  • Compliance Management
  • 30th Jun 2026

FCA Operational Resilience 2026: What Firms Must Evidence

Written by Gabriel Few-Wiegratz
In Short
  • The implementation period ended 31 March 2025. The FCA now expects firms to demonstrate a functioning programme, not a plan. Supervisory reviews are examining evidence quality, not just documentation existence.
  • The FCA published its observations in March 2026. Its 'insights and observations one year on' publication identified common gaps: incomplete third-party mapping, scenario testing that isn't severe enough, and self-assessments that haven't been updated since the deadline.
  • Four evidence categories are under scrutiny: IBS identification, impact tolerance justification, dependency mapping, and scenario testing. Each requires specific documented evidence, not just a statement of intent.
  • The self-assessment document is a living record. SS1/21 requires it to be reviewed annually and updated whenever material changes occur. Boards must be able to demonstrate they've reviewed it.
  • New incident reporting requirements come into force March 2027. FCA PS26/2 and PRA SS1/26 introduce operational incident reporting obligations. Firms should be building their reporting capability now.

The March 2025 deadline under FCA PS21/3 has passed. Firms were required to have identified their important business services (IBS), set impact tolerances, mapped those services to their underlying resources, and demonstrated the ability to remain within impact tolerances. The FCA isn't accepting plans anymore: it's reviewing evidence.


Supervisory visits and thematic reviews in 2025-2026 are examining whether firms have genuinely operationalised their resilience programmes, or whether their self-assessment documents are compliance artefacts. This article sets out what the FCA expects firms to evidence, where the most common gaps are, and what firms still building their programmes must prioritise.

Expert View



Matt Davies

Chief Product Officer, SureCloud




What our experts say about FCA operational resilience evidence quality


"What we see most often isn't missing documentation: it's documentation that stopped being accurate six months ago. A self-assessment written for March 2025 that hasn't been updated after a core banking migration or a key outsourcing change is the kind of gap that draws supervisory attention. Currency matters as much as completeness."

The PS21/3 framework: what firms were required to build

PS21/3 and the accompanying PRA Supervisory Statement SS1/21 established the UK's operational resilience framework for financial services. The framework applies to banks, building societies, PRA-designated investment firms, insurers, and FCA solo-regulated firms meeting the asset or income thresholds set out in the Handbook. The core requirement is straightforward in concept: identify the services to clients whose disruption would cause intolerable harm (important business services); set maximum tolerances for disruption (impact tolerances); understand the resources and dependencies underpinning each IBS; and prove, through scenario testing, that the firm can continue delivering each IBS within tolerance when something goes wrong.


The March 2025 deadline marked the transition from implementation to operation. During the implementation period, firms were expected to be working towards their targets. Since March 2025, the FCA expects firms to be running their programmes. And in March 2026, the FCA published its first formal set of observations on what it found when it looked.


In March 2026, the FCA also published PS26/2 alongside the PRA's SS1/26, introducing new operational incident and third-party reporting requirements that come into force on 18 March 2027. Firms with dual FCA and PRA regulation need to be aware of both the evidence requirements for the existing PS21/3 framework and the new reporting obligations coming into effect next year.

What the FCA expects firms to evidence in 2026

The FCA's supervisory approach to operational resilience is built around four questions it asks of every firm it reviews. Each question corresponds to a core component of the PS21/3 framework and requires specific evidence.


1. Have you identified the right important business services?

The FCA defines an important business service as a service provided to external clients that, if disrupted, could cause intolerable harm to consumers or market participants, or risk to market integrity. IBS are defined by their impact on clients, not by internal importance or technical criticality. The identification process must be documented: the firm must show the methodology it used to determine which services qualify as IBS, including services that were considered and excluded with their rationale.


The FCA's March 2026 observations noted that the extent to which firms have accurately identified their IBS varies considerably. Firms that identified IBS solely by mapping IT systems rather than starting from client outcomes tend to produce lists that are either too narrow (missing services whose disruption would cause client harm) or too broad (including internal processes that don't qualify). The starting point is always the client: what would they lose, and would losing it cause intolerable harm?


Evidence the FCA expects to see: the IBS identification methodology; the IBS list with inclusion rationale; services considered but excluded with exclusion rationale; evidence the IBS list has been reviewed since initial identification, particularly following business model changes, new product launches, or actual disruptions.


2. Are your impact tolerances justified and applied?

An impact tolerance is the maximum level of disruption to an IBS the firm is prepared to accept before that disruption causes intolerable client harm. It's expressed in time (maximum duration of disruption) and, in some cases, in data loss or degradation thresholds. The threshold must be set at the point of intolerable client harm, not at zero disruption, which would be impractical, and not at the firm's current recovery time objective, which conflates a capability target with a harm threshold.


The most common failure pattern on impact tolerances is circularity: setting a tolerance of 24 hours because the current RTO is 24 hours, without asking whether 24 hours of disruption would cause intolerable harm to clients. The FCA expects the tolerance to be grounded in client harm analysis. A payment services firm and an asset manager serving retail investors will have very different thresholds for the same duration of disruption.


Evidence the FCA expects to see: documented impact tolerances for each IBS; the rationale for each threshold; evidence that tolerances have been communicated to and approved by the board; and evidence that tolerances are used in scenario testing, not just filed.


3. Have you mapped your IBS to their underlying resources?

Mapping is the process of identifying all the people, processes, technology, facilities, and information the firm uses to deliver each IBS. The FCA Handbook (SYSC) requires this mapping to be documented and maintained. Mapping is the analytical foundation for testing: without knowing what an IBS depends on, a firm can't design meaningful tests or identify where a single point of failure could breach an impact tolerance.


The FCA's March 2026 publication identified mapping of third-party dependencies as a consistent gap. Firms had mapped internal technology but treated external providers as endpoints rather than mapping through them to the services and sub-services they provide. The FCA was clear: third-party dependencies, including ICT providers and outsourced operational services, must be included in the mapping for any IBS that depends on them.


Evidence the FCA expects to see: mapping documentation for each IBS covering all five resource categories; identification of single points of failure and critical dependencies; third-party dependencies mapped by service and provider; evidence that mapping is updated when material changes occur, including technology migrations, outsourcing changes, or organisational restructuring.


4. Have you tested your ability to remain within impact tolerances?

Testing has received the most supervisory attention of the four requirements. A resilience plan is a necessary input to testing, but the test itself is what produces evidence. The FCA expects scenario-based testing using realistic disruption scenarios: ransomware attacks, key site loss, critical third-party failure. And it expects testing to involve the actual teams and systems that would respond to a real disruption, not a theoretical exercise conducted by the operational resilience team alone.


The FCA's observations highlighted a recurring pattern: firms conducted a testing exercise ahead of the March 2025 deadline and produced a one-page summary report. That summary is not sufficient evidence. The FCA wants the full testing record: scenario design, participant lists, timing data, gaps identified, and specific remediation actions taken. The outcomes of testing must then feed back into the resilience programme.


Evidence the FCA expects to see: a documented testing programme with scenarios; full testing results including outcomes and gaps identified; remediation actions taken; evidence that lessons from testing have been incorporated into the programme; and, for significant firms, evidence that testing results have been presented to the board or a designated board committee.

The self-assessment document: what it must contain

SS1/21 requires firms to produce and maintain a self-assessment document that demonstrates compliance with the operational resilience requirements. It's a living document: reviewed and updated at least annually, and whenever material changes occur to the firm's IBS, impact tolerances, or resilience posture. The document isn't a submission to the FCA, but the FCA expects to be able to read it during a supervisory visit and understand the firm's actual resilience posture.


The FCA's supervisory visits in 2025-2026 identified two recurring failure patterns. The first is completeness: self-assessments that contain all the required sections but lack substantive content. Impact tolerances stated without justification; mapping diagrams with technology placeholders rather than real system names; testing sections that describe a testing programme rather than its results. The second is currency: self-assessments accurate as at March 2025 that haven't been updated after organisational changes, system migrations, or subsequent testing.


| Self-assessment section | Minimum evidence required |
|---|---|
| IBS identification | Methodology document; IBS list with rationale for each service; list of services considered but excluded with exclusion rationale. |
| Impact tolerance setting | Tolerance for each IBS; client harm analysis justifying the threshold; evidence of board approval; date of last review. |
| Mapping | Current mapping for each IBS to people, processes, technology, facilities, and information; third-party dependencies by service and provider; version date and change history. |
| Scenario testing | Testing programme with scenario descriptions; full test results with outcomes; gap identification; remediation log with actions taken; date of last test for each IBS. |
| Governance | Board and senior management oversight structure; accountability framework; incident reporting and learning process; record of board review of self-assessment. |
| Lessons learned | Record of disruptions or near-misses since last self-assessment; actions taken; changes to the programme as a result. |


Currency is where many firms are currently exposed. A self-assessment written for the March 2025 deadline is now over a year old. If your firm has migrated a core platform, changed a material outsourcing arrangement, or experienced a disruption since March 2025, and the self-assessment doesn't reflect those changes, you're carrying a gap the FCA will identify.

Common evidence gaps in 2026 supervisory reviews

The following gaps are consistently identified in FCA supervisory engagements across retail banking, insurance, and investment management.


Testing evidence is thin

Many firms conducted a testing exercise ahead of the March 2025 deadline and produced a summary report. The FCA is asking for the full testing evidence: scenario design, participant lists, timing data, gaps identified, and specific remediation actions. A one-page summary doesn't constitute a testing record. And for firms that haven't tested since the deadline, the clock is running: testing must be ongoing, not a one-time exercise.


Third-party dependencies not mapped

IBS mappings that identify internal people, processes, and technology but treat third-party providers as endpoints haven't met the mapping requirement. The FCA's March 2026 observations were explicit on this: mapping must encompass the full range of third-party dependencies, particularly for services delivered through cloud infrastructure or managed service providers. If you can't say which third-party services underpin each IBS, you can't test whether those dependencies are resilient.


Impact tolerance justification is circular

Setting impact tolerances equal to current RTOs without asking whether that duration would cause intolerable client harm is a compliance failure the FCA is finding consistently. The tolerance must be grounded in client harm analysis. A payments firm and a custody provider serving professional investors face very different harm thresholds for the same duration of service disruption. The FCA expects to see that analysis, not just the number.


Board engagement is absent from the evidence

The FCA expects the board or a designated board committee to have reviewed and approved the self-assessment, the impact tolerances, and the testing results. A self-assessment produced by the operational resilience team and never formally presented to the board doesn't demonstrate the governance structure the FCA requires. Board minutes, approval records, and evidence of challenge are what the FCA is looking for.


For guidance on the technology that supports a continuous operational resilience programme, see SureCloud's operational resilience software guide. For the new incident reporting requirements, see our guide to PRA SS1/26.

GRC Glossary: 30+ Key Governance, Risk and Compliance Terms Every Business and Compliance Leader Should Know

GRC Glossary by SureCloud, an industry leader in GRC with 19 years of experience, brings together over 30 key terms that form the foundation of GRC. It’s designed for professionals who need a practical grasp of the essentials, whether you’re reviewing a policy, planning an audit, assessing third-party risk, or just trying to make sense of compliance frameworks.

See how SureCloud supports FCA operational resilience compliance

SureCloud's platform supports the full operational resilience evidence cycle: IBS identification and review, impact tolerance management, dependency mapping, scenario testing documentation, self-assessment production, and board reporting. Gracie AI Agents with Personas and Skills reduce manual evidence collection by 50-65%, so your operational resilience team spends its time on risk decisions rather than document management.

FAQs

What is an important business service under FCA PS21/3?

An important business service (IBS) is a service provided to external clients that, if disrupted, could cause intolerable harm to consumers or other market participants, or risk to market integrity. IBS are defined by their impact on clients, not by internal criticality or technical function. A firm's core payment processing, retail deposit access, or claims settlement capability will ordinarily qualify. An internal IT function that supports those services doesn't qualify as an IBS in its own right.

Firms must identify their IBS using a documented methodology, reviewed as the business changes. The FCA doesn't prescribe a list of what should be an IBS: that's a firm-level decision, subject to supervisory review of whether the methodology and conclusions are credible.

What is an impact tolerance and how is it set?

An impact tolerance is the maximum level of disruption to an IBS that the firm is prepared to accept before clients suffer intolerable harm. It's expressed as a maximum duration of disruption, and in some cases in data loss or degradation thresholds. The threshold must be set at the point of intolerable client harm, not at zero disruption, and it can't simply mirror the current recovery time objective without supporting analysis.

Setting an impact tolerance requires the firm to assess what level of service disruption would cause material client harm, considering the nature of the service, the clients who depend on it, and the alternatives available to them. The FCA expects the tolerance to be justified, documented, and board-approved.


What should be included in the operational resilience self-assessment?

The operational resilience self-assessment required by SS1/21 must cover: the methodology and rationale for IBS identification; the impact tolerances for each IBS and their justification; the mapping of each IBS to its underlying people, processes, technology, facilities, and information, including third-party dependencies; the testing programme and its results, including gaps identified and remediation actions; the governance structure; and lessons learned from disruptions or near-misses.

The self-assessment must be reviewed and updated at least annually and whenever material changes occur. It should reflect the firm's actual state of resilience, and the board must be able to show they've reviewed it.


How does FCA operational resilience interact with DORA?

DORA (Regulation (EU) 2022/2554) applies to EU financial entities and is a separate regulatory framework from the FCA's PS21/3. UK-only firms aren't directly subject to DORA. But firms operating in both the UK and EU, or that are part of EU groups, may carry dual obligations.

Conceptually, the two frameworks share significant common ground: both require firms to identify critical services, set tolerances, test resilience, and manage third-party dependencies. Firms with dual obligations should design their programme to satisfy both frameworks using a single evidence base, rather than maintaining parallel workstreams.

What do the new FCA and PRA incident reporting requirements require?

FCA PS26/2 and PRA SS1/26, published in March 2026, introduce new operational incident and third-party reporting obligations that come into force on 18 March 2027. They require firms to notify their regulator when an operational incident meets defined thresholds, and to report on material third-party arrangements.

The reporting requirements build on, but are separate from, the existing PS21/3 resilience framework. Firms should treat the period between now and March 2027 as implementation time: defining incident classification criteria, building notification workflows, and confirming which third-party arrangements meet the material threshold.

What happens if firms can't demonstrate they're within impact tolerances?

The FCA's supervisory approach involves direct engagement with firms whose evidence is insufficient. That engagement can escalate to formal supervisory action if gaps are material and unremediated. Where testing reveals that a firm can't remain within an impact tolerance, the FCA expects a documented remediation plan with clear milestones, not a revised tolerance that makes the problem disappear on paper.

Boards that haven't formally reviewed and approved their resilience posture are particularly exposed. The governance evidence is often the first thing the FCA asks for, and its absence tends to accelerate the supervisory process.