Operational resilience - focusing on the things that matter most

With the first tranche of operational resilience requirements going live on 31 March 2022, there is likely to be a wide variation in the state of readiness among firms, regarding their end-to-end resilience chain.

Here, we consider the key themes of importance to both customers and the FCA. We also discuss the actions firms should take ahead of the initial deadline, to manage expectations of these key stakeholders.


Customers expect that, following any outage or failure, their issue will be resolved and services restored swiftly. Many firms have simplified their approach, focusing only on crucial processes that could cause their customers undue harm. This approach is validated through benchmarking with peers and assists the regulator in their effective supervision of the sector.


Ineffective oversight of operational resilience requirements is likely to delay effective resolution, damaging trust among impacted customers. Ineffective ownership may lead to reputational risk, regulatory fines and customer attrition. Firms should ensure alignment to SMCR and that clear ownership lines facilitate early resolution and recompense.


Vulnerable customers are at the heart of the FCA Business Plan and this new regulation, given they are at most risk of significant harm if a critical process fails. The potential of harm to vulnerable customers is key to identifying business critical processes and the FCA requires firms to evidence the steps they will take to identify and protect these customers.

Third parties

With many firms relying on third parties to provide cloud, IT and other key services, it's clear thatboth operational resilience and customers will have significant dependencies on these suppliers. It remains to be seen how amenable suppliers will be to the level of oversight, control and reassurance firms may seek relating to documentation of end-to-end processes, management information and input to tolerances. For many, there may be shades of David vs. Goliath in their respective size vs. their supplier and, without intervention by the regulators, David may not prevail.

We have seen the regulation of systemically important firms in the past (e.g. credit reference bureaus) and given the increased profile of operational resilience, the regulators may again extend their reach to minimise customer harm.


In our increasingly digital world, customers and regulators? expectations of operational resilience rely on the effective measurement and monitoring of numerous data points. However, many firms are still developing their data strategy and adapting their operating models to use data to its full effect. In that instance, firms should document their current capability to monitor, measure and articulate the improvements they have identified as a key part of their emerging data strategy.There is clear interconnectedness between the needs and expectations of customers and the FCA despite their respective ends of the spectrum. Firms are in the middle and must demonstrate to these stakeholders that they take operational resilience seriously. At this point, this entails ensuring their planning is sound and they are focused on the few things that matter most.