Skip to content
CityLearning
Data & operational

Operational resilience

Operational resilience is a UK regulated firm's ability to prevent, adapt to, respond to, recover from and learn from operational disruptions. Under the FCA and PRA framework (Policy Statement PS21/3), firms must identify important business services, set impact tolerances, and stay within them through severe but plausible disruption.

Operational resilience in the UK financial services context refers to the ability of a regulated firm to prevent, adapt to, respond to, recover from and learn from operational disruptions. The FCA and PRA’s operational resilience framework (Policy Statement PS21/3, in force from March 2022) requires firms to identify their important business services, set impact tolerances for each service, and be able to remain within those tolerances through severe but plausible disruption. Firms were required to have mapped and tested their resilience by March 2025.

Why operational resilience matters

The FCA’s expectation is that resilience is a question of when, not if, disruption occurs. Firms that cannot remain within their impact tolerances during a disruption may face regulatory action. The 2025 implementation deadline means many firms are now in an ongoing monitoring and improvement phase.

Operational resilience overlaps with cyber security and business continuity but is broader than both: it takes a customer- and market-outcome view of disruption from any cause, including third-party and technology failures.

Who it applies to

Banks, building societies, PRA-designated investment firms, insurers, and enhanced-scope solo-regulated FCA firms. In practice, all large regulated firms.

Cyber security and SYSC.

Frequently asked questions

What is operational resilience in financial services?
Operational resilience is a UK regulated firm's ability to prevent, adapt to, respond to, recover from and learn from operational disruptions. Under the FCA and PRA framework in Policy Statement PS21/3, firms must identify their important business services, set impact tolerances for each, and remain within those tolerances through severe but plausible disruption.
What are impact tolerances?
An impact tolerance is the maximum tolerable level of disruption to an important business service, expressed as a measure such as time. Under the FCA and PRA operational resilience rules, firms must set an impact tolerance for each important business service and demonstrate they can remain within it during severe but plausible scenarios, having tested their resilience by March 2025.

Reviewed by Margaret Hassett

← Back to the compliance glossary

Turn definitions into training

See how CityLearning's UK compliance courses help your team understand terms like this in practice.