The Financial Conduct Authority's (FCA) operational resilience framework has fundamentally reshaped how UK financial services firms approach business continuity and IT governance. Since November 2022, all firms meeting the threshold conditions—typically those with over £15 billion in assets or designated as critical—have been required to comply with the FCA operational resilience IT requirements. Yet the ripple effects extend far beyond these giants. Professional services firms, legal advisers, and wealth managers increasingly face indirect compliance pressures through client relationships, outsourcing arrangements, and regulatory scrutiny. For London-based SMBs operating in finance, understanding these requirements isn't optional—it's essential to maintaining your competitive position and regulatory standing.
Operational resilience is the FCA's framework designed to ensure that firms can continue to deliver critical financial services during severe but plausible disruption events. Unlike traditional business continuity planning, which often focused on recovery time objectives (RTOs) measured in days, operational resilience demands firms identify what can go wrong and build defence mechanisms that ensure critical services remain uninterrupted.
The framework rests on three core pillars:
What makes this framework particularly demanding is its shift away from tick-box compliance. The FCA explicitly states that firms must demonstrate genuine resilience, not simply possess comprehensive documentation. This distinction matters enormously for SMBs operating with limited compliance resources. Your IT infrastructure, data architecture, and recovery capabilities must be engineered to match your stated tolerance levels—and if they don't, you must actively remediate the gaps or adjust your business model.
Your data environment sits at the heart of operational resilience. The FCA expects firms to maintain resilient data architectures that can withstand infrastructure failures, cyber incidents, or supply chain disruptions. This means:
Many SMBs still rely on single-provider cloud solutions or basic incremental backups without proper geographic distribution. This approach creates a critical vulnerability. If your primary cloud provider experiences an extended outage, or if a ransomware attack encrypts your primary data stores, your recovery capability becomes meaningless. Firms increasingly adopt multi-region backup strategies, sometimes via dedicated managed service providers, to ensure true independence from primary infrastructure providers.
The FCA emphasises that critical systems must maintain availability during disruption events. This requires robust change management, capacity planning, and architectural resilience. Consider:
Many professional services firms and financial advisers still operate with legacy systems that lack built-in redundancy. Upgrading these systems purely for compliance reasons often proves difficult to justify financially, but framing the investment as operational resilience—and articulating the genuine business case—can unlock budget approval. VantagePoint Networks has helped numerous London-based advisory firms audit their system architectures against FCA requirements, often identifying surprising gaps in supposed redundancy.
The framework places explicit responsibility on firms for their outsourced service providers. If your firm outsources critical services—whether cloud infrastructure, client reporting systems, or payment processing—you remain accountable for their resilience.
This means you must:
The regulator has been particularly firm about this expectation. You cannot simply assume that a major provider like Amazon Web Services or Microsoft will meet your resilience requirements. You must verify their actual capabilities and establish your own fallback arrangements.
Before you can engineer resilience, you must articulate your impact tolerance: the maximum loss your firm can tolerate across each critical business service. This isn't a technical exercise—it requires business leaders, compliance, and IT to collaborate. Work through scenarios like a two-day trading outage or loss of client communication systems, and agree on the maximum financial or reputational impact your firm can absorb. This becomes your target resilience level.
Document every critical business service your firm operates, the IT systems supporting each service, and the dependencies between systems. This dependency mapping often reveals surprising vulnerabilities—a single person with knowledge of a legacy system, a manual process nobody has documented, or a third-party dependency nobody questioned. Regulators expect this mapping to be detailed, current, and regularly reviewed.
Simulation exercises and tabletop scenarios are essential. The FCA distinguishes between what you claim you can do and what you've actually demonstrated under realistic conditions. Regular testing—at least annually, but preferably twice yearly for critical services—provides evidence that your resilience measures work in practice. Document test results, outcomes, and remediation actions taken.
Your technical controls should match your risk profile and impact tolerance. A £200 million financial services firm may need elaborate multi-region disaster recovery; a legal advisory practice with £10 million in assets may need robust backup and failover systems without the same level of geographic redundancy. The key is alignment: your controls should genuinely protect against scenarios you've identified as plausible.
The FCA operational resilience framework represents a maturation in regulatory expectations around IT governance. Rather than viewing it as a compliance burden, firms that genuinely embrace operational resilience gain meaningful business benefits: fewer unplanned outages, faster recovery when incidents occur, and stronger client confidence. The investment required varies significantly based on your firm's size, current infrastructure, and operational complexity. But the fundamental principle remains constant: resilience must be engineered into your systems and processes, not bolted on as an afterthought. Firms that take this seriously today will find themselves better positioned to handle both regulatory scrutiny and genuine operational disruptions.
VantagePoint Networks is an independent senior IT and AI consultancy based in London. No account managers — every engagement is handled directly by the founder.