Operational Resilience Recruitment

Hire an Operational Resilience Specialist

Operational resilience has become one of the most scrutinised risk disciplines in UK regulated financial services. The FCA and PRA’s operational resilience framework — fully in force since 31 March 2025 following the three-year transition from the March 2022 rules — requires firms to identify Important Business Services, set impact tolerances, map the resources that support each service, test the firm’s ability to remain within impact tolerances, and demonstrate continuous improvement. The framework is demanding, ongoing, and enforced. Firms that have not built credible resilience capability face FCA and PRA intervention, potential Section 166 skilled person reviews, and — increasingly — individual accountability under SMCR for Senior Managers who own the discipline.

FD Capital recruits operational resilience specialists for FCA and PRA-regulated firms: banks, building societies, investment managers, wealth managers, insurance companies, insurance intermediaries, payment institutions, e-money firms, and fintech businesses. We place permanent Heads of Operational Resilience and Operational Resilience Managers through executive search, interim specialists for remediation projects or transition coverage, and fractional support for smaller firms where a full-time senior resilience role is not yet justified.

Our operational resilience placements include a mid-tier payment institution requiring its first dedicated Head of Operational Resilience following the 31 March 2025 deadline; an investment manager engaging an interim Operational Resilience Manager to rebuild the firm’s Important Business Service mapping after FCA feedback; and a fintech appointing a fractional specialist one day per week to establish its resilience framework ahead of FCA authorisation. In each case the critical variable was the candidate’s combination of regulatory interpretation capability, operational understanding of the business, and credibility with Senior Management.

020 3287 9501 — Operational resilience shortlists typically within 5-10 working days

CALL 020 3287 9501

What Is Operational Resilience? Role, Meaning, and Scope

Operational resilience is the discipline of ensuring that a regulated firm can continue to provide its Important Business Services to customers and markets through disruption events — technology failures, cyber attacks, third party failures, pandemic-type events, or other operational incidents. It is distinct from business continuity planning (which tends to focus on the firm’s ability to restore operations after disruption) in that operational resilience emphasises the outcomes delivered to customers and markets, not just the internal operational processes.

In the UK regulatory framework, operational resilience is set out in the FCA’s SYSC 15A, the PRA’s Statement of Policy on operational resilience, and the related rules in the FCA’s Handbook. The framework requires firms to: identify their Important Business Services (IBS); set impact tolerances for each service (defining the maximum tolerable duration and extent of disruption); map the people, processes, technology, facilities, information, and third parties that support each IBS; test the firm’s ability to deliver each IBS within impact tolerance through severe but plausible scenarios; and produce a self-assessment documenting the firm’s resilience capability.

The role of an Operational Resilience specialist is to design, embed, and continuously evolve this framework. The role sits at the intersection of risk management, business operations, technology resilience, and regulatory compliance. A senior Operational Resilience specialist typically reports to the Chief Risk Officer, Chief Operating Officer, or Chief Compliance Officer, with direct Senior Management Function accountability allocated to an SMF holder (most often the COO or CRO). For a full explanation of the UK operational resilience framework and how it applies across different firm types, see our Operational Resilience Guide.

The Legal and Regulatory Framework for Operational Resilience

FCA SYSC 15A and PRA SoP

The FCA’s operational resilience rules are primarily in SYSC 15A of the FCA Handbook, which applies to dual-regulated firms, enhanced-scope SMCR firms, and certain other FCA-regulated firms. The PRA’s corresponding framework is set out in the PRA Statement of Policy on operational resilience and related rules. Dual-regulated firms must comply with both, with the detail of implementation varying by firm type.

The Four-Stage Framework

The UK operational resilience framework has four defined stages that every in-scope firm must implement:

1. Identify Important Business Services (IBS): services which, if disrupted, could cause intolerable harm to consumers or market integrity. Each firm must identify its own IBS list; examples typically include payment initiation, settlement, trading execution, lending origination, and client-facing advice delivery.
2. Set impact tolerances: for each IBS, the maximum tolerable duration and nature of disruption. Impact tolerances must be specific, measurable, and agreed at Board level.
3. Map resources: identify the people, processes, technology, facilities, information, and third parties that support each IBS. Mapping must be granular enough to enable scenario testing.
4. Test and self-assess: through severe but plausible scenario testing, confirm the firm can remain within impact tolerance for each IBS; produce a self-assessment documenting the resilience capability; lessons learned feed back into framework improvement.

Transition Timeline and 31 March 2025 Deadline

The UK operational resilience framework came into force on 31 March 2022, with a three-year transition period ending on 31 March 2025. By 31 March 2025, in-scope firms were required to have completed full implementation: IBS identified; impact tolerances set; mapping completed; scenario testing performed; and the firm must be able to remain within impact tolerance for each IBS. Post-deadline, the FCA and PRA expect firms to maintain and continuously improve their resilience framework, with ongoing scenario testing and annual self-assessment refresh.

Third Party and Outsourcing Dimension

Operational resilience is closely linked to third party and outsourcing risk. Firms must identify the third parties supporting each IBS, understand the operational resilience of those third parties, and have contingency arrangements where third party failure would threaten the firm’s ability to deliver IBS within impact tolerance. The PRA’s Critical Third Party regime and the FCA’s outsourcing rules (SYSC 8 and SYSC 13) both intersect with operational resilience. Digital Operational Resilience Act (DORA) compliance is relevant for UK firms operating cross-border into the EU.

SMCR Accountability

Operational resilience is explicitly identified as a Prescribed Responsibility for Enhanced Firms under the SMCR. The allocated SMF holder — typically the Chief Operating Officer or Chief Risk Officer — carries personal accountability for the effectiveness of the firm’s operational resilience framework. This makes Operational Resilience specialist appointments a direct SMCR support matter, and candidates at senior level must be capable of supporting the SMF holder’s accountability credibly.

Dear CEO Letters and Thematic Supervision

The FCA and PRA have been active in thematic supervision of operational resilience, with multiple Dear CEO letters through 2023-2025 setting out supervisory expectations and common deficiencies. Firms that have received individual feedback following thematic work or routine supervision typically need to strengthen their resilience function, often resulting in specialist hiring requirements.

Operational Resilience Responsibilities: What the Role Covers

Operational resilience roles cover a broad scope; specific responsibilities depend on firm size and the maturity of the existing framework. The following covers the principal areas of a senior operational resilience specialist’s role.

Framework Design and Governance

A senior operational resilience specialist owns the firm’s resilience framework: the policy suite, the methodology for identifying IBS and setting impact tolerances, the mapping standards, the scenario testing approach, and the self-assessment process. The framework must be appropriate to the firm’s specific business model, regulatory category, and risk profile — a one-size-fits-all approach imported from another firm rarely withstands regulatory scrutiny.

Important Business Service Identification and Review

IBS identification is the foundation of the framework. A senior specialist leads the periodic review of the IBS list, applying the regulatory test (intolerable harm to consumers or market integrity) with appropriate rigour. Changes in the business (new product launches, M&A, outsourcing changes) typically trigger IBS review, and the discipline of maintaining an accurate and current IBS list is a continuous workstream.

Impact Tolerance Setting and Review

Each IBS requires an impact tolerance — the maximum tolerable duration and extent of disruption. Setting impact tolerances involves working closely with business lines, technology, operations, and risk teams to understand realistic tolerances and defend them at Board level. Impact tolerances must be reviewed annually and updated for material business change.

Mapping

Detailed mapping of the people, processes, technology, facilities, information, and third parties supporting each IBS is a substantial workstream. The specialist owns the mapping methodology, quality-assures the outputs, and ensures the mapping remains current as the business evolves. Poor quality mapping is one of the most common findings in FCA supervisory feedback on operational resilience.

Scenario Testing

The firm must test its ability to remain within impact tolerance through severe but plausible scenarios. The specialist designs the test programme, selects scenarios (cyber incidents, technology failures, third party failures, supplier insolvency, pandemic events), runs the tests, captures lessons learned, and drives remediation of identified gaps. Scenario testing is typically the most operationally demanding part of the framework, requiring coordination across multiple business and technology teams.

Third Party and Outsourcing Resilience

The specialist coordinates with the third party risk management function to ensure the resilience of critical third parties is adequately assessed. This includes reviewing third party resilience capabilities, assessing concentration risk across the third party portfolio, maintaining contingency arrangements for critical third party failure, and — for firms using designated Critical Third Parties — complying with the PRA/FCA oversight requirements.

Self-Assessment and Board Reporting

Firms produce an annual self-assessment documenting their operational resilience capability. The specialist drafts or supports the self-assessment, ensures it accurately reflects the firm’s actual capability (not an aspirational position), and presents conclusions to the Board. The self-assessment is reviewed by supervisors and is a key document in supervisory engagement on operational resilience.

FCA and PRA Engagement

The operational resilience specialist is typically the firm’s technical contact with the regulator on resilience matters. This includes responding to thematic reviews, managing individual Dear CEO response activity, supporting s.166 reviews that involve resilience scope, and managing any enforcement or remediation engagement. Strong supervisory engagement capability is defining characteristic of senior resilience hires.

Incident Response and Lessons Learned

When the firm experiences an actual operational incident that threatens IBS delivery, the operational resilience specialist plays a central role in incident response — coordinating with technology, operations, communications, and regulatory reporting functions to manage the incident and comply with operational incident reporting obligations. Post-incident lessons learned exercises feed back into framework improvement.

Operational Resilience Salary Guide

Operational resilience compensation varies by firm size, regulatory complexity, and the seniority of the specific role. The following ranges reflect current UK market rates for operational resilience specialists across the sectors FD Capital recruits in. Interim day rates are shown separately.

These ranges are indicative. The most significant premiums are typically paid for candidates with direct experience leading a firm’s operational resilience framework through a full regulatory examination or Dear CEO engagement, or with prior experience managing a s.166 review focused on operational resilience. Contact FD Capital for a current market assessment for your specific requirement.

Which Firms Need Operational Resilience Specialists?

Operational resilience requirements apply across the FCA and PRA-regulated firm population, though the sophistication of the function and the need for dedicated specialists vary by firm size and complexity. Firms that most frequently engage FD Capital for operational resilience recruitment include:

• Banks, building societies, and challenger banks: the most complex operational resilience environments, typically with dedicated Operational Resilience teams of 5+ specialists and an SMF holder personally accountable for the function
• Investment management and asset management firms: Enhanced Firms must comply with the full framework; Core Firms face lighter but still substantive obligations
• Insurance firms and Lloyd’s managing agents: operational resilience intersects with existing business continuity disciplines; insurers typically need specialists who understand both frameworks
• Payment institutions and e-money firms: payment processing is typically a clear IBS with material customer and market impact from disruption
• Wealth managers and stockbrokers: client trading and client money operations are typically IBS with specific impact tolerance implications
• Fintech firms at authorisation stage: operational resilience capability must be demonstrated as part of FCA authorisation for firms within the rule scope
• Firms responding to s.166 findings: skilled person reviews that identify operational resilience weaknesses typically drive both interim cover and permanent remediation hiring — see our Section 166 review recruitment page
• Firms with cross-border operations into the EU: DORA compliance overlaps significantly with UK operational resilience, driving demand for specialists who can manage both frameworks coherently

Fractional Operational Resilience Support

Fractional operational resilience specialists perform the function on a part-time basis, typically one to two days per week. This model is appropriate for smaller FCA-regulated firms where the framework is mature but ongoing resource needs do not justify a full-time dedicated role, or for firms building their resilience function ahead of a permanent hire.

Fractional operational resilience leads typically work across two or three firms simultaneously, building sector breadth that a single-firm specialist rarely has. A fractional specialist supporting a boutique investment manager, a payments firm, and a regional building society will see a wider range of implementation approaches, supervisor interactions, and scenario testing models than a single-firm specialist at comparable seniority.

The fractional model has specific constraints. The individual must be genuinely available for scenario testing exercises, Board meetings, and regulatory engagement. The firm must document the arrangement appropriately and ensure that Senior Manager accountability for operational resilience remains clear. FD Capital’s approach to fractional appointments is consistent with the principles set out on our Fractional CRO and Fractional CFO pages — we place individuals who take genuine accountability, not service providers fulfilling the role nominally.

Interim Operational Resilience Appointments

Interim operational resilience requirements arise in several recurring contexts: an unexpected resignation during a critical implementation phase; an FCA-required remediation project following supervisory feedback; a specific framework-building project (initial IBS identification, scenario testing implementation, Critical Third Party compliance); a s.166 skilled person review with operational resilience in scope; or a gap period during a permanent search where the framework requires continuous ownership.

Interim operational resilience specialists are often the difference between a firm continuing to meet its post-2025 framework obligations and a firm falling behind with the inevitable supervisory consequences. Because the framework requires ongoing scenario testing, self-assessment, and continuous improvement, the function cannot be left unstaffed for extended periods without regulatory risk.

FD Capital maintains a network of experienced interim operational resilience specialists. Our interim network includes former Heads of Operational Resilience at banks and investment managers, Big 4 operational resilience practice alumni, and specialist consultants with sector-specific implementation experience. Typical interim engagements run from three months (specific project cover) to twelve months (remediation or transition projects). Where the assignment runs alongside a permanent search, we coordinate the two processes to ensure an effective handover.

Permanent Operational Resilience Recruitment

A permanent operational resilience appointment at Head of function level deserves the same rigour as any senior risk or compliance search. The individual will own one of the firm’s most prominent regulatory accountabilities, will be the named contact for FCA and PRA supervision on resilience matters, and will typically support an SMF holder with personal accountability for the framework under SMCR.

FD Capital approaches permanent operational resilience search through direct market engagement. We identify candidates through our network of risk, compliance, and operations professionals and direct outreach, not job board advertising. We screen candidates for prior experience leading the relevant framework stages (IBS identification, impact tolerance setting, mapping, scenario testing, self-assessment), assess their regulatory relationship credentials, and verify their technical competence through structured assessment before presenting shortlists.

For senior Head of Operational Resilience appointments at banks and larger asset managers, we conduct retained executive search. For roles below Head level and for mid-market firms, contingency and exclusive engagements are typically more appropriate. We support the appointment process with reference checking, including direct verification of prior regulatory engagement where candidates have managed the firm’s resilience supervisory relationship.

Firms building a broader risk and compliance function will often make operational resilience appointments alongside related hires. See our Chief Risk Officer Recruitment, Chief Compliance Officer Recruitment, and FCA Regulated Firms Recruitment pages for related services.

The Operational Resilience Specialist Profile: What We Look For

The operational resilience specialists FD Capital places combine deep knowledge of the FCA and PRA frameworks with the practical ability to embed resilience discipline in a complex operational environment. The following characteristics define the strongest candidates:

• Direct framework leadership experience: a track record of personally leading the implementation or evolution of an operational resilience framework through a full regulatory cycle, not just supporting individual elements. Candidates at Head level should have completed at least one full self-assessment cycle with Board approval and (ideally) supervisory engagement
• Technical depth across the four stages: genuine expertise in IBS identification methodology, impact tolerance setting, mapping standards, scenario design and testing, and self-assessment production. Candidates with exposure to only one or two of these stages are typically inadequate for senior roles
• Professional qualifications: qualifications vary; common profiles include risk management (IRM, BCI), audit (CIA, ACA), operations (Six Sigma, PRINCE2), or technology (CISSP, ISACA). Specialist operational resilience certifications exist but are not yet consistently required
• Regulatory interpretation capability: the ability to read FCA SYSC 15A, PRA Statements of Policy, and supervisory publications, and form defensible positions on interpretation questions. Senior hires must engage FCA supervisors directly on framework design points
• Third party risk understanding: increasingly critical given the PRA Critical Third Party regime and DORA implications. Candidates must understand how third party resilience intersects with the firm’s own IBS delivery
• Scenario testing capability: experience designing and running severe-but-plausible scenario tests, capturing lessons learned, and translating them into framework improvements. This is the most operationally demanding part of the role and the area most commonly weak in less experienced candidates
• Sector fit: operational resilience implementation varies by firm type. A banking specialist may not be appropriate for a payments business or an investment manager; an insurance-background specialist may not fit an asset management environment. FD Capital identifies candidates whose sector background matches the client’s environment
• SMCR-aware communication: the ability to support SMF holders credibly, explain framework decisions in plain terms to the Board, and manage the personal accountability dimension of SMCR appropriately

Why Use FD Capital for Operational Resilience Recruitment?

FD Capital has built its practice placing finance leaders and compliance specialists into UK regulated firms. Our operational resilience recruitment service draws on that wider practice and on our specific experience with FCA and PRA-regulated firms and SMCR appointments. What distinguishes our approach:

• Direct network access: we maintain active relationships with operational resilience specialists who are not publicly searching. Senior resilience candidates move through professional referral and industry network, not job board applications. The 2022-2025 transition period has concentrated experienced specialists in a relatively small candidate pool that requires active network access to reach
• Technical screening: we assess candidates against the specific framework stages and implementation maturity the role requires before presenting shortlists. Clients receive candidates with directly relevant experience, not adjacent risk or compliance backgrounds requiring significant adaptation
• Speed on interim requirements: for firms facing urgent framework obligations — a supervisory finding, an incident response, a lost specialist — we can typically identify available interim candidates within days
• Sector breadth: we place across banking, investment management, insurance, payments, and fintech — the principal sectors where UK firms make operational resilience hires
• Senior delivery: operational resilience assignments are managed by senior FD Capital consultants. We do not pass specialist SMF-adjacent appointments to junior recruiters
• Integrated risk and finance view: FD Capital’s background in senior finance recruitment means we understand how operational resilience sits alongside enterprise risk management, financial control, and regulatory reporting — the functions the resilience specialist must coordinate with daily

Frequently Asked Questions

What is operational resilience in UK financial services?
Operational resilience is the discipline of ensuring a regulated firm can continue to provide its Important Business Services through disruption events, remaining within defined impact tolerances. The UK framework requires firms to identify IBS, set impact tolerances, map supporting resources, test ability to remain within tolerance, and produce an annual self-assessment. The framework has been fully in force since 31 March 2025 following a three-year transition period.

What is the difference between operational resilience and business continuity?
Business continuity planning traditionally focuses on restoring internal operations after disruption. Operational resilience focuses on the firm’s ability to continue delivering outcomes to customers and markets through disruption, emphasising impact tolerance rather than recovery time objectives. The disciplines overlap substantially but operational resilience requires a more outcome-focused mindset and explicit regulatory framework compliance.

Does every FCA-regulated firm need an Operational Resilience specialist?
The FCA’s operational resilience rules in SYSC 15A apply to dual-regulated firms, Enhanced Firms under SMCR, and certain other firm categories. Firms outside the strict scope still typically benefit from resilience discipline, and smaller firms may combine the function with compliance or risk roles rather than recruiting a dedicated specialist. FD Capital advises on whether a dedicated hire or a combined role is appropriate for each specific situation.

What qualifications should a Head of Operational Resilience hold?
There is no single required qualification. Most Heads of Operational Resilience at UK regulated firms have backgrounds in risk management, operations, audit, or technology, supplemented by direct operational resilience implementation experience. Professional qualifications (IRM, BCI, CIA, ACA, CISSP) are common but not essential if the candidate has strong framework leadership track record.

How does operational resilience interact with DORA?
The Digital Operational Resilience Act (DORA) applies to EU firms and to UK firms with EU operations. DORA’s framework overlaps significantly with UK operational resilience but has specific additional requirements around ICT risk, third party risk, and incident reporting. Firms operating cross-border need specialists who can manage both frameworks coherently, typically with a single unified programme satisfying both.

How long does operational resilience recruitment typically take?
Interim specialists can typically be in place within 5-10 working days for project cover or framework remediation work. Permanent Operational Resilience Manager placements typically run 6-10 weeks from mandate to offer acceptance. Permanent Head of Operational Resilience placements at Tier 1 banks or large asset managers typically run 10-16 weeks due to the depth of candidate assessment and Board stakeholder engagement required.

Related Services and Resources

Firms building or strengthening their operational resilience function often require related recruitment services alongside the specialist hire:

• Risk and compliance leadership: Chief Risk Officer Recruitment | Fractional CRO Recruitment | Chief Compliance Officer Recruitment | Compliance Recruitment | Risk and Compliance Recruitment
• Finance leadership: CFO Recruitment | Finance Director Recruitment | Fractional CFO | Interim CFO
• Regulatory context: Recruitment for FCA Regulated Firms | SMCR Compliance Recruitment | Section 166 Skilled Person Review Support | MLRO Recruitment | NED Recruitment
• Technical reference: Operational Resilience: A Complete UK Guide | Regulatory Reporting: A Complete UK Guide | SMCR: The Complete UK Guide

FD Capital was founded by Adrian Lawrence FCA, a Chartered Accountant and Fellow of the ICAEW with over 25 years of experience working with senior finance professionals, boards and business owners across the UK. He holds an ICAEW practising certificate in his own name. FD Capital has been providing Finance Director services since 2018. FD Capital is accredited by the Good Business Charter and is a recognised Living Wage Employer.

To discuss your operational resilience recruitment requirement, call 020 3287 9501 or email recruitment@fdcapital.co.uk. Initial consultations are confidential and at no charge.