FCA Consultation on Operational resilience

NOTE: This briefing note is intended as general guidance and no action should be taken in reliance on it without specific legal advice.

FCA Consultation Update

European and UK supervisory authorities have significantly increased their focus on operational and outsourcing risk. The Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) published a joint Discussion Paper (DP) on Operational Resilience in July 2018, highlighting:

“The operational resilience of firms and FMIs is a priority for the supervisory authorities and is viewed as no less important than financial resilience”

On 30th September 2019, the European Banking Authority (EBA) guidance on outsourcing came into force. The guidelines set out a new harmonised framework for outsourcing.

In December 2019, UK regulators published a policy summary and Consultation Papers (CP) in order to expand on the discussion papers. The FCA’s ultimate aim is to increase firms’ operational resilience and drive change where it is needed. Where weaknesses in operational resilience are identified, firms will be expected to act. The final policy is expected to be published in 2021 with the rules taking effect a year later.

Not all firms will initially be subject to rules. Initially:

  • Approximately 1,050 banks, building societies, PRA designated investment firms, Solvency II firms, Recognised Investment Exchanges and Enhanced scope SM&CR firms
  • Approximately 1,100 Payment Institutions (PIs), Registered Account Information Service Providers (RAISPs) and Electronic Money Institutions (EMIs)

After the final rules have been published the FCA will consider whether to extend the rules should be applied to other firms.


The Consultation Paper (CP) proposes that firms should:

Map – firms should identify their important business services that if disrupted could cause harm to consumers or market integrity, threaten the viability of firms or cause instability in the financial system. Then document the people, processes, technology, facilities and information that support their important business services. The identification of important business services should be reviewed annually.

Set Impact Tolerances – firms should define thresholds for each business service that represent the maximum tolerable disruption.

Test and Adapt – firms should test their ability to remain within their impact tolerances through a range of severe but plausible disruption scenarios. Once complete, organisations should conduct a lessons learnt exercise, to identify weaknesses and make changes so that they recover from disruptions more effectively. By addressing resilience gaps, and building resilience, the FCA believe firms will become more capable of supplying their most important business services even during severe operational disruption.

Build a communications plan – organisations should develop internal and external communications for
when important business services are disrupted.


  • Firms’ boards and senior management should be engaged in setting effective standards for operational resilience.
  • Under the SM&CR, individuals that perform the Chief Operations Function (SMF24) are likely to be responsible for implementing the proposals outlined within the CP.
  • Boards are expected to have appropriate management information available to them to inform decision making which has consequences for operational resilience.

Self-assessment – to demonstrate to the relevant supervisory authority that a firm is meeting its responsibilities, a self-assessment document will need to be maintained and provided on request.

Outsourcing and third-party service provision – a number of observations and concerns are highlighted by the FCA:

  • the percentage of operational incidents reported to the FCA caused by third-parties increased to 15% in 2017-2018
  • there are high levels of concentration risk due to the dependency on single third-party providers
  • suppliers are operating in other regions with lower quality resilience than expected by FCA
  • reduced cyber resilience within firms due to cyber risks that originate from within third-parties
  • intra-group outsourcing should not be treated as inherently less risky

The UK authorities confirmed they will comply with existing EBA guidelines on outsourcing and indicated that they may expand the domestic use of the outsourcing register “We want to have consistent analytical capability on the amount and type of outsourcing that firms are undertaking”.


Communication – Update and educate the senior management team and Board on the regulatory guidance and frameworks that have been and are being implemented.

Approval – Establish a clear mandate from senior management to deliver operational resilience and confirm responsibilities within the senior management team.


  • Identify business services and categorise them using a pre-agreed classification model
  • Map out the chain of events required to deliver the service
  • Using the map to understand the key business activities and associated risks, identify plausible description scenarios
  • Test and assess the resilience of each service against each scenario

Response – Rank the risks identified within a dashboard that is shared with senior stakeholders. Prioritise your response based on the potential disruption to market integrity or consumers. Implement a project plan to reduce the operational risks identified, ensuring stakeholders are kept informed.


  • Having a clear end to end understanding of key business activities and their associated risks makes it easier to focus on the services that matter most to the business and its customers.
  • Assessing, monitoring and mitigating operational risk is an on-going task. Implementing a clear, structured process from the outset will pay dividends in the longer term.
  • Covid-19 is only likely to increase the regulators focus on operational resilience.
  • Challenges faced by the industry with operations outsourced to other regions will reinforce the FCA’s concern around outsourcing to other regions with lower quality resilience.
  • Initial regulatory focus is likely to be on whether firms are taking the regulations seriously and can evidence the actions being undertaken to meet the new rules.
  • Mapping important business services is proving challenging for some firms, as is setting impact tolerances for those not previously familiar with similar applications in risk and DR frameworks.


Adoptech provides products and consultancy services that support firms in their adoption of technology, reduction of outsourcing risk and compliance with regulations.

Contact one of our operational resilience experts:
Email: OpRes@adoptech.co.uk

More papers…