The deadline for UK firms to fully embed their resilience frameworks passed on 31 March 2025. Now that the implementation period is over, firms should shift their focus from designing and implementing the frameworks to demonstrating compliance with operational resilience regulations. This will require a continuous commitment to managing risk and demonstrating their ability to withstand severe disruptions.
How Can Financial Firms Meet Their Operational Resilience Requirements?
Firms will be required to implement an evidence-based approach to clearly demonstrate to regulators that they intend to comply with their operational resilience requirements. This will involve several key stages:
- Identify important business services: The first step is to identify which critical services would cause the most harm if disrupted and therefore pose the greatest risk to market integrity.
- Set impact tolerances: Firms must then set an impact tolerance for each important business service, defining the maximum tolerable level of disruption before significant harm is caused. This is a key metric needed by regulators to manage wider systemic market risk.
- Map dependencies: Firms must map all people, processes, technologies and third parties that are essential for the delivery of each defined important business service.
- Conduct regular scenario testing: This framework must be regularly tested against severe but plausible scenarios, such as cyber attacks or third-party failures, to ensure the firm can remain within its stated impact tolerances.
Response Recovery Plans and Governance Requirements
Beyond the scope of the initial operational resilience framework, firms must then build remediation plans for any vulnerabilities identified during scenario testing. This will involve creating their own comprehensive self-assessment document that details the firm’s resilience capabilities and tolerance thresholds. Firms must have clear recovery plans in place to manage and mitigate any major incidents that occur. This entire process will require direct board oversight, and regulators expect that this will be fully supported by senior leadership. Creating a culture of proactive resilience throughout the organisation will demonstrate a board-level commitment to embedding operational resilience as a priority.
What are the Key Challenges for Firms Embedding Operational Resilience?
Embedding resilience as a permanent and evidence-based function may present several challenges for firms, including the need to overhaul internal systems and processes. Regulators will expect to see proof of proactive compliance, including comprehensive records of testing and remediation. Implementing and embedding new practices will drain resources and require significant investment. Many firms will struggle with the sheer volume and complexity of data involved in accurately mapping all dependencies across the entire organisation. Manual systems are no longer capable of monitoring and processing the vast amounts of data required for a modern operational resilience framework. Now that the implementation period is over, firms must demonstrate a proactive and embedded approach to resilience or face regulatory penalties. In addition to compliance considerations, firms that adapt quickly and embed resilience as a core function will be better positioned in a rapidly changing, unpredictable landscape. This is a distinct competitive advantage for firms that are agile, secure and proactive in their approach to meeting operational resilience requirements.
Operational resilience isn’t a one-off milestone.