The Financial Conduct Authority's (FCA) operational resilience framework continues to evolve, and 2025 marks a critical inflection point for UK financial services firms of all sizes. If you're running a professional services firm, legal practice, or financial advisory business in London, the FCA's 2025 operational resilience requirements directly affect how you must operate—from IT infrastructure to incident response protocols. This guide, written for SMBs that cannot afford to fall behind on regulatory compliance, covers what has changed, what is staying the same, and what your organisation needs to do now.
Operational resilience is no longer a "nice to have" addition to your compliance checklist. The FCA's framework, which took effect in phases from 2021 onwards, requires authorised firms to demonstrate they can withstand, adapt to, and recover from operational disruptions—without breaching regulatory requirements or causing harm to consumers and markets.
For London-based SMBs, this means three core pillars:
What makes 2025 different is not necessarily new rules, but enforcement intensity. The FCA has shifted from a "learning phase" to active, detailed scrutiny. Firms that have treated operational resilience as a box-ticking exercise rather than a business imperative are now facing heightened supervisory attention.
The FCA has made explicit that cyber resilience sits at the heart of operational resilience. This isn't limited to having a cybersecurity policy; it extends to demonstrating that your digital infrastructure—and the third-party providers who support it—can withstand and recover from sophisticated attacks.
Specifically, the FCA expects:
For professional services and legal firms, this often means revisiting third-party IT arrangements. If you're relying on shared cloud services, an outsourced helpdesk, or managed IT support, you need contractual certainty about their resilience commitments and regular assurance that they're meeting them.
Another area where the FCA has tightened scrutiny is third-party risk. If your firm depends on external providers—whether cloud platforms, payment processors, or managed IT providers—you must have a clear, up-to-date map of these dependencies and be able to articulate the impact if each fails.
Many SMBs have found this harder than expected. Unlike large banks with dedicated third-party risk teams, smaller firms often discover they don't have a single, authoritative view of their critical suppliers. This year, the FCA expects better.
The FCA has reinforced that operational resilience is not a compliance team responsibility; it sits with the board and senior management. Directors and partners must be able to demonstrate personal understanding of their organisation's impact tolerances and resilience posture. Generic delegation to IT or compliance functions will not satisfy regulatory scrutiny.
Before you build anything, define your impact tolerances. Work with your leadership team to answer: What operational disruptions would breach our regulatory or client-facing commitments? How long can critical systems be down? What financial loss is unacceptable? What reputational damage would harm our licence?
Document these in writing. They should be specific, measurable, and clearly linked to your business model. A legal firm's tolerance for a document management system outage differs vastly from a financial adviser's tolerance for email disruption.
Map your critical processes and the systems, people, and third parties they depend on. Identify gaps between your current capabilities and your impact tolerances. This is often the moment when firms realise their business continuity plans are outdated, untested, or exist only on a hard drive in someone's office.
Many organisations find it helpful to engage external expertise at this stage—not to avoid responsibility, but to bring fresh eyes and benchmarking. Firms like VantagePoint Networks can help map these dependencies and identify resilience risks that internal teams might have normalised over time.
The FCA expects scenario testing, and it must be genuine. This means simulating outages and disruptions that are plausible for your threat landscape. A professional services firm in London should test scenarios like:
Desktop exercises are a starting point; full simulations—where teams actually try to recover systems—are more credible and more useful. Test results should be documented and findings should drive tangible improvements to your resilience posture.
Review your contracts with critical IT, cloud, and professional service providers. Ensure they include:
Don't simply collect certificates; verify they're current and actually relevant to the services you use. A managed IT provider's ISO 27001 certification is only valuable if it covers the specific infrastructure and services supporting your critical systems.
Operational resilience should be a standing agenda item at board or partnership meetings. Report on testing results, remediation actions, and any changes to your resilience posture. This demonstrates to the FCA (and to yourselves) that resilience is a genuine business priority, not compliance theatre.
The FCA's operational resilience regime is maturing. In 2025 and beyond, expect:
The window for treating operational resilience as a compliance afterthought has definitively closed. Firms that take it seriously now—that invest in mapping, testing, and governance—will navigate 2025 with confidence. Those that don't will face increasingly uncomfortable questions from regulators, and worse, will be caught unprepared when disruption inevitably strikes.
VantagePoint Networks is an independent senior IT and AI consultancy based in London. No account managers — every engagement is handled directly by the founder.