Operational Resilience: Is Your Firm Ready to Prove It Can Absorb Disruption — or Just Claim That It Can?

The FCA and PRA's operational resilience framework is no longer a future obligation. The March 2025 implementation deadline has passed — and firms are now expected to be operating within their impact tolerances, not still mapping them.

Operational resilience has moved from policy commitment to supervisory reality. Regulators expect firms to have identified their important business services, set meaningful impact tolerances, tested their ability to remain within those tolerances under severe but plausible disruption scenarios, and produced the self-assessment documentation to evidence it all. For many firms, the uncomfortable truth is that their self-assessment exists in name only — and a supervisory visit or operational incident would expose that quickly.

In this episode, we examine what a genuinely robust Operational Resilience Self-Assessment looks like, what the regulators are expecting to find, and why the firms most at risk are those that treat this as a documentation exercise rather than a genuine test of their ability to withstand disruption.

Whether you are a compliance officer, a chief operating officer, a risk manager, or a senior manager with operational resilience accountability under SMCR, this episode gives you the practical framework to assess whether your self-assessment would stand up to scrutiny.

We cover:

— The regulatory foundation: PS21/3, the FCA and PRA's joint policy statement, and what the supervisory expectations look like now the implementation deadline has passed

— Identifying important business services correctly: the common scoping errors that leave firms exposed and how to apply the customer harm lens the regulators expect

— Setting impact tolerances that are meaningful: why vague or untested tolerances are worse than none, and how to express tolerances in terms regulators and boards can interrogate

— Mapping and testing: what scenario testing must demonstrate, how to document the results, and what constitutes adequate evidence that your firm can remain within tolerance

— The self-assessment document itself: what it must contain, how it should be structured, and the governance sign-off requirements that sit behind it

— Third-party and outsourcing dependencies: how to identify and document concentration risk and what regulators expect firms to have done about it

— The role of the board and senior management: accountability under SMCR, the governance oversight requirements, and why operational resilience is not an IT or operations issue in isolation

— Lessons from FCA supervisory engagement and industry incidents — what has gone wrong for other firms and what your self-assessment should do differently as a result

— How operational resilience connects to your broader risk management framework, business continuity planning, and Consumer Duty obligations around service continuity

This episode is essential listening if your firm:

— Has not updated its self-assessment since the March 2025 implementation deadline

— Has set impact tolerances but not yet tested whether it can remain within them under realistic disruption scenarios

— Is approaching an FCA supervisory visit or internal audit of its operational resilience framework

— Has significant third-party dependencies that are not fully reflected in its mapping or scenario testing

Resources mentioned in this episode:

Compliance Consultant's Operational Resilience Self-Assessment Workbook is a comprehensive, ready-to-use toolkit built for FCA-regulated firms. It provides a structured self-assessment framework, fully formatted workbook, and step-by-step guidance that enables compliance, risk, and operations teams to complete, document, and evidence their operational resilience obligations to a standard that reflects current regulatory expectations.

Built by qualified regulatory consultants who know exactly what "good" looks like.

Visit complianceconsultant.org to find out more, or call us on 0800 689 0190.

Compliance Consultant — Making Compliance Work