appropriate level of rationale for the decisions and determinations made by the firm, such as in relation to the setting of impact tolerances and the types and frequency of testing undertaken. 

Self-assessments should also highlight any vulnerabilities or issues that exist which can affect the firms' ability to remain within impact tolerances. The firm will need to address such issues and resolve them no later than 31 March 2025.