Operational resilience in the UK financial services context refers to the ability of a regulated firm to prevent, adapt to, respond to, recover from and learn from operational disruptions. The FCA and PRA’s operational resilience framework (Policy Statement PS21/3, in force from March 2022) requires firms to identify their important business services, set impact tolerances for each service, and be able to remain within those tolerances through severe but plausible disruption. Firms were required to have mapped and tested their resilience by March 2025.
Why operational resilience matters
The FCA’s expectation is that resilience is a question of when, not if, disruption occurs. Firms that cannot remain within their impact tolerances during a disruption may face regulatory action. The 2025 implementation deadline means many firms are now in an ongoing monitoring and improvement phase.
Operational resilience overlaps with cyber security and business continuity but is broader than both: it takes a customer- and market-outcome view of disruption from any cause, including third-party and technology failures.
Who it applies to
Banks, building societies, PRA-designated investment firms, insurers, and enhanced-scope solo-regulated FCA firms. In practice, all large regulated firms.
Related terms
Cyber security and SYSC.