UK FCA Marks Operational Resilience Deadline: Regulated Firms Must Now Embed Resilience as a Strategic Imperative

On 15 April 2025, Suman Ziaullah, Head of Technology, Resilience and Cyber at the United Kingdom Financial Conduct Authority (UK FCA), offered a forward-looking perspective on the future of operational resilience, following the sector-wide compliance deadline of 31 March 2025. The UK FCA has concluded the final stage of its operational resilience framework, reaffirming that the journey now moves beyond compliance into cultural transformation. In a reflective commentary, Ziaullah underlined that while regulated firms have met the mandatory deadline, the true test lies in how well they anticipate and respond to disruptions that could cause intolerable harm to consumers and markets. The message is clear: operational resilience must now be integrated into the very design, strategy, and governance structures of firms, not treated merely as a regulatory raincoat. Using the metaphor of being caught unprepared in the rain, Ziaullah emphasised that operational resilience is not about preventing all disruptions but about ensuring preparedness to recover without causing significant harm. He warned that future challenges, ranging from cyber threats and third-party dependencies to emerging technologies such as AI and quantum computing, demand continual evolution of firms’ resilience frameworks.

This requirement applies to a wide range of regulated entities, including banks, building societies, PRA-designated investment firms, insurers, Recognised Investment Exchanges, enhanced scope Senior Managers and Certification Regime (SM&CR) firms, and entities authorised and registered under the Payment Services Regulations 2017 or the Electronic Money Regulations 2011. It does not, however, extend to European Economic Area (EEA) firms. Under the UK FCA’s finalised framework, these firms were required, by no later than 31 March 2025, to complete full mapping and testing of their important business services, ensuring they are capable of remaining within impact tolerances under severe but plausible scenarios. This followed the earlier milestone of 31 March 2022, by which firms had to identify their important business services, define impact tolerances (the maximum tolerable level of disruption for each service), conduct scenario testing at a suitable level of sophistication, and assess any vulnerabilities in their operational resilience.

The UK FCA, under its five-year strategic plan, has placed operational resilience at the core of maintaining public trust and financial market stability. It expects firms to:

  1. Show leadership engagement at board level, treating resilience as a business priority.
  2. Design scenarios that may lead to controlled failure, revealing systemic weaknesses before real-world disruption occurs.
  3. Establish robust, adaptive communication frameworks with tested contingency plans.

Ziaullah identifies three features that set resilient firms apart: designing challenging, failure-prone scenarios to uncover true vulnerabilities; embedding resilience into the firm’s culture and strategic decision-making; and fostering a no-blame approach to post-incident reviews. These practices align with the UK FCA’s statutory objectives under the United Kingdom financial regulatory regime and reflect a shift from compliance to proactive governance of resilience. With the 31 March 2025 deadline now behind them, the UK FCA has drawn a line between regulatory formality and genuine preparedness. Going forward, it will assess not just what firms have documented, but how they act and react in real crises. Operational resilience is now expected to be part of a firm’s DNA: embedded, lived, and constantly tested, so that when the next storm hits, firms stand ready, not merely with an umbrella, but with the foresight and resilience to protect consumers and uphold market confidence.

(Source: https://www.fca.org.uk/news/blogs/operational-resilience-beyond-regulatory-raincoats)