Make sure your firm is ready to comply with our operational resilience rules by 31 March 2025. Use our observations to help review your firm’s approach.
On this page, we provide observations and insights on the preparations firms have made towards complying with PS21/3: Building operational resilience[1] as we come to the end of the transition period on 31 March 2025.
The rules apply to:
- banks
- building societies
- PRA-designated investment firms
- insurers
- Recognised Investment Exchanges
- Enhanced scope Senior Managers and Certification Regime firms and entities authorised and registered under the Payment Services Regulations 2017 and Electronic Money Regulations 2011.
You should use our observations to review your firm’s approach and assess your readiness on the following key areas of the policy.
Important business services
You must identify your important business services and keep these regularly under review.
Observations and insight on important business services
- The extent to which firms appropriately identify their important business services remains varied across the sector. Outlier firms exclude certain business services on the grounds of substitutability by competitor firms, believing that in the event of an outage their competitors will be able to serve the consumer/client need.
- You should consider all factors set out in our Handbook[2] when identifying your important business services. An important business service shouldn’t be excluded by considering one factor alone and should be determined without reference to response or recovery capabilities.
- Your justification for identifying an important business service should be evidenced in the self-assessment. You should also consider including the rationale and justification for not having identified other business services as important, especially when choosing to remove an important business service following the annual review process.
Impact tolerance
You must set impact tolerances for each of your important business services and keep these regularly under review.
Observations and insight on impact tolerance
- We’ve seen a wide range of impact tolerances identified by firms, with limited rationale for when intolerable consumer harm or a risk to market integrity is reached. This often requires additional clarification from firms to help us to fully understand the impact tolerances set. The full rationale should be included in your self-assessments to ensure your board understands what has been set and why.
- Impact tolerances across the industry have also been set primarily as time-bound tolerances, and you should consider using other metrics to complement this measure. Additional metrics may be defined by considering types of customers, values and types of transactions, criticality of transactions and estimated losses.
- When recovery is not feasible within a time-based impact tolerance, you should consider responding with mitigating actions as part of a response plan, to ensure the impact tolerances set for these additional metrics aren’t breached.
- It’s also worth noting that impact tolerances are different from recovery time objectives. A recovery time objective is the maximum time taken to recover the service. But in most cases, avoiding intolerable harm also requires that any processing delayed during the disruption is completed once the service has been recovered. It’s common therefore to see recovery time objectives set well within impact tolerances, so that this catch-up processing can also be completed in time and you remain within tolerance.
Further information on the factors to consider when setting impact tolerances can be found in the Handbook[2].
Mapping and third parties
You must identify and document the people, processes, technology, facilities, and information necessary to deliver each of your important business services. This includes any relationships with third parties which could impact your ability to remain within your impact tolerance.
Observations and insight on mapping and third parties
- We expect your mapping of resources and processes to mature over time, to enable you to fully understand all the dependencies and interconnectivity required to deliver your important business services.
- If a third-party provider supporting or delivering your important business services fails, remaining within impact tolerance is still your responsibility, not the provider’s.
- Relationships with third parties should be actively managed so you can be satisfied with their resilience.
- Detailed mapping should support the identification of vulnerabilities which may cause you to breach impact tolerance during an operational disruption.
Further information on the factors to consider can be found in our Handbook[3].
Scenario testing
You must develop and keep up to date testing plans that detail how you can remain within impact tolerances for each of your important business services. This means identifying severe but plausible scenarios across an appropriate range of adverse circumstances, varying in nature, severity, and duration, that are aligned to your risks and vulnerabilities.
This will provide vital information as part of the self-assessment for your governing body and senior management, to ensure appropriate and fully funded plans are developed to remedy any vulnerability.
Observations and insight on scenario testing
- To support the identification of a range of severe but plausible scenarios, you should, among other things, consider at a minimum the scenarios found in our Handbook[4].
- We expect scenario testing and mapping to have matured and developed in sophistication throughout the transition period, enabling you to have greater understanding of your own resilience capabilities.
- Effective testing plans incrementally increase the severity of disruption by both increasing the number/type of resources unavailable and the length of time of the disruption period to fully understand the effectiveness of the associated response and recovery plan.
- This testing enables you to understand the severity at which you're no longer able to remain within impact tolerance and, in doing so, understand the full impact of the disruption and any vulnerability required to be remediated.
- You should also mature the format and type of testing used to understand the resilience of your organisation. Scenario testing should evolve from judgement-based, desk-based scenario tests to a wider range of testing that provides empirical data, including but not limited to:
  - penetration tests
  - disaster recovery/failover tests
  - simulations
  - lessons learned from real scenarios
- The inclusion of third parties in testing should help ensure you understand their capability to remain within your impact tolerance.
- Testing of a third party’s resilience can be undertaken by the third party themselves, but you need to be satisfied that their methodology and tested scenarios are appropriate and sufficient for your requirements.
Vulnerabilities and remediation
Your mapping and scenario testing should identify any vulnerabilities which may cause you to not remain within impact tolerance for severe but plausible scenarios.
Observations and insight on vulnerabilities and remediation
- You should have significantly progressed remediation activities for vulnerabilities identified in the early part of the transition period, to ensure you can remain within impact tolerance for all important business services by 31 March 2025.
- We expect remediation plans to be approved, fully funded, and appropriately governed to ensure delivery, with evidence at closure through repeated scenario tests to verify that the vulnerability has been resolved.
- As mapping and scenario testing matures, additional vulnerabilities may be identified which will require remediation. You should regularly review vulnerabilities, prioritising those that have the greatest potential to impact your ability to remain within impact tolerance.
- You should mature your testing across severe but plausible scenarios, to enable potential identification of new and additional vulnerabilities.
Response and recovery plans
Exercising and/or testing of recovery plans is a fundamental part of understanding (in a severe but plausible scenario) whether you can remain within impact tolerance. However, it’s equally important to understand your response plan should a disruption occur.
Response plans provide alternative actions you can take during a disruption to buy time for recovery plans to complete. They can also help you avoid breaching your impact tolerance.
Response plans can also provide tactical options as part of a wider remediation plan for identified vulnerabilities, especially if a strategic remediation may take significant time to implement.
Observations and insight on response and recovery plans
- Reviews of self-assessments showed limited evidence of the testing of response plans, and firms primarily relied on recovery to understand if they could remain within their impact tolerance.
Governance and self-assessment
Observations and insight on governance and self-assessment
- The minimum requirements for what you must include in your self-assessment are defined in the Handbook[5].
- Your self-assessment should detail your journey to becoming operationally resilient.
- We expect that self-assessments, like many other elements of the policy, will mature and develop over time as you develop your resilience, response, and recovery capabilities.
- Your governing body is required to approve and regularly review your self-assessment, so this must provide sufficient information and justifications on the determinations, decisions, and plans to ensure your continued resilience.
- Good examples of self-assessment documents allow governing body members to understand their firm’s position and roadmap to resilience. They include an overview of vulnerabilities found, scenarios tested (with the outcome of those tests), remediation plans, and the firm's strategy to ensure they can remain within impact tolerances for all important business services no later than 31 March 2025.
- Should you have any concern over your firm's ability to remain within impact tolerance, these concerns should be clearly documented in the self-assessment with detailed information on the work needed to remediate the issue.
Embedding operational resilience
Observations and insight on embedding operational resilience
- Our Building operational resilience policy statement (PDF)[6] is an outcomes-based policy which looks to minimise the impact of operational disruptions for consumers, firms, and markets across the financial services sector.
- 31 March 2025 marks the end of the transition period, but the requirement to be operationally resilient is not a once-and-done activity, nor something that should be seen as tick-box regulatory compliance. Instead, it should be a way of working that is embedded into your overall culture.
- The most effective operational resilience frameworks are embedded within firms' overall enterprise-wide risk frameworks, including change management and strategic planning. Operational resilience is a core consideration when assessing risks of transformation and change.
Horizon scanning
Observations and insight on horizon scanning
- As operational resilience becomes embedded within your firm, it’s also important to ensure that risks from your severe but plausible scenarios are refreshed regularly.
- Horizon scanning to establish an understanding of new and emerging risks, and of the proximity of their impact, is key to ensuring testing is appropriate and that controls are in place to detect, respond to and recover from operational disruptions, both current and future.
Important points
- We expect all firms to be resilient and provide services for their customers when needed.
- The operational resilience policy (PS21/3) transition period ends on 31 March 2025. Ahead of this deadline, you must ensure that you can remain within impact tolerance in severe but plausible scenarios for any identified important business services, and have your plans approved by your Board in good time.
- Important business services, impact tolerances and mapping should be reviewed on at least an annual basis, or if there is a material change to your business or the market you operate in.
- Changes to important business services, impact tolerances and mapping should be clearly identified in your self-assessment, along with any rationale.
- Scenario testing underpins your evidence for how you will remain within impact tolerances for severe but plausible scenarios for your important business services. It should become part of business as usual and be reviewed on a regular basis as evidence of your operational resilience.