Operational resilience: Rules and guidance in the UK

Operational resilience: Rules and guidance in the UK

The UK government has recently launched a new regulatory framework that aims to provide formal guidance on how organisations can tackle and build strong operational resilience. In our latest blog, we discuss the what, when and how of the UK’s new upcoming operational resilience mandate.

Author: Cygnetise – cygnetise.com


The 2008 Financial Crisis spurred the review and reform of many financial practices on a global scale. Structural changes, such as much higher levels of capital and liquidity, became the norm that has significantly improved financial organisations’ ability to absorb financial shocks. ‘Financial Resilience’ is now pretty widely embedded in most companies’ business culture.

But ‘Financial Resilience’ is only one side of the coin, and ‘Operational Resilience’ seems to be the other. That’s why the UK government has recently launched a new regulatory framework that aims to tackle the issue and provide formal guidance on how organisations can build strong operational resilience.

In our latest blog, we discuss the what, when and how of the UK’s new upcoming operational resilience mandate.


What is ‘Operational resilience’?

The Financial Conduct Authority (FCA) in the UK defines operational resilience as “the ability of firms and financial market infrastructures, and the financial sector as a whole, to prevent, adapt, respond to, recover and learn from operational disruptions.”

Simply said, operational resilience is the ability of organisations to adapt during times of crisis or disruption, and effectively manage operational risks like cyber threats, technology failures, economic or natural disasters. Whilst it might sound like an easy task, operational resilience is actually a complex process that goes beyond crisis management and business continuity planning. It involves developing a comprehensive, pan-organisational strategic framework that covers all potential impacts, risk factors and tolerance levels affecting a business’s successful operation.

Recognising the challenge and importance of operational resilience for firms and the entire financial system, the UK financial regulators, the Bank of England, the Prudential Regulation Authority (PRA) and the FCA, have initiated a new policy development to provide formal guidance on how organisations can build operational resilience.

The initiative kicked off in 2019, with the publication of a suite of consultation papers (the proposals) outlining the government’s proposed approach to embedding a new operational resilience mandate into the UK financial services regulatory framework. The consultation was broadly based on the initial 2018 Discussion Paper by the BoE and FCA, ‘Building the UK financial sector’s operational resilience’. Earlier this year, the UK regulatory trio published their final and long-awaited policy statement and rulebook on ‘Building operational resilience’ in the UK financial sector.

Below we’ve summarised some of the new policy’s key implications and requirements.


Who is in scope for the UK’s new operational resilience regulatory mandate?

The new operational resilience regulatory rules will apply to all the following financial organisations in the UK:

  • building societies

  • PRA-designated investment firms

  • insurers

  • recognised investment exchanges

  • enhanced scope SM&CR firms / entities authorised and registered under the Payment Services Regulations 2017 or Electronic Money Regulations 2011


When does the new operational resilience rulebook come into force?

The new rulebook is set to come into force on 31st March 2022. The timeline set-up includes a one-year implementation period, during which firms would have to identify their “important business services” and define “impact tolerances” for those services and start operationalising the framework.

From 31st March 2022, firms must ensure that, in the event of severe but plausible disruption, the resilience strategies, systems and processes they have in place are sufficient to remain within their impact tolerances to operational disruption. Whilst this is expected to be a gradual process, organisations will have to become fully compliant by 31st March 2025.


What is an ‘important business service’?

An “important business service” is defined as a service provided by a firm, or by another person on behalf of the firm, to one or more clients which, if disrupted, could:

1)     cause intolerable levels of harm to one or more of the firm’s clients, or

2)     pose a risk to the soundness, stability, or resilience of the UK financial system or the orderly operation of the financial markets.


How do you define or set an ‘impact tolerance’?

Firms are responsible for setting ‘impact tolerances’ for each ‘important business service’. According to the new operational resilience rulebook, impact tolerance is the maximum tolerable level of disruption to an important business service, as measured by a length of time in addition to any other relevant metrics. This should also reflect the point at which any further disruption to the important business service could cause intolerable harm to one or more of the firm’s clients, or pose a risk to the stability of the entire UK financial system or the orderly operation of the financial markets.

To put this into perspective, let’s take a look at what business services and impact tolerances would be for an asset management company.

Business services of asset managers could be:

  • Technology platforms for order management, relationship management and trading

  • Third parties such as custodians and fund administration companies

  • Operational information including customer details and authorisation requirements

Impact tolerance thresholds could then be calculated for one or more of the above in terms of both financial and reputational risk using the number of services impacted and the length of time each service was affected by an event.


What’s the connection between operational resilience and governance?

Governance is key to the success of the board’s operational resilience strategy – boards must ensure they have appropriate management information to inform decisions that have consequences for the firm’s operational resilience. Senior management will be more accountable than ever for ensuring the effectiveness of a company’s resilience strategy and its execution. Firms should, therefore, establish clear accountability measures and internal controls for the management of operational resilience, using existing committees and roles, or establishing new ones, if necessary.


Given the depth and scope of the new operational resilience mandate, it’s clear that many firms will be facing a major regulatory burden, in a relatively short timeline. Ironically, the COVID-19 pandemic and rising cyber tensions have galvanised firms into making this a top priority. The “big four” have published several informative papers on the subject:

EY –Building and improving enterprise resilience is no longer a choice. It’s an imperative

KPMG – “Operational resilience in financial services. Seizing business opportunities

PwCOperational resilience, crisis and continuity

DeloitteFinal UK policy on Operational Resilience – financial regulators reimagine resilience for the sector


One theme prevalent throughout all those publications is the role of emerging technology and how it could facilitate the overall compliance process. In fact, it’s clear technology will be instrumental not only in building resilience but also in managing operations across the board. Indeed. Deloitte has set out 8 predictions about the adoption of digital technology in financial services in the next few years. Entitled “Finance 2025”, it looks at, amongst other things, “the finance factory: transactions will be touchless as automation and blockchain reach deeper into finance operations”.

The prediction about blockchain is particularly interesting as we, at Cygnetise, have developed a Blockchain-based application which revolutionises how firms manage both their own, their customers and their counterparts’ authorised signatories. Central to any firms’ contract management or governance protocols, the effective management of authorised signatories (including banking authorities) will undoubtedly be part of the future operations resilience planning, implementation and best practices.

The Cygnetise application has already enabled some of the world’s biggest financial institutions to add security and efficiency to their authorised signatory procedures during the enforced remote working caused by the ongoing COVID-19 pandemic. Business continuity and ESG have also been enhanced for firms adopting the application as it removes the requirement for paper or spread-sheet based processes.

Make possibility reality

Become an IA FinTech Member
and see where it takes you.

Login to your account