
Operational Resilience: FCA Rules, Impact Tolerances & IBS

Operational resilience explained: identifying important business services, setting impact tolerances, mapping and scenario testing under SYSC 15A / PS21/3, the board self-assessment, and the March 2025 compliance point.

By MEMA Regulatory Team · 10 min read

What It Is

Operational resilience is the ability of a firm, and the financial sector as a whole, to prevent, adapt to, respond to, recover from, and learn from operational disruption. The FCA's operational resilience framework, set out in SYSC 15A of the Handbook and introduced through policy statement PS21/3, requires in-scope firms to build resilience around the services that matter most to consumers and markets, rather than treating disruption as a purely internal IT or business-continuity issue.

The framework is built on a sequence of connected obligations. Firms must identify their important business services — the services whose disruption would cause intolerable harm to end users or threaten market integrity or the firm's soundness. For each of these services, the firm must set an impact tolerance, the maximum tolerable level of disruption. It must then map the people, processes, technology, facilities, and third parties that support each service, and carry out scenario testing to assess whether it can remain within its impact tolerances in severe but plausible scenarios. Where testing reveals that it cannot, the firm must remediate the vulnerabilities. Finally, the firm must produce a self-assessment document, approved by its governing body, that records and justifies these decisions.

Operational resilience is deliberately outcomes-focused. It does not prescribe specific technology or recovery arrangements; it requires firms to understand the harm that disruption would cause and to build the resilience needed to keep that harm within tolerable bounds.

Why the FCA Cares

Operational disruption has become one of the most significant risks in financial services. High-profile IT failures at banks, payment outages, cyber attacks, and third-party incidents have left consumers unable to access their money, make payments, or obtain services, sometimes for extended periods. As financial services have become more digital, more interconnected, and more dependent on third parties and shared infrastructure, the potential for disruption — and for that disruption to spread — has grown.

The FCA's concern is the harm that disruption causes to consumers and to the integrity and stability of markets. A payment service that fails can leave people unable to pay for essentials; an outage in trading or settlement can affect market integrity; a widespread incident can undermine confidence in the financial system. The regulator concluded that traditional business continuity and disaster recovery planning — focused on restoring the firm's own operations — did not adequately protect consumers and markets, because it assumed disruption could be avoided rather than accepting that it will happen and planning to limit the harm.

The framework therefore starts from the premise that operational disruption is inevitable and asks firms to focus on the services whose failure matters most, to define how much disruption is tolerable from the customer's and market's perspective, and to build the resilience needed to stay within those limits. The FCA has reinforced this with its work on third-party and cloud dependencies and the Critical Third Parties regime, recognising that resilience increasingly depends on the wider ecosystem, not just the individual firm.

Who It Affects

The rules in SYSC 15A apply to a defined population of firms: banks, building societies, PRA-designated investment firms, insurers, enhanced-scope firms under the Senior Managers and Certification Regime, firms authorised under the Payment Services Regulations and Electronic Money Regulations, recognised investment exchanges, and certain other entities. Dual-regulated firms are also subject to parallel PRA requirements, and the two regulators have coordinated their approaches.

Within scope, the obligations apply at the level of the firm's important business services, so the practical burden varies with the firm's size, complexity, and the criticality of the services it provides. A large bank with many customer-facing services faces a substantial mapping and testing exercise across numerous important business services; a smaller in-scope firm with a narrower service set has a more contained but equally rigorous obligation.

Firms that fall outside the strict scope of SYSC 15A are not exempt from the expectation of resilience. The FCA increasingly treats operational resilience as an element of good governance under the wider SYSC rules and as relevant to the Consumer Duty, since disruption directly affects customer outcomes. Payment and e-money firms in particular, given their role in enabling everyday transactions, face clear expectations around resilience whether or not every detailed SYSC 15A obligation applies.

Third parties are also affected indirectly. Because firms depend on outsourced and cloud service providers to deliver important business services, those providers' resilience is central, and the Critical Third Parties regime extends regulatory attention to the most systemically important of them.

What Firms Get Wrong

The most common failure is identifying important business services incorrectly. Firms often define them internally — by business line, system, or process — rather than from the perspective of the harm caused to end users if the service fails. An important business service is defined by the external outcome (a customer being able to make a payment), not by the firm's internal architecture. Getting this wrong distorts everything that follows, because impact tolerances, mapping, and testing all depend on it.

The second failure is setting impact tolerances by reference to internal recovery capability rather than external harm. Firms sometimes set the impact tolerance at the level they think they can achieve, rather than at the level beyond which intolerable harm to consumers or markets results. The impact tolerance is a harm-based boundary; a tolerance set to flatter the firm's current capability defeats the purpose.

Third, mapping is often superficial. Effective mapping identifies the specific people, processes, technology, facilities, and third parties that each important business service depends on, to a level of granularity that reveals vulnerabilities and single points of failure. Firms that produce high-level maps without this depth cannot meaningfully test resilience or identify what needs to be fixed.

Fourth, scenario testing is too benign. The rules require testing against severe but plausible scenarios, including scenarios the firm might prefer not to contemplate — the loss of a critical third party, a cyber attack, the simultaneous failure of multiple dependencies. Firms that test only mild scenarios, or that treat testing as a documentation exercise, do not obtain genuine assurance and are not meeting the standard.
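The sequence described under "What It Is" (identify the service, set a harm-based impact tolerance, map its dependencies, test severe but plausible scenarios against the tolerance) and the two failure modes just discussed, superficial mapping and benign testing, can be made concrete with a small model. The Python below is an added example, not MEMA's, the FCA's or any firm's method; the service, its dependencies, the recovery times, the 8-hour tolerance and the scenarios are all constructed for illustration. It shows why a high-level map cannot produce a meaningful test result: a scenario that names a dependency the map does not contain yields no outage at all, which reads as "within tolerance" but is false assurance.

```python
"""Toy model of the SYSC 15A sequence: an important business service (IBS) with
a harm-based impact tolerance, a dependency map, and scenario tests that check
whether the service can stay within tolerance. Constructed illustration: the
service, dependencies, recovery times and tolerance are invented, not taken
from any firm, the FCA or MEMA."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Dependency:
    name: str
    kind: str                # people / process / technology / facility / third_party
    recovery_hours: float    # hours to restore or fail over if this node is lost
    redundant: bool = False  # True if an alternative keeps the service running


@dataclass
class ImportantBusinessService:
    name: str
    impact_tolerance_hours: float         # maximum tolerable unavailability
    dependencies: list = field(default_factory=list)

    def single_points_of_failure(self):
        """Dependencies with no alternative: what in-depth mapping is meant to surface."""
        return [d.name for d in self.dependencies if not d.redundant]


@dataclass(frozen=True)
class Scenario:
    name: str
    lost: frozenset          # names of the dependencies assumed unavailable


def simulate(ibs, scenario):
    """Estimate the outage for one scenario and compare it with the tolerance.

    Outage = longest recovery among lost dependencies that have no alternative
    (redundant nodes fail over without taking the service down). A scenario that
    names nodes absent from the map is flagged as invalid via 'unmapped': the map
    cannot see that failure mode, so its 'within_tolerance' value means nothing."""
    known = {d.name for d in ibs.dependencies}
    unmapped = sorted(scenario.lost - known)
    hit = [d for d in ibs.dependencies
           if d.name in scenario.lost and not d.redundant]
    outage = max((d.recovery_hours for d in hit), default=0.0)
    return {
        "outage_hours": outage,
        "within_tolerance": outage <= ibs.impact_tolerance_hours,
        "test_valid": not unmapped,
        "drivers": [d.name for d in hit if d.recovery_hours == outage],
        "unmapped": unmapped,
    }


TOLERANCE_HOURS = 8.0  # constructed: beyond this, customers cannot pay for essentials


def shallow_map():
    """High-level map of the kind the page warns against: one technology node."""
    return ImportantBusinessService("Make a payment", TOLERANCE_HOURS, [
        Dependency("Payments platform", "technology", 4.0),
        Dependency("Payment operations team", "people", 2.0, redundant=True),
    ])


def deep_map():
    """The same service mapped to the chain it actually relies on."""
    return ImportantBusinessService("Make a payment", TOLERANCE_HOURS, [
        Dependency("Payments application", "technology", 4.0),
        Dependency("Primary data centre", "facility", 6.0, redundant=True),  # warm standby site
        Dependency("Scheme gateway provider", "third_party", 36.0),          # single supplier
        Dependency("Sanctions screening process", "process", 12.0),
        Dependency("Payment operations team", "people", 2.0, redundant=True),
    ])


# Severe but plausible scenarios (constructed): site loss, third-party failure,
# and a cyber incident taking out several dependencies at once.
SCENARIOS = [
    Scenario("Loss of primary site", frozenset({"Primary data centre"})),
    Scenario("Third-party gateway outage", frozenset({"Scheme gateway provider"})),
    Scenario("Cyber incident: app and screening down",
             frozenset({"Payments application", "Sanctions screening process"})),
]


def run_all(ibs, scenarios=SCENARIOS):
    """Run every scenario against one map; returns {scenario name: result}."""
    return {s.name: simulate(ibs, s) for s in scenarios}


if __name__ == "__main__":
    for label, ibs in (("shallow map", shallow_map()), ("deep map", deep_map())):
        print(f"== {label}: single points of failure = {ibs.single_points_of_failure()}")
        for name, r in run_all(ibs).items():
            verdict = ("UNMAPPED (no assurance)" if not r["test_valid"]
                       else "OK" if r["within_tolerance"] else "BREACH")
            print(f"  {name}: {r['outage_hours']:.0f}h vs "
                  f"{ibs.impact_tolerance_hours:.0f}h tolerance -> {verdict}")
```

Against the deep map, the third-party outage and the multi-dependency cyber scenario both breach the 8-hour tolerance, which is the output that should feed a remediation plan (a second gateway supplier, a faster screening fallback). Against the shallow map, every scenario is reported as unmapped: nothing was tested, so nothing was learned.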

Finally, firms treat operational resilience as a one-off compliance project rather than an ongoing discipline. Resilience must be maintained as the business, its services, and its dependencies change, with regular re-mapping, re-testing, and board oversight. A self-assessment completed once and shelved does not meet the expectation of continuous resilience.

What Evidence the FCA Expects

The FCA expects a documented identification of the firm's important business services, with a clear rationale grounded in the harm that disruption would cause to end users, markets, or the firm's soundness. For each important business service, it expects a documented impact tolerance, expressed in appropriate metrics and justified by reference to intolerable harm.

Mapping evidence must show the people, processes, technology, facilities, and third parties supporting each important business service, at sufficient granularity to identify vulnerabilities and dependencies. Scenario testing evidence must demonstrate that the firm has tested its ability to remain within impact tolerances under severe but plausible scenarios, recorded the results, and identified where it fell short.

Where testing or mapping revealed vulnerabilities, the FCA expects evidence of a remediation plan and progress against it — resilience is not just about identifying weaknesses but about fixing them. Firms must be able to show that, following the transitional period, they can remain within their impact tolerances for each important business service.

The self-assessment document is central. The FCA expects a self-assessment that records the firm's important business services, impact tolerances, mapping and testing approach and results, vulnerabilities and remediation, and the firm's overall assessment of its resilience — approved by the governing body. The board's engagement with operational resilience, and the allocation of responsibility for it (including under the SMCR), should be evidenced.

Good Implementation

A firm with strong operational resilience begins by identifying its important business services rigorously and from the outside in — asking what services, if disrupted, would cause intolerable harm to its customers or to markets, and defining those services accordingly. This external, harm-based lens is applied consistently across the framework.

Impact tolerances are set by reference to that harm, as genuine boundaries the firm commits to staying within, not as restatements of current capability. The firm maps each important business service in depth, tracing the full chain of people, processes, technology, facilities, and third parties it relies on, and using that map to surface single points of failure and concentration risks.

Scenario testing is genuinely severe but plausible. The firm tests against demanding scenarios — third-party failure, cyber incidents, multiple simultaneous disruptions — and uses the results honestly, treating a breach of impact tolerance in testing as a vulnerability to remediate rather than a result to explain away. Remediation is planned, resourced, and tracked to completion.

Operational resilience is embedded in governance. The board owns the framework, engages with the self-assessment, and holds a senior manager accountable for it. Resilience is maintained as a living discipline: important business services, impact tolerances, mapping, and testing are reviewed and refreshed as the business and its dependencies evolve, and lessons from real incidents and from the wider sector are fed back into the framework.

Third-party and outsourcing dependencies are managed as a core part of resilience, with due diligence, contractual protections, oversight, and contingency arrangements for critical providers, recognising that much of the firm's resilience now sits outside its own walls.

How Our Service Helps

MEMA helps in-scope firms build and evidence operational resilience frameworks that meet SYSC 15A and the FCA's expectations. We help firms identify their important business services correctly — from the perspective of harm to end users — set defensible impact tolerances, and build mapping and scenario-testing approaches that are rigorous enough to reveal and remediate genuine vulnerabilities. Our team includes ex-regulators who understand how the FCA assesses resilience.

For firms preparing or refreshing their self-assessment, we provide independent challenge — testing whether important business services are correctly identified, whether impact tolerances are harm-based, whether mapping is deep enough, and whether scenario testing is genuinely severe but plausible. This independent perspective is often what turns a compliant-looking document into a resilient firm.

We also help firms embed operational resilience into governance and the SMCR, manage third-party and outsourcing dependencies, and keep pace with the evolving regime, including the Critical Third Parties framework and the growing overlap between operational resilience and the Consumer Duty.

Relevant Sectors

Banks, building societies, and larger investment firms face the most extensive operational resilience obligations, with multiple important business services, complex dependencies, and significant mapping and testing exercises. For these firms, resilience is a board-level priority and a frequent focus of supervisory attention.

Payment and e-money firms are squarely in scope and face clear expectations, because the services they provide — enabling people to pay and be paid — are exactly the kind of important business services whose disruption causes immediate, tangible harm. Resilience of payments infrastructure and of the third parties supporting it is a particular focus.

Insurers must ensure that important business services such as the ability to make a claim remain resilient, recognising that disruption at the point of claim causes acute harm to customers at their moment of need.

Across all sectors, firms that depend heavily on outsourced and cloud providers must treat third-party resilience as integral to their own, and the most systemically important providers are themselves being brought within regulatory scope through the Critical Third Parties regime. Even firms outside the strict scope of SYSC 15A are increasingly expected to demonstrate proportionate operational resilience as part of good governance and Consumer Duty compliance.

Frequently Asked Questions

What is an important business service?

An important business service (IBS) is a service a firm provides to external end users which, if disrupted, could cause intolerable harm to those users or pose a risk to market integrity or the firm's safety and soundness. Examples include the ability to make a payment, access an account, execute a trade, or make a claim. The key point is that an IBS is defined from the perspective of the harm caused to consumers or markets if the service fails — not by the firm's internal processes. Identifying the right IBSs is the foundation of the whole operational resilience framework, because impact tolerances, mapping, and testing all flow from them.

What is an impact tolerance?

An impact tolerance is the maximum tolerable level of disruption to an important business service, expressed as a metric such as the maximum time the service can be unavailable before intolerable harm results. Firms must set an impact tolerance for each important business service and must be able to remain within it in severe but plausible scenarios. The impact tolerance is a hard boundary set by reference to harm to end users and markets, not by what is operationally convenient for the firm. Setting impact tolerances too loosely, or by reference to internal recovery capability rather than external harm, is a common weakness.

Which firms are subject to the operational resilience rules?

The FCA's operational resilience requirements in SYSC 15A apply to a defined population including banks, building societies, PRA-designated investment firms, insurers, enhanced-scope SMCR firms, entities authorised under the Payment Services Regulations and Electronic Money Regulations, and certain other firms such as recognised investment exchanges. The PRA has parallel requirements for dual-regulated firms. Firms outside the strict scope of SYSC 15A are still expected to have proportionate operational resilience arrangements, and the FCA increasingly views operational resilience as a general expectation of good governance under the wider SYSC rules and the Consumer Duty.

What was the March 2025 operational resilience deadline?

The FCA's operational resilience rules took effect on 31 March 2022, from which date firms had to have identified their important business services, set impact tolerances, and begun mapping and testing. Firms were then given a transitional period until 31 March 2025 to be able to demonstrate that they can remain within their impact tolerances for each important business service in severe but plausible scenarios. From that point the expectation is full compliance: firms must have completed sufficient mapping and testing, remediated vulnerabilities, and be operating within their impact tolerances.

