Skip to content
All insights
Operational ResilienceFCAPRABusiness ContinuityRisk Management

Operational Resilience: Keeping Your Regulated Business Afloat

Navigating the complexities of operational resilience for FCA/PRA-regulated firms without succumbing to unnecessary panic.

Operational Resilience: Keeping Your Regulated Business Afloat
TL;DR Operational resilience is a regulatory requirement, not just a good idea. Proactive planning and testing are key to maintaining critical business functions during disruptions.

Beyond the Buzzwords: What Operational Resilience Really Means

In regulated financial services, the term 'operational resilience' has become ubiquitous. For firms overseen by the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA), it's not just a piece of jargon; it's a fundamental requirement. But what does it truly entail, and how can you achieve it without getting lost in a sea of compliance checklists and unnecessary anxiety?

At Amaya Technology, we see operational resilience as the ability of a firm to prevent, adapt to, respond to, recover from, and learn from operational disruptions. It's about ensuring that your critical business services can continue to be delivered, even when things go wrong. Think of it as the robust scaffolding that supports your entire operation, designed to withstand storms and ensure the lights stay on.

The Regulatory Landscape: FCA and PRA Expectations

The FCA and PRA have made their expectations clear. They are less concerned with the *causes* of disruption and more focused on the *impact*. The core principle is safeguarding consumers and market integrity. This means identifying your most important business services and ensuring they can remain within impact tolerances when faced with severe but plausible disruptions.

Key expectations often revolve around:

  • Identifying and mapping critical business services: Understanding what services are essential and who relies on them.
  • Setting impact tolerances: Defining the maximum tolerable level of disruption for each critical service.
  • Assessing vulnerabilities: Identifying potential weaknesses in systems, processes, people, and third-party dependencies.
  • Scenario testing: Regularly testing your ability to withstand specific, severe disruption scenarios.
  • Communication and governance: Establishing clear lines of communication and decision-making during a crisis.

Building Your Resilience Framework: A Pragmatic Approach

Panic is never a strategy. A structured, pragmatic approach is far more effective. Here’s how to build a robust operational resilience framework:

1. Know Your Critical Services

Start by identifying the services that are absolutely vital to your clients and your firm's function. If a service fails, what is the immediate and cascading impact? This isn't just about IT systems; it includes people, processes, and third-party suppliers. For example, a payment processing service is clearly critical, but so is the team that manages client onboarding or the third-party provider handling your core data.

2. Define Your 'Good Enough'

Impact tolerances are crucial. These are the maximum acceptable levels of disruption to your critical services. They are not about achieving zero downtime, that's often unrealistic and prohibitively expensive. Instead, they define what level of outage or degradation is acceptable before it causes unacceptable harm to consumers or market integrity. Be specific: 'no more than 4 hours of unavailability for critical payment processing' is much more useful than 'payments must always be available'.

3. Map Your Dependencies

No firm operates in a vacuum. Your critical services rely on a complex web of internal systems, processes, and external suppliers. Understanding these dependencies is vital. A disruption to a single, seemingly minor, third-party provider could have a catastrophic impact on a critical service if not properly managed.

4. Test, Test, and Test Again

This is where resilience truly is built and proven. Scenario testing is paramount. Don't just rely on theoretical assessments. Simulate realistic, severe events. This could include:

  • Cyber-attacks: Ransomware, denial-of-service, data breaches.
  • Technology failures: Major system outages, data centre failures.
  • People-related disruptions: Pandemics, key personnel unavailability.
  • Supply chain failures: Critical third-party provider collapse.

Testing should be rigorous, involving both your internal teams and, where appropriate, your key suppliers. The goal is to identify gaps and weaknesses *before* a real crisis strikes.

5. Embed a Culture of Resilience

Operational resilience isn't just an IT or risk department concern. It needs to be embedded within the firm's culture. This means:

  • Clear governance and accountability: Who is responsible for what during a disruption?
  • Regular training and awareness: Ensuring all staff understand their roles.
  • Continuous improvement: Learning from tests and actual incidents.

Moving Forward: Proactive Preparedness

Achieving operational resilience requires a proactive, ongoing effort. It's about understanding your firm's vital functions, anticipating potential threats, and having robust plans in place to maintain service delivery. By focusing on critical services, setting realistic tolerances, understanding dependencies, and rigorously testing your defences, you can build a resilient organisation that not only meets regulatory expectations but also instills confidence in your clients and stakeholders. This isn't about fearing disruption; it's about being prepared for it, ensuring your firm remains steadfast when it matters most.

Share

Working on something like this?

If this is live for you right now, a short conversation is usually the fastest way forward.

Prefer email? phil.baker@amaya.technology