Complyport Specialises in providing governance, risk and compliance services

FCA Operational Resilience Policy (PS21/3)

In December 2019 the FCA had consulted in its consultation paper CP19/32 on proposed changes to how firms approach operational resilience. These proposals had been developed together with the Bank of England (BoE) and the Prudential Regulation Authority (PRA) to improve the operational resilience of the UK financial sector.

The FCA implemented the proposals as consulted on and made amendments to reflect the feedback received and set out the feedback and its response in Policy Statement PS 21/3. The FCA, together with the BoE and the PRA, have set out final rules and guidance on new requirements to strengthen operational resilience in the financial services sector. The rules and guidance came into force on 31 March 2022.

Who this applies to?

This affects the firms in scope of the Policy Statement including:

  • Banks
  • Building societies
  • PRA-designated investment firms
  • Insurers
  • Recognised Investment Exchanges
  • Enhanced scope SM&CR firms
  • Entities authorised and registered under the Payment Services Regulations 2017 or Electronic Money Regulations 2011
Required actions by firms

Firms in-scope must have undertaken by 31 March 2022 the below steps:

  • Identified their important business services,
  • Set impact tolerances for the maximum tolerable disruption; and
  • Conducted adequate mapping and testing to a level of sophistication necessary to do so.

Firms must also have identified any vulnerabilities in their operational resilience. As soon as possible after 31st March 2022 but no later than 31st March 2025, the firms must perform mapping and testing so that they are able to remain within their impact tolerances for each important business service. In-scope firms must also have made the necessary investments to enable them to operate consistently within their impact tolerances.

In addition, firms are expected to have established comprehensive communication strategies, both internally and externally, to address operational disruptions swiftly and efficiently and reduce the harm caused. In formulating their external communication approach, firms must have in place mechanisms for issuing crucial alerts or guidance to consumers and other relevant stakeholders, even when a direct communication channel is absent.

Self-assessment document

Additionally, the firms must compile a self-assessment document that shows how they meet the requirements set by regulators. The document will not need to be submitted to the FCA, but it should be made available on request.

Oversight over this self-assessment document should rest with the board or the firm’s management body, necessitating periodic review and approval.

Operational Resilience Impact Assessment (ORIA)

Complyport’s Operational Resilience Impact Assessment (ORIA) can help firms in-scope by providing the following:

  • Present an assessment of your Operational Resilience framework in line with the Operational Resilience Policy and expectations of the FCA.
  • Outline gaps within your existing Operational Resilience framework.
  • Support the definition/redefinition of your approach towards the risk scenarios of operational disruptions and the optimisation of the continuity strategies and tactics to improve your operational resilience posture.
  • Provide summary with respect to the Operational Resilience framework arrangements and mechanisms that need to be in place to comply with the FCA’s Operational Resilience requirements.

Following this review, our consultants will provide a report that will function as a roadmap, outlining what needs to be completed to ensure compliance with regulatory requirements.

How we can help your firm

Complyport is uniquely positioned to provide guidance and support to firms that fall under these regulatory obligations and are currently in the midst of navigating the process. We understand that it can be challenging to ascertain whether your current position aligns with compliance requirements, or how best to successfully navigate the rules and guidance for meeting these obligations in the future. We can assist you grasp the necessary thought processes and actionable steps.

In situations where an organisation’s senior executive management is seeking for support to understand the dimensions of operational resilience within the financial services sector, we can offer bespoke training through our associated and accredited training academy the LGCA

Broadly speaking, our accomplished team is equipped to deliver customised support that paves the way for firms to achieve full compliance with their Operational Resilience obligations through targeted project initiatives.


Contact Us
If you would like to know more about how we can help you with your operational resilience arrangements or any other regulatory compliance issues, Complyport’s team of experts is here to help.

Your compliance questions answered. Just ask ViCA - Your virtual compliance assistant