A&O Shearman | FinReg | UK FCA findings from multi-firm review on operational resilience
Financial Regulatory Developments Focus
  • UK FCA findings from multi-firm review on operational resilience

    27 March 2026
    The UK Financial Conduct Authority (FCA) has published a new webpage highlighting good and poor practice observed in firms' annual operational resilience self‑assessments following the end of the transition period on 31 March 2025, relating to the application of the FCA's rules. The FCA encourages firms to use these observations to help review and evolve their approaches.

    The FCA's findings are categorised under six headings:
    • Important business services and impact tolerance: While good practice was observed in relation to methodologies and rationale for defining important business services and setting impact tolerances, documenting review cycles, and scenario testing to inform impact tolerance calibration, the FCA would like to see firms able to identify when harm would occur to consumers and when it would impact the market.
    • Mapping resources: Firms have matured their approaches to mapping. Good practice includes clear ownership and accountability of mapping data and diversifying where key staff are based. The FCA emphasises the need for comprehensive mapping of people, processes, technology, facilities, information and third-party dependencies, noting that firms often focus too narrowly on technology and insufficiently address third-party vulnerabilities.
    • Scenario testing: While firms have been expanding scenario testing and integrating outcomes into remediation planning and governance reporting, the FCA has observed some firms stating that there is no scenario from which they would be unable to recover, without including evidence of having tested this using sufficiently severe scenarios. The FCA is concerned that this means there is not enough information to give boards the assurance that they need.
    • Vulnerability management: The FCA notes that some self-assessments do not include details on the framework or end-to-end process for vulnerability identification and remediation. Equally, the FCA has observed that when firms report few or no outstanding vulnerabilities and their self-assessments lack information or evidence on mapping, testing, and vulnerability management, it is difficult to check whether they have identified vulnerabilities properly.
    • Communications plans and strategy: Firms are expected to maintain tested internal and external communications strategies capable of operating during disruption, including contingencies for the loss of usual communication channels.
    • Governance: Strong board oversight remains central, with boards expected to approve self-assessments, understand their resilience responsibilities and ensure clear accountability, audit trails and senior oversight for remediation.