What Is Operational Resilience Under the FCA Framework?

2 May 2026 · 5 min read · By Hak, VantagePoint Networks

The Financial Conduct Authority (FCA) has fundamentally reshaped how UK financial services firms approach operational risk. The operational resilience framework, introduced through the PRA and FCA's building blocks approach, requires organisations to demonstrate they can survive severe but plausible operational disruptions without compromising critical functions. For London-based SMBs in professional services, legal practices, and financial advisory—whether you're directly regulated or supporting the financial ecosystem—understanding FCA operational resilience is no longer optional. It's a strategic imperative that affects how you manage technology, staffing, third-party dependencies, and business continuity.

What the FCA Operational Resilience Framework Actually Means

Operational resilience is the Financial Conduct Authority's framework designed to ensure that firms can absorb shocks and continue serving customers, even when faced with significant operational disruptions. Unlike traditional business continuity planning, which often focuses on recovery time, the FCA's approach centres on impact tolerance—the maximum level of harm a firm can sustain whilst remaining viable.

The framework introduces three core concepts:

For smaller professional services firms and financial advisers, this isn't about becoming a systemically important institution overnight. Rather, it's about proving you've thought systematically about where your operation is genuinely vulnerable and what you'll do if something breaks.

Why Impact Tolerance Matters More Than You Think

The concept of impact tolerance fundamentally shifts responsibility from "do you have a business continuity plan?" to "can you survive genuine disruption within acceptable limits?" This distinction is critical for SMBs, where operational margins are often tight and recovery capacity is limited.

Setting Your Impact Tolerance Thresholds

Impact tolerance isn't set by the FCA; it's determined by your firm in dialogue with your regulator. You'll need to define acceptable thresholds across multiple dimensions:

A financial advisory firm might determine that it can tolerate a 2-hour disruption to client communications, but not a 24-hour outage that prevents portfolio valuations. A legal practice might establish that case filing delays of up to 4 hours are acceptable, but not overnight.

Identifying Your Vital Business Functions

Once you've set impact tolerance, you work backwards to identify which business functions are critical to staying within that threshold. This requires granular mapping of your operations—not just broad categories like "IT systems" or "client-facing services," but specific, discrete functions.

For example:

Severe but Plausible Scenario Testing—The Practical Reality

The FCA's insistence on "severe but plausible" scenarios deliberately excludes fantasy disaster planning. You're not budgeting for meteorite strikes or civil war. You're stress-testing against genuinely credible threats that could occur in the next three to five years.

For London professional services and SMBs, typical scenarios include:

The exercise isn't just theoretical. You must run through these scenarios with your actual team, using real data volumes and realistic constraints. If you discover you'd breach your impact tolerance, you need to explain how you'll remediate the gap—whether that's investing in redundant systems, building staff backup capacity, or revising your tolerance thresholds.

Making Scenario Testing Proportionate for Smaller Firms

The FCA acknowledges that testing rigour should scale with firm size and systemic importance. A 30-person advisory firm isn't expected to run the same level of detailed modelling as a major investment bank. However, you must still demonstrate that you've thought through what happens when critical resources fail, and you must be able to show the FCA (or your regulator) that you've actually tested your assumptions, not just written a nice plan.

Many SMBs find that engaging an experienced resilience consultant—someone who understands both the FCA's expectations and the practical constraints of smaller operations—helps translate regulatory requirements into workable processes. Firms like VantagePoint Networks, which specialise in operational resilience implementation for mid-market organisations, can help structure your approach without turning resilience planning into a multi-year compliance project.

Documentation, Governance, and Ongoing Compliance

The framework requires robust documentation and demonstrable governance. You'll need to maintain records showing:

For SMBs, this doesn't require a dedicated resilience officer (though larger firms may benefit from one). It does require nominated accountability—usually a director or senior manager responsible for ensuring resilience governance is maintained and communicated to your board or senior management team on an annual basis at minimum.

The operational resilience framework is now a permanent feature of the FCA's regulatory landscape. Rather than viewing it as an additional compliance burden, forward-thinking firms are using it to clarify their operational dependencies, identify hidden vulnerabilities, and build robust businesses that can survive genuine shocks. That clarity isn't just good for the regulator's peace of mind—it's good for your business continuity and your reputation with clients and partners, who increasingly expect operational resilience as a baseline.
