Operational Resilience: The Complete UK Guide for FCA-Regulated Firms

Operational Resilience Support: Find Senior Risk Leaders Who Have Run the Regime Before

Operational resilience is the UK financial services sector’s response to the recognition that operational disruption — not just financial distress — can create systemic risk. The framework came into force on 31 March 2022 and required firms to be operating within their impact tolerances by 31 March 2025. Every UK bank, building society, insurer, investment firm holding client money or assets, payment services firm, and other in-scope entity has now worked through the identification of important business services, the setting of impact tolerances, the mapping of dependencies, the testing against severe but plausible scenarios, and the production of a formal self-assessment document. The regime is live, it is ongoing, and it is a material supervisory focus area.

Operational resilience is genuinely different from the business continuity and operational risk disciplines that preceded it. Business continuity historically focused on recovery — getting the firm back up after a disruption. Operational risk historically focused on controls — preventing loss events. Operational resilience focuses on tolerability — how much disruption a specific business service can sustain before causing intolerable harm to consumers or market integrity, and what the firm must do to stay within that tolerance across the full range of severe but plausible scenarios. The shift is from internal recovery metrics to externally-facing harm thresholds, and it requires a different analytical approach.

This guide sets out the UK operational resilience regime as it stands, the specific rulebook requirements, the main operational workstreams firms must run, how the regime intersects with third-party risk management and cyber resilience, the UK divergence from the EU’s Digital Operational Resilience Act (DORA), and how FD Capital places the senior risk, compliance and operational specialists who make the regime work. It is written for Chief Risk Officers, Heads of Operational Resilience, senior compliance leadership and boards at FCA-regulated firms.

The Regulatory Framework — Where Operational Resilience Comes From

UK operational resilience obligations sit in a specific rulebook structure, developed jointly by the FCA, the PRA and the Bank of England after an extensive policy development process.

The foundational policy statements

The regime was established by three parallel policy statements published in March 2021:

  • FCA PS21/3: Building operational resilience — the FCA’s policy statement and final rules for FCA-regulated firms.
  • PRA PS6/21 and Supervisory Statement SS1/21: The PRA’s operational resilience framework for PRA-regulated firms (banks, building societies, PRA-designated investment firms and insurers).
  • Bank of England Statement of Policy: Operational resilience expectations for financial market infrastructure firms.

The three policy statements are deliberately aligned, so firms subject to multiple regulators can operate a single framework. But the specific rulebook provisions sit in different places depending on the firm type.

FCA Handbook provisions

For FCA-regulated firms, the primary rulebook location is SYSC 15A (Operational resilience). SYSC 15A applies to:

  • Banks, building societies and dual-regulated investment firms (alongside PRA requirements)
  • Enhanced scope SMCR firms and certain Core scope firms
  • Insurance and reinsurance firms
  • Payment services firms and electronic money institutions
  • Registered account information service providers
  • Recognised investment exchanges

The rules are not universally applied to all FCA-regulated firms — smaller firms and certain firm types are outside scope. Firms should check the specific SYSC 15A application provisions to determine their obligations.

The PRA framework

PRA-regulated firms are subject to the PRA Rulebook’s Operational Resilience Part and to SS1/21. The substantive requirements are consistent with the FCA’s SYSC 15A approach, but the PRA also applies additional specific expectations reflecting the systemic importance of the firms it regulates.

Implementation timeline

The regime came into force on 31 March 2022, with a three-year transitional period to full compliance on 31 March 2025. During the transitional period, firms were expected to identify important business services, set impact tolerances, map dependencies and begin testing — and were expected to achieve the ability to operate within impact tolerances across the full range of severe but plausible scenarios by the end of the transition.

We are now past the 31 March 2025 deadline. The regime is in its ongoing operational phase: firms must continue to demonstrate operation within tolerances, must refresh their analysis annually, must respond to emerging threats, and face specific supervisory attention on how well they are handling real-world disruption events.

Important Business Services — the Foundation of the Framework

The entire operational resilience framework is built on the concept of the important business service. Getting this identification right is foundational; getting it wrong means everything that follows is calibrated incorrectly.

Definition

An important business service is a service provided by a firm to an external end-user where a disruption could:

  • Cause intolerable harm to consumers
  • Pose risk to market integrity
  • Threaten the financial stability of the UK (for larger firms)
  • Threaten the firm’s own viability (for firms where this is relevant)

Important business services are defined from the customer’s perspective, not the firm’s internal structure. A business service is an end-to-end service that the customer experiences — such as making a payment, accessing funds, receiving an insurance claim payout, or executing a securities trade. The identification is not a list of internal functions or systems; it is a list of things customers actually use the firm for.

Identification methodology

The firm must:

  • Work through its business model to identify the services it provides to external customers
  • Assess for each service whether disruption could cause intolerable harm
  • Document the basis for inclusion or exclusion of each potential service
  • Arrive at a formal list of important business services, approved by the firm’s governing body
  • Review the list periodically, at least annually and whenever business changes materially

Most UK firms have identified between 5 and 30 important business services, depending on their size and the breadth of their activities. A retail bank typically has services covering payments in and out, card transactions, cash access, mortgage servicing, lending operations, account servicing, and similar. A wealth manager typically has services covering fund investment, withdrawal, corporate actions processing, client reporting and advice delivery. An insurer typically has services covering policy issuance, claims handling, premium collection and regulatory reporting.

Common identification errors

Supervisory reviews have repeatedly identified errors in important business service identification:

  • Listing internal functions (“Treasury”, “IT infrastructure”) rather than customer-facing services
  • Over-aggregating multiple distinct services into a single entry, obscuring the specific disruption risks
  • Under-aggregating, producing unwieldy lists that obscure the genuinely important services
  • Omitting services that are provided but not considered commercially important, without substantively assessing customer harm
  • Identifying services at a governance level without meaningful front-line operational input

Impact Tolerances — the Critical Analytical Step

For each important business service, the firm must set an impact tolerance — the maximum tolerable level of disruption, expressed as a specific quantifiable measure. Setting impact tolerances is the analytical heart of the regime.

What an impact tolerance measures

An impact tolerance is typically expressed in terms of:

  • Time: The maximum duration the service can be disrupted before intolerable harm occurs (e.g. “4 hours” for payment services).
  • Volume: The maximum number of affected customers or transactions before intolerable harm occurs (e.g. “more than 100,000 affected customers”).
  • Severity: The depth of disruption that can be sustained (full outage vs. degraded service).
  • Combinations: Often combined measures — “a full outage of more than 4 hours” or “a degraded service affecting more than 50,000 customers for more than 8 hours.”

Setting impact tolerances meaningfully

The central discipline is that impact tolerances must reflect genuine harm thresholds, not operational convenience or current capability. A firm that can currently recover payments in 8 hours should not set its tolerance at 8 hours because that is what it can do; it should set it at the point at which customer harm becomes intolerable (which might be 2 hours or 6 hours depending on the customer base and the service). If there is a gap between the tolerance and current capability, the firm must close the gap — not redefine the tolerance.

Evidence and analysis

Impact tolerances must be supported by analysis covering:

  • Consumer harm assessment — what specific harms arise at different durations or volumes of disruption
  • Market integrity impact — where applicable, how market function would be affected
  • Financial stability impact — for larger firms, potential systemic effects
  • Customer vulnerability considerations — how vulnerable customers would be particularly affected
  • Quantitative evidence where available, qualitative judgment supported by rationale where not

Governance of impact tolerances

Impact tolerances must be approved by the firm’s governing body — typically the board. This is not a purely technical matter to be delegated. The board is being asked to say, in effect, “this is the level of disruption our customers should tolerate as the worst case.” That is a board-level decision with reputational, commercial and regulatory consequences.

Mapping — Understanding Dependencies

Once important business services are identified and impact tolerances are set, the firm must map the resources and dependencies supporting each service. The mapping exercise is large, specific, and foundational to everything else.

What mapping covers

Mapping identifies all the resources needed to deliver each important business service:

  • People: The specific roles and teams required, including key-person dependencies and single-points-of-knowledge risks.
  • Processes: End-to-end process flows from customer interaction through to service delivery.
  • Technology: Systems, applications, databases, communication infrastructure, end-user devices.
  • Facilities: Offices, data centres, contact centres, branches as relevant.
  • Third parties: External suppliers, platforms, intermediaries, payment infrastructure, market utilities.
  • Information: The specific data required and its sources.

Depth of mapping

The FCA expects mapping to be at a level of detail that allows the firm to identify specific vulnerabilities. Shallow mapping — listing “core banking system” as a dependency without identifying the specific components, interfaces and sub-dependencies — is typically insufficient. Deep mapping surfaces the genuine single points of failure and concentration risks that firms need to address.

Third-party mapping — the hardest part

Third-party dependency mapping is where many firms have found the work hardest. It requires:

  • Identifying all third parties involved in delivering the service, directly or indirectly
  • Understanding the third party’s own dependencies (fourth-party risk)
  • Assessing the third party’s operational resilience capabilities
  • Mapping concentration risk where multiple services rely on the same third party
  • Understanding the exit and substitution options if the third party fails

Cloud providers, core banking system vendors, payment infrastructure operators, and settlement systems are common concentration points. Mapping and managing third-party dependency is a specialist discipline within operational resilience and is increasingly handled by dedicated Third-Party Risk Management functions.

Testing — Severe But Plausible Scenarios

Firms must test their ability to stay within impact tolerances against severe but plausible scenarios. Testing is ongoing, not a one-off exercise.

What “severe but plausible” means

The scenarios must be severe — reflecting the kind of disruption that stretches the firm’s capability — but plausible, meaning realistic within the firm’s operating environment. Too mild and the test proves nothing; too extreme and the test becomes academic.

Typical scenario categories include:

  • Cyber attacks (ransomware, data destruction, denial of service)
  • Technology failures (major system outages, data centre loss)
  • Third-party failures (critical vendor outage, cloud provider failure)
  • Physical disruption (building loss, regional infrastructure failure)
  • People unavailability (pandemic effects, major workforce incident)
  • Data loss or corruption
  • Combined scenarios (cyber plus third-party failure, multiple concurrent events)

Testing methodologies

Firms use a range of testing approaches, typically including:

  • Desk-based exercises: Tabletop scenarios walked through by the response team, testing decision-making and communication.
  • Simulation exercises: More realistic simulations involving actual technology and personnel, testing operational response capability.
  • Live fire testing: Controlled actual disruption testing (e.g. shutting down a specific system to verify recovery) — the most demanding form of testing and typically reserved for the most critical capabilities.
  • Threat-led penetration testing: Cyber-specific testing using scenarios drawn from known threat actors and tactics.
  • Lessons learned from real events: Post-incident reviews of actual disruptions, treating them as unscheduled tests.

Test findings and remediation

The purpose of testing is to identify gaps between current capability and impact tolerance — and then to close those gaps. Tests that consistently show the firm comfortably within tolerance are either well-calibrated (good) or not stretching (bad). Tests that show the firm outside tolerance drive remediation investment. The test-find-fix cycle is what gives operational resilience its teeth; firms that test but do not remediate are not actually building resilience.

Vulnerability Identification and Remediation

Alongside scenario-based testing, firms must identify vulnerabilities in their operational arrangements and remediate them within reasonable timeframes.

Common vulnerability categories

The vulnerabilities operational resilience work typically surfaces:

  • Single points of failure: Systems, people, third parties, or facilities whose loss would directly cause breach of an impact tolerance, without adequate redundancy or substitution.
  • Concentration risk: Multiple services depending on the same third party, system or facility, such that a single failure has amplified impact.
  • Legacy technology: Outdated systems lacking modern resilience features, difficult to test against realistic scenarios, and often with limited vendor support.
  • Complex process chains: Services delivered through long sequences of dependencies where disruption to any one link causes overall failure.
  • Inadequate recovery capabilities: Recovery time objectives that do not meet impact tolerances, backup systems that have not been tested under realistic load, data recovery processes with gaps.
  • Third-party risk: Suppliers without adequate operational resilience themselves, concentration in specific vendors, limited exit options.
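The mapping described above and the vulnerability categories just listed can be checked mechanically once the map exists. The following is an added example, not code from the guide or from any firm's framework: it models important business services depending on resources (technology, people, facilities, third parties), lets third parties carry their own sub-dependencies (fourth-party risk), and from that graph reports concentration risk, single points of failure and recovery gaps against time-form impact tolerances. All names, RTO values and the assumption that a service recovers no faster than its slowest dependency are constructed for illustration.

```python
# Constructed example of dependency-map analysis for operational resilience.
# Not the guide's own code or any regulator's method; every value is invented.
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Resource:
    name: str
    kind: str                      # people / technology / facility / third_party / ...
    rto_hours: float               # assumed recovery time objective for this resource
    depends_on: List[str] = field(default_factory=list)  # sub-dependencies, e.g. fourth parties
    redundant: bool = False        # True only where a tested substitute or failover exists


@dataclass
class BusinessService:
    name: str
    tolerance_hours: float         # impact tolerance in its time form ("full outage > N hours")
    depends_on: List[str] = field(default_factory=list)


def transitive_dependencies(roots: List[str], resources: Dict[str, Resource]) -> Set[str]:
    """Every resource reachable from the roots, following sub-dependencies.
    A visited set guards against cycles; an unmapped name is a mapping gap and is raised."""
    seen: Set[str] = set()
    stack = list(roots)
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        if name not in resources:
            raise KeyError(f"unmapped dependency: {name}")
        seen.add(name)
        stack.extend(resources[name].depends_on)
    return seen


def achievable_recovery_hours(service: BusinessService, resources: Dict[str, Resource]) -> float:
    """Assumption: a service recovers no faster than its slowest dependency,
    so achievable recovery is the largest RTO anywhere in the dependency closure."""
    closure = transitive_dependencies(service.depends_on, resources)
    return max((resources[n].rto_hours for n in closure), default=0.0)


def tolerance_gaps(services: List[BusinessService],
                   resources: Dict[str, Resource]) -> Dict[str, Tuple[float, float]]:
    """Services whose achievable recovery exceeds their impact tolerance:
    service name -> (achievable_hours, tolerance_hours). These need a remediation plan."""
    gaps: Dict[str, Tuple[float, float]] = {}
    for svc in services:
        achievable = achievable_recovery_hours(svc, resources)
        if achievable > svc.tolerance_hours:
            gaps[svc.name] = (achievable, svc.tolerance_hours)
    return gaps


def concentration_risk(services: List[BusinessService], resources: Dict[str, Resource],
                       min_services: int = 2) -> Dict[str, Set[str]]:
    """Resources (typically third parties) that sit beneath at least min_services
    important business services, directly or via a fourth party."""
    users: Dict[str, Set[str]] = {}
    for svc in services:
        for name in transitive_dependencies(svc.depends_on, resources):
            users.setdefault(name, set()).add(svc.name)
    return {n: s for n, s in users.items() if len(s) >= min_services}


def single_points_of_failure(services: List[BusinessService],
                             resources: Dict[str, Resource]) -> Dict[str, List[str]]:
    """Per service, the non-redundant resources whose loss alone would disrupt it."""
    return {
        svc.name: sorted(n for n in transitive_dependencies(svc.depends_on, resources)
                         if not resources[n].redundant)
        for svc in services
    }


# Constructed sample map for an illustrative retail bank (all values invented).
RESOURCES: Dict[str, Resource] = {r.name: r for r in [
    Resource("Cloud provider A", "third_party", 4.0),
    Resource("Faster Payments connectivity", "third_party", 1.0, redundant=True),
    Resource("Card processor", "third_party", 3.0, ["Cloud provider A"]),      # fourth party
    Resource("Core banking platform", "technology", 6.0, ["Cloud provider A"]),
    Resource("Payments gateway", "technology", 2.0,
             ["Cloud provider A", "Faster Payments connectivity"]),
    Resource("Contact centre", "facility", 8.0, redundant=True),
    Resource("Payments ops team", "people", 2.0, redundant=True),
]}

SERVICES: List[BusinessService] = [
    BusinessService("Make a payment", 4.0, ["Payments gateway", "Payments ops team"]),
    BusinessService("Access account balance", 8.0, ["Core banking platform", "Contact centre"]),
    BusinessService("Card transactions", 2.0, ["Card processor"]),
]

if __name__ == "__main__":
    print("Tolerance gaps:", tolerance_gaps(SERVICES, RESOURCES))
    print("Concentration risk:", concentration_risk(SERVICES, RESOURCES))
    print("Single points of failure:", single_points_of_failure(SERVICES, RESOURCES))
```

In the sample map the shared cloud provider is surfaced as a concentration point under all three services, and card transactions show a recovery gap because the fourth-party dependency's RTO exceeds the 2-hour tolerance even though the card processor itself recovers in 3 hours.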

Remediation planning

Where vulnerabilities are identified and they result in actual or potential breach of impact tolerance, the firm must develop and execute a remediation plan. The plan should be:

  • Specific to the vulnerability identified
  • Time-bound with credible target dates
  • Resource-committed with identified owner
  • Tracked through to completion with evidence
  • Reviewed by senior management and the board for progress

Vulnerabilities that the firm cannot close within a reasonable timeframe must be formally acknowledged, with mitigating controls in place and senior management and board acceptance of the residual risk.

The Self-Assessment Document

Firms must produce a formal self-assessment document covering their operational resilience framework, approved by the governing body and available for supervisory review.

What the self-assessment covers

A comprehensive self-assessment typically covers:

  • The list of important business services and the rationale for inclusion
  • The impact tolerances set for each service with supporting analysis
  • Summary of the mapping work and key dependencies identified
  • Testing approach, scenarios tested, and outcomes
  • Vulnerabilities identified and remediation plans
  • Third-party risk management integration
  • Communication plans and customer-facing response capability
  • Governance arrangements, including board oversight and management responsibility
  • Lessons learned from real events and incorporated into the framework
  • Forward plan for the next review cycle

Board approval and annual refresh

The self-assessment must be approved by the firm’s governing body and reviewed at least annually. Substantive board engagement — not just formal approval — is expected. The board should understand the impact tolerances they are approving, the key vulnerabilities, and the remediation plans. Self-assessments that appear on board agendas as formalities rather than substantive governance documents have been criticised in supervisory reviews.

Supervisory use of the self-assessment

The self-assessment is not filed with the regulator but must be available on request. The FCA and PRA have been actively requesting self-assessments from firms during supervisory engagement, and the document quality is itself a supervisory signal. Thin, generic or formulaic self-assessments create supervisory concern; substantive, firm-specific documents with honest identification of weaknesses and credible remediation plans tend to be received better.

Third-Party Risk Management

Third-party risk management (TPRM) is a distinct but deeply connected workstream. The operational resilience rules require specific attention to third-party dependencies, and successive FCA and PRA publications have emphasised the importance of robust TPRM.

The third-party landscape

UK firms typically have extensive third-party exposure:

  • Cloud infrastructure providers (AWS, Microsoft Azure, Google Cloud)
  • Core system vendors (banking platforms, policy administration, trading systems)
  • Payment infrastructure (Bacs, CHAPS, Faster Payments, card schemes)
  • Market utilities (settlement systems, trade repositories, CCPs)
  • Data providers (market data, reference data, customer data)
  • Managed service providers (outsourced operations, back-office processing)
  • Software-as-a-service providers (customer communications, risk analytics, compliance systems)
  • Professional service providers (law firms, accountancy firms, consultancies with operational dependencies)

Critical third-party regulation

Alongside operational resilience, the UK has introduced the Critical Third Party (CTP) regime, which enables HM Treasury to designate certain technology providers as critical to UK financial services and subject them to direct regulatory oversight by the FCA, PRA and Bank of England. This is an important development — traditionally third parties were regulated only through the firms that used them, but the CTP regime creates direct regulatory oversight where systemic importance is established. Firms should understand which of their critical third parties may fall within the CTP regime.

TPRM as a specialist discipline

Mature UK firms operate dedicated TPRM functions handling:

  • Third-party inventory and criticality assessment
  • Onboarding due diligence and contract negotiation
  • Ongoing performance monitoring
  • Concentration and fourth-party risk analysis
  • Exit planning and substitutability analysis
  • Incident response coordination across multi-party dependencies

TPRM leaders are in short supply and high demand — this is one of the areas where our risk and compliance recruitment practice is most actively engaged.

Cyber Resilience — the Most Active Threat Area

Cyber resilience is not formally a separate regime from operational resilience, but the specific focus on cyber threats has become intense. Successive FCA and PRA communications have emphasised cyber as a primary operational resilience risk area, and testing scenarios heavily feature cyber attack profiles.

The cyber threat landscape

UK financial services firms face continuous cyber threat activity. The specific patterns that have driven recent operational resilience focus:

  • Ransomware attacks with data exfiltration components
  • Third-party compromise cascading to customer firms
  • Sophisticated social engineering targeting senior staff
  • Nation-state threat actors with increasing capability
  • Denial-of-service attacks during peak processing periods
  • Supply chain compromise of widely-used software

Regulatory expectations on cyber

Firms are expected to have:

  • A specific cyber strategy and framework, integrated with operational resilience
  • Continuous threat monitoring capability, appropriate to the firm’s scale and threat exposure
  • Incident response capability with clear roles, communication protocols and regulator engagement
  • Threat-led testing, often using scenarios provided by industry bodies (CBEST for banks, STAR-FS for insurers and investment firms)
  • Third-party cyber due diligence, given the substantial cyber risk that comes through third-party connections
  • Board engagement on cyber including regular management information and participation in tabletop exercises

UK vs EU — the Divergence From DORA

The EU’s Digital Operational Resilience Act (DORA) entered into force on 17 January 2025, creating an EU equivalent to the UK regime. The two frameworks are conceptually similar but differ in specific detail, and firms operating in both the UK and the EU must navigate both.

Key areas of alignment

Both regimes focus on ICT risk management, incident reporting, resilience testing, third-party risk management and governance. The fundamental approach — risk-based identification of what matters, tolerance setting, testing and remediation — is common.

Key areas of divergence

  • Scope: DORA applies to a broader population of financial entities than the UK regime covers.
  • ICT specificity: DORA is explicitly ICT-focused; the UK regime is broader, covering operational resilience across all dependency types (though with strong ICT elements).
  • Incident reporting: DORA has specific classification and reporting requirements for ICT-related incidents; UK rules sit within broader Principle 11 and SUP 15.3 frameworks.
  • Third-party regulation: DORA contains more prescriptive third-party provisions; the UK’s CTP regime is narrower but covers the systemically critical providers directly.
  • Testing specificity: DORA specifies advanced threat-led penetration testing (TLPT) for specific entity types.

Firms with UK and EU operations typically run a unified operational resilience framework but with specific DORA-compliance overlays for their EU activities. The governance complexity is material, and the specialist knowledge to navigate both regimes is a specific recruitment market.

Common Operational Resilience Failings

Supervisory reviews and industry commentary have identified recurring failings.

Important business service lists that do not reflect customer reality

Lists built from internal structures rather than customer services. Lists at wrong levels of aggregation. Lists that omit services the firm considers commercial but not strategic, without substantive customer harm analysis.

Impact tolerances set to current capability

Tolerances calibrated to what the firm can do rather than what genuine customer harm would dictate. Tolerances that create no real pressure to invest in improvement. Tolerances without adequate supporting analysis to defend under supervisory scrutiny.

Shallow mapping

Mapping that lists major dependencies without the specificity needed to identify actual vulnerabilities. Mapping that has not been refreshed as systems and third parties have changed. Mapping that stops at first-party and does not adequately cover fourth-party risk.

Testing as compliance rather than learning

Tabletop exercises run to satisfy the testing requirement rather than to stress-test capability. Scenarios chosen for plausibility rather than stretch. Test outcomes recorded but not translated into remediation action.

Third-party gaps

Inadequate visibility of third-party dependencies beyond the top tier. Limited engagement with third parties on their own resilience capabilities. Weak exit planning for critical third parties. Concentration risk not properly surfaced and addressed.

Governance at formal rather than substantive level

Board engagement that approves documents without substantive challenge. Risk committee review that does not surface the genuine vulnerabilities. Senior management accountability under SMCR that is nominal rather than operational. See our SMCR guide for more on how senior manager accountability applies.

Post-implementation drift

Firms that invested heavily in the 2022-2025 implementation phase but have under-resourced the ongoing operation of the framework. Self-assessments that are annual refreshes rather than genuine reviews. Testing that has continued at the 2023-2024 intensity without keeping pace with emerging threats.

The Specialist Roles Firms Need for Operational Resilience

Operational resilience has created demand for specific senior roles that either did not exist or were much narrower before the regime came into force.

Head of Operational Resilience

The senior operational role owning the firm’s operational resilience framework. Typically reports to the Chief Risk Officer. Owns the important business service list, impact tolerance setting, mapping programme, testing programme, vulnerability remediation, and the annual self-assessment. Leads the interface between operational resilience and adjacent disciplines (TPRM, cyber, business continuity).

Chief Risk Officer

The Chief Risk Officer typically carries overall SMCR accountability for operational resilience within the risk function. At smaller firms the CRO may directly own the operational resilience work; at larger firms there is typically an intermediate layer of resilience leadership.

Head of Third-Party Risk Management

Dedicated TPRM leadership, increasingly common at mid-market and larger firms. Owns the third-party inventory, onboarding diligence, ongoing monitoring, and the interface with operational resilience for third-party-related vulnerabilities.

Head of Cyber Resilience / CISO

Chief Information Security Officer or equivalent, owning the firm’s cyber security and cyber resilience framework. Works closely with Head of Operational Resilience on scenario testing, incident response and vulnerability management.

Operational resilience specialists

Supporting roles handling specific workstreams — important business service analysis, impact tolerance modelling, mapping, testing, third-party analysis. Typically qualified in business continuity, operational risk or technology risk, with FSC-specific regulatory experience.

Chief Operating Officer (SMF24)

Where the firm has a COO holding SMF24, operational resilience often falls within their accountability. The COO owns the operational running of the firm, and operational resilience is a core part of that. The specific allocation between COO, CRO and other Senior Managers varies by firm.

How FD Capital Places Operational Resilience and Risk Specialists

FD Capital operates a specialist FCA-regulated firms recruitment practice. Within this, operational resilience, third-party risk management and broader operational risk are active placement areas. The specialist talent pool is genuinely tight — operational resilience as a discipline is less than a decade old, and the specific combination of technical depth, regulatory expertise and commercial understanding is specific to each search.

Candidate pool

Our candidate pool in this area includes:

  • Heads of Operational Resilience at UK banks, investment firms, insurers, payment services firms and the wider FCA-regulated population
  • Chief Risk Officers with specific operational resilience programme leadership experience
  • Third-Party Risk Management leaders with UK FSC-specific expertise
  • Cyber resilience leaders, including CISOs at FCA-regulated firms
  • Business continuity and operational risk specialists who have transitioned into operational resilience
  • Specialist testing leads with CBEST/STAR-FS experience
  • Chief Operating Officers (SMF24) at FCA-regulated firms

Engagement models

  • Permanent placements for firms building or replacing operational resilience leadership.
  • Interim and fractional placements for specific situations — remediation following supervisory review, programme leadership for specific workstreams, cover during recruitment.
  • Specialist project placements for finite workstreams — self-assessment production support, third-party risk assessment exercises, specific testing programmes.

Sector coverage

Different UK FCA-regulated sectors have different operational resilience profiles. Banks and payment services firms face the most intense supervisory attention given systemic importance. Insurers focus on claims-handling resilience and policy servicing. Wealth and asset managers focus on market-related services and client asset protection. We match candidates to the specific firm context and the specific operational resilience priorities that sector demands.

Operational Resilience is Permanent — Staff It Accordingly

The firms that have navigated operational resilience well treat it as a permanent capability, not a compliance initiative completed in 2025. They maintain the Head of Operational Resilience role, they refresh the framework annually with substantive analysis, they test continuously against evolving threats, they engage the board substantively, and they integrate operational resilience into ordinary management decision-making rather than treating it as a separate compliance stream.

Firms that under-resourced the ongoing phase — reducing headcount after the 2025 milestone, treating self-assessment as a document refresh, failing to keep testing pace with emerging threats — are now finding themselves behind on supervisory expectations. The cost of reinvestment is typically greater than the cost of maintaining the capability would have been.

FD Capital can help you find the right operational resilience leader, CRO, CISO, Head of TPRM or specialist support — permanent, interim or fractional — matched to your specific firm and operational resilience context.

A Note from Our Founder — Adrian Lawrence FCA

The conversations I have about operational resilience appointments usually come in one of two contexts. The first is firms building out the permanent operational resilience function having relied during implementation on a mix of internal seconded resource and external consultants. The second is firms in remediation following supervisory feedback, where the implementation looked compliant on paper but the substance underneath was not as strong as it needed to be. In both contexts the same pattern applies: the specialists who succeed combine technical depth with strong communication skills, because operational resilience requires constant stakeholder management across IT, operations, compliance, risk, commercial and board audiences.

The most common mistake I see firms make with operational resilience recruitment is treating it as an operational risk role with a new name. It is not. Operational resilience sits at the intersection of risk, technology, operations and regulatory affairs, and the candidates who succeed have fluency across all four. Firms that recruit from a narrower background typically end up with stronger technical output but weaker stakeholder traction, and the framework does not embed operationally.

At FD Capital we place operational resilience specialists, Chief Risk Officers, Heads of TPRM and the wider risk leadership that FCA-regulated firms need. If you are recruiting in this area, assessing your current operational resilience maturity, or working through a specific supervisory engagement, I am happy to have a direct conversation. Every mandate I take on is handled personally.

Adrian Lawrence FCA  |  Founder, FD Capital  |  ICAEW Verified Fellow  |  ICAEW-Registered Practice  |  Companies House no. 13329383  |  Placing operational resilience specialists at FCA-regulated UK firms since 2018

Hire an Operational Resilience Leader or Senior Risk Specialist

Head of Operational Resilience appointments, Chief Risk Officer and CISO placements, Head of Third-Party Risk Management, and specialist operational resilience support — all with substantive UK FCA and PRA regulatory depth. FD Capital places operational resilience and risk specialists at UK FCA-regulated firms, as fractional, interim or permanent appointments.

Call: 020 3287 9501
Email: recruitment@fdcapital.co.uk


Further Reading and Authoritative Sources

The primary authoritative sources on UK operational resilience are the FCA, the PRA and the Bank of England. The FCA’s operational resilience pages cover the regime, the final policy statement PS21/3, and ongoing supervisory commentary. The FCA Handbook SYSC 15A contains the specific rules for FCA-regulated firms.

The Prudential Regulation Authority’s operational resilience framework sits in the PRA Rulebook’s Operational Resilience Part and in Supervisory Statement SS1/21. The Bank of England publishes additional material for financial market infrastructure firms and on the Critical Third Party regime.

For firms operating across UK and EU jurisdictions, the Digital Operational Resilience Act (DORA) creates parallel EU obligations. ESMA, the EBA and EIOPA publish implementing technical standards and guidance on DORA application.

Industry resources include sector guidance published by trade bodies (UK Finance, the Investment Association, the Association of British Insurers), and specialist material from the Chartered Institute of Internal Auditors on operational resilience audit approaches, and from BCI (Business Continuity Institute) and similar organisations on the underlying business continuity and resilience disciplines.

Professional body resources include the ICAEW for chartered accountants in regulated roles, and the Institute of Risk Management for operational risk and resilience CPD and qualifications.
