Operational resilience: beyond regulatory raincoats

Suman Ziaullah

Head of technology, resilience and cyber

On 31 March 2025, the operational resilience transition period ended. We mark the deadline, reflect on lessons learned and look ahead at the future for firms.

When was the last time you got caught in the rain? It happens to me from time to time. I’ve forgotten my umbrella or dashed out without my coat, only to be greeted by an unexpected downpour. I should have anticipated it – checked my weather app, packed an umbrella, noted the foreboding grey clouds – but sometimes even the prepared get caught out.  

My personal experience captures the essence of what I’ve been thinking since our operational resilience policy deadline passed on 31 March 2025. Firms need to expect the unexpected and be prepared to maintain their services in all severe but plausible scenarios to prevent intolerable harm – in my case, merely drenched clothes, but for firms, potentially significant market disruption and customers left high and dry. 

Yes, we’ve marked the compliance milestone – firms have been working hard to comply with our rules by mapping their important business services, setting impact tolerances, completing scenario testing and addressing identified vulnerabilities.  

But the work doesn’t stop here.   

The real test is in how firms will evolve to weather all types of storms as the financial climate changes – from cyber threat actors targeting the UK’s critical national infrastructure, to increasingly complex supply chains, to emerging technologies like quantum computing and AI that present both opportunities and significant challenges.  

The FCA’s new five-year strategy emphasises deepening trust as fundamental to creating a financial sector that supports growth and improves lives. Operational resilience sits at the heart of how we deepen trust in financial firms and the services they provide.  

What sets resilient organisations apart 

Last month’s shutdown of Heathrow Airport, caused by a fire at an electricity substation, and last July’s CrowdStrike outage exemplify the types of disruption firms should prepare for: both in their impact on vital services and in the back-up plans needed when systems, processes and buildings are unavailable.

In my role, my teams and I see hundreds of operational incidents that firms face each year. When disruptions hit, the differences in how firms respond become immediately apparent. As we engage across the sector, three patterns distinguish the most resilient organisations.

First, they have prepared for severe scenarios in advance. Rather than designing manageable tests guaranteed to succeed, they create challenges so demanding they might ‘fail’ the exercise. These ‘failures’ often generate the most valuable insights, revealing vulnerabilities that would otherwise remain hidden until a real crisis strikes. Their preparation means they aren’t surprised by incidents. Instead, they have prepared their people, processes, technologies, and – crucially – their mindsets, to respond in a way that minimises harm to consumers, markets, and the firms themselves.

Next, they have robust communication plans that can be adapted to a range of situations, and they regularly test these plans under pressure. They know what to communicate to their customers and stakeholders, and how to do so, when the usual channels are unavailable.

Third, resilience permeates their culture. You can spot these firms by how their senior executives and their boards engage with resilience – not as a regulatory checkbox but as a strategic priority. Their product design incorporates resilience from the beginning rather than bolting it on at the end. These firms review incidents focused on learning, rather than blame, and adhere to the adage ‘never let a good crisis go to waste’. 

In short, they know what to do when things go wrong. 

Rebalancing risk to support growth 

Effective resilience isn’t about preventing all disruptions. It’s about responding and recovering in ways that protect consumers and markets. 

As our strategy highlights, growth requires rebalancing risk rather than trying to eliminate it entirely. We want to see firms taking appropriate risks to innovate, but with resilient foundations to manage disruption when it occurs. Operational resilience is fundamentally important to competitiveness and economic growth. 

Looking beyond the deadline 

With the 31 March 2025 deadline behind us, our supervisory focus is shifting. Firms have laid the foundations to continue building resilience by design. We will now be looking at how they strengthen their resilience culture: learning from incidents, continuing scenario testing, and remediating any newly discovered vulnerabilities.

We want to help the sector improve its operational resilience through shared insights and a collaborative approach. That said, where we see failings that put customers or markets at risk, we will use our powers to drive necessary change. 

The journey continues 

Operational resilience is more than a regulatory requirement – it’s fundamental to competitiveness, customer service, and financial stability. Let’s ensure it becomes part of our sector’s DNA. 

After all, nobody wants to be caught in a downpour without an umbrella – especially when you’re responsible for keeping millions of customers dry.