Operational resilience

FCA building operational resilience regulations: challenges proving compliance

2 minute read

In March last year, the Financial Conduct Authority (FCA) released its ​​Building operational resilience: Feedback to CP19/32 and final rules policy statement. This outlined changes to how firms need to operate to remain resilient, taking into account changing threats and external factors, such as the effects of the pandemic. 

The new regulations require firms to:

  • Identify important business services that could cause intolerable harm to customers or risk market integrity, and who uses them.
  • Set and review impact tolerances at least once a year and use the mandatory metric of time/duration to measure them.
  • Identify and document the people, processes, technology, facilities, and information necessary to deliver each important business service, enabling them to identify and address vulnerabilities and gain assurance that an important business service can remain within set impact tolerances.
  • Have internal and external communication strategies in place to respond quickly and effectively to reduce the harm caused by operational disruptions.

The initial implementation period for these new rules ended March 31st, 2022, and we are now in the period of ‘reasonable time’ for firms to demonstrate that they can remain within their impact tolerances for important business services in severe but plausible scenarios, which they must do no later than March 31st, 2025. 

Firms will likely face several challenges in not only meeting but proving that they have met these new regulatory requirements. Many are still using tooling that does not make visibility, audit, or accurate reporting to the regulator an easy task, because existing recovery plans:

  • Are not standardized, easily accessed/distributed across the organization, or integrated with the tools used to carry out the recovery process.
  • Don’t have impact tolerances, recovery time objectives, or service-level agreements embedded into them.
  • Don’t map every aspect of the recovery - people, processes, technology, and information.
  • Don’t have in-built communications capabilities that are suitable for today’s mix of in-person, remote, and hybrid work.
  • Don’t help you mitigate against the risk of key people being unavailable.
  • Require a lot of manual effort in the post-event report stage and have no way to verify that all post-event data is accurate.
  • Are static documents, not living, breathing records of the compliance framework.

If this sounds like your organization, accurately proving compliance with the new FCA building operational resilience requirements could be an uphill struggle.


Don’t let outdated tools and processes hold you back.

If you want to find out how Cutover can help you to prove FCA compliance, get in touch with us or book a demo for a free discovery workshop to understand your current state and how Cutover can help you improve. 


Case study: Clarity Management Group helps major global bank meet CCAR requirements with Cutover.