Legal development

Operational resilience: It's not just DORA you need to think about


    Whilst firms are busy with their DORA implementation plans (see our briefings here and here for background), it is worth noting that the transition period for the UK operational resilience rules ends on 31 March 2025. The FCA has published a webpage on the preparations firms are making for the regime. It reads as a report card: it sets out the good practices the FCA has observed, together with the areas where firms still need to improve.

    Key Points

    The FCA stresses the following:

    • all firms are expected to be resilient and to provide services for their customers when needed;
    • ahead of the March 2025 deadline, firms must ensure that they can remain within their impact tolerance in severe but plausible scenarios for any identified important business services, and have their plans approved by their board;
    • scenario testing is the evidence for how a firm will remain within its impact tolerances, so tests should be repeated regularly and their results retained as the evidence base for operational resilience;
    • important business services, impact tolerances and mapping should be reviewed on at least an annual basis, or when there is a material change to the business or market operated in; and
    • changes to important business services, impact tolerances and mapping should be clearly identified in firms' self-assessments, along with any rationale.

    The FCA stresses the importance of embedding operational resilience, adding that the requirement to be operationally resilient "is not a once and done activity" or a tick-box exercise. The FCA considers the most effective operational resilience frameworks to be those embedded within firms' overall enterprise-wide risk frameworks (this includes change management and strategic planning).

    Observation and insight on important business services

    • Firms' approaches to identifying business services still vary within the sector. An important business service should not be excluded by considering one factor alone (e.g., substitutability) and should be determined without reference to response or recovery capabilities.
    • The justification for identifying an important business service needs to be evidenced in the self-assessment. Firms should also record the rationale for not identifying other business services as important, particularly where an important business service is removed following the annual review.

    Observation and insight on impact tolerance

    • The FCA has observed a wide range of impact tolerances, often with limited rationale for the point at which intolerable consumer harm, or a risk to market integrity, is reached.
    • Industry is primarily using time-bound tolerances as impact tolerances. Firms need to consider other metrics that complement the time measure, for example metrics defined by reference to the types of customers affected, the value of transactions, or the types of transactions disrupted.
    • If recovery is not feasible within a time-based impact tolerance, firms should consider responding with mitigating actions as part of a response plan.
    • Recovery time objectives are different from impact tolerances: an impact tolerance is the maximum tolerable level of disruption to an important business service, whereas a recovery time objective is the firm's own target for restoring it. Recovery time objectives are therefore expected to be set well within impact tolerances.

    Observation and insight on mapping and third parties

    • Firms are responsible for ensuring that third-party providers supporting or delivering important business services remain within the respective impact tolerances.
    • Detailed mapping of important business services should support the identification of vulnerabilities which may cause breaches of impact tolerances.

    Observation and insight on scenario testing

    • Firms are expected to mature the format and type of testing used to understand the resilience of the organisation. Scenario testing should evolve from judgement-based, desk-based exercises towards a wider range of testing that produces empirical data.
    • Effective testing plans incrementally increase the severity of disruption to identify the point at which an impact tolerance is breached and to understand the full impact of the disruption and any vulnerability to be remediated.
    • Third parties can carry out the testing of their own resilience, but firms should ensure that the methodology and tested scenarios meet the requirements.

    Observation and insight on vulnerabilities and remediations

    • Remediation plans need to be approved, fully funded, and appropriately governed to ensure delivery.
    • Firms are expected to regularly review vulnerabilities (as these can change over time, new ones can emerge) and give priority to those that are most likely to impact their ability to remain within impact tolerance.
    • Firms should mature testing across severe but plausible scenarios to enable potential identification of new and additional vulnerabilities.

    Observation and insight on response and recovery plans

    • Response plans are equally important as recovery plans. Firms should test their response plans, as well as their recovery plans, to understand whether they can remain within impact tolerances.

    Observation and insight on governance and self-assessment

    • The governing body is required to review and approve the self-assessment. Any concerns over a firm's ability to remain within impact tolerance should be clearly documented in the self-assessment along with a detailed remediation plan.
    • Good examples of self-assessment documents allow governing body members to understand their firm's position and its roadmap to resilience. They include an overview of the vulnerabilities found, the scenarios tested (with the outcome of those tests), the remediation plans, and the firm's strategy to ensure it can remain within impact tolerances for all important business services no later than 31 March 2025.

    Observation and insight on horizon scanning

    • The FCA considers horizon scanning a key tool for firms to identify new and emerging risks that could give rise to severe but plausible scenarios, and to gauge how soon their impact may be felt. This ensures that testing remains appropriate and that controls are in place for detecting, responding to and recovering from operational disruptions.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.