The Financial Conduct Authority (FCA) has fundamentally reshaped how UK financial services firms approach operational risk. The operational resilience framework, introduced through the PRA and FCA's building blocks approach, requires organisations to demonstrate they can survive severe but plausible operational disruptions without compromising critical functions. For London-based SMBs in professional services, legal practices, and financial advisory, whether you are directly regulated or supporting the financial ecosystem, understanding the FCA's operational resilience framework is no longer optional. It is a strategic imperative that affects how you manage technology, staffing, third-party dependencies, and business continuity.
What the FCA Operational Resilience Framework Actually Means
Operational resilience is the Financial Conduct Authority's framework designed to ensure that firms can absorb shocks and continue serving customers, even when faced with significant operational disruptions. Unlike traditional business continuity planning, which often focuses on recovery time, the FCA's approach centres on impact tolerance—the maximum level of harm a firm can sustain whilst remaining viable.
The framework introduces three core concepts:
- Impact tolerance: The threshold of harm your firm can withstand in relation to customer outcomes, market integrity, and financial stability
- Vital business functions: The activities that, if disrupted, would breach your impact tolerance
- Scenario testing: Regular, severe but plausible scenarios that test whether your firm can stay within its impact tolerance thresholds
For smaller professional services firms and financial advisers, this isn't about becoming a systemically important institution overnight. Rather, it's about proving you've thought systematically about where your operation is genuinely vulnerable and what you'll do if something breaks.
Why Impact Tolerance Matters More Than You Think
The concept of impact tolerance fundamentally shifts responsibility from "do you have a business continuity plan?" to "can you survive genuine disruption within acceptable limits?" This distinction is critical for SMBs, where operational margins are often tight and recovery capacity is limited.
Setting Your Impact Tolerance Thresholds
Impact tolerance isn't set by the FCA; it's determined by your firm in dialogue with your regulator. You'll need to define acceptable thresholds across multiple dimensions:
- Customer outcomes (service delays, financial losses, data breaches)
- Market integrity (execution quality, pricing accuracy, regulatory compliance)
- Financial viability (acceptable losses before insolvency risk)
A financial advisory firm might determine that it can tolerate a 2-hour disruption to client communications, but not a 24-hour outage that prevents portfolio valuations. A legal practice might establish that case filing delays of up to 4 hours are acceptable, but not overnight.
Identifying Your Vital Business Functions
Once you've set impact tolerance, you work backwards to identify which business functions are critical to staying within that threshold. This requires granular mapping of your operations—not just broad categories like "IT systems" or "client-facing services," but specific, discrete functions.
For example:
- A financial adviser needs real-time access to client investment records: that is vital
- The same adviser might tolerate a 24-hour delay in generating quarterly performance reports: that is important, but not vital
- A legal practice needs to file court documents on schedule: that is vital
- Updating the same practice's firm intranet: not vital
Severe but Plausible Scenario Testing—The Practical Reality
The FCA's insistence on "severe but plausible" scenarios deliberately excludes fantasy disaster planning. You're not budgeting for meteorite strikes or civil war. You're stress-testing against genuinely credible threats that could occur in the next three to five years.
For London professional services and SMBs, typical scenarios include:
- Cyber incident: Ransomware encryption affecting client data systems for 48–72 hours
- Third-party failure: Your cloud provider, payment processor, or outsourced service provider experiencing a prolonged outage
- Staffing shock: Loss of key personnel (sudden departure, illness outbreak) reducing operational capacity by 30–50%
- Regulatory action: Sudden suspension of a critical licence or authorisation affecting permitted activities
- Infrastructure failure: Building closure (fire, flooding, contamination) forcing remote-only operations
The exercise isn't just theoretical. You must run through these scenarios with your actual team, using real data volumes and realistic constraints. If you discover you'd breach your impact tolerance, you need to explain how you'll remediate the gap—whether that's investing in redundant systems, building staff backup capacity, or revising your tolerance thresholds.
Making Scenario Testing Proportionate for Smaller Firms
The FCA acknowledges that testing rigour should scale with firm size and systemic importance. A 30-person advisory firm isn't expected to run the same level of detailed modelling as a major investment bank. However, you must still demonstrate that you've thought through what happens when critical resources fail, and you must be able to show the FCA (or your regulator) that you've actually tested your assumptions, not just written a nice plan.
Many SMBs find that engaging an experienced resilience consultant—someone who understands both the FCA's expectations and the practical constraints of smaller operations—helps translate regulatory requirements into workable processes. Firms like VantagePoint Networks, which specialise in operational resilience implementation for mid-market organisations, can help structure your approach without turning resilience planning into a multi-year compliance project.
Documentation, Governance, and Ongoing Compliance
The framework requires robust documentation and demonstrable governance. You'll need to maintain records showing:
- How you identified vital business functions and impact tolerance thresholds
- What scenario testing you've conducted and when
- What key vulnerabilities you've identified
- What remediation steps you're taking
- Board-level oversight of resilience performance
For SMBs, this doesn't require a dedicated resilience officer (though larger firms may benefit from one). It does require nominated accountability: usually a director or senior manager responsible for ensuring that resilience governance is maintained and that resilience performance is reported to your board or senior management team at least annually.
The operational resilience framework is now a permanent feature of the FCA's regulatory landscape. Rather than viewing it as an additional compliance burden, forward-thinking firms are using it to clarify their operational dependencies, identify hidden vulnerabilities, and build robust businesses that can survive real shocks. That clarity isn't just good for the regulator's peace of mind; it's good for your business continuity and for your reputation with clients and partners who increasingly treat operational resilience as a baseline expectation.
VantagePoint Networks is an independent senior IT and AI consultancy based in London. No account managers — every engagement is handled directly by the founder.