UK Operational Resilience Impact Tolerances
UK financial firms have had four years to prepare. March 31, 2025 is the hard deadline: firms must prove they can actually operate within their impact tolerances, not just have plans to get there. The FCA and PRA expect evidence from real tests, not tabletop exercises alone.
Fact-checked and reviewed — Kodi C.
FCA Policy Statement PS21/3 and PRA Supervisory Statement SS1/21 require firms to be able to remain within the impact tolerances set for each important business service by March 31, 2025 at the latest. The transition period ends on that date, by which mapping, impact tolerance testing and scenario response playbooks must be complete. The deadline is the culmination of a four-year journey that began with publication of the operational resilience framework in March 2021; since then firms have been expected to identify their important business services, set impact tolerances, and build the capability to remain within them.
Regulatory Framework Overview
The UK operational resilience framework represents a fundamental shift from traditional business continuity approaches to an outcomes-focused model centred on preventing customer harm. Rather than prescribing specific controls or recovery timeframes, regulators require firms to determine what level of disruption would cause intolerable harm to customers and markets, then demonstrate the capability to remain within those boundaries.
The framework applies to banks, building societies, PRA-designated investment firms and insurers, and on the FCA side also to recognised investment exchanges, enhanced-scope SM&CR firms, and payment and e-money firms. Scope determination requires careful analysis of regulatory permissions and balance sheet characteristics. Groups must consider both individual entity and consolidated requirements.
Important business services represent the core concept of the framework. These are services provided to external end users where disruption could cause intolerable harm. The determination of importance requires analysis of customer dependency, market criticality, and potential for systemic impact. Most firms have identified between 5 and 30 important business services depending on their business model complexity.
Impact Tolerance Requirements
Impact tolerances define the maximum tolerable disruption to each important business service. Unlike recovery time objectives in traditional business continuity, impact tolerances encompass multiple dimensions including duration, customer impact, data integrity, and financial exposure. Tolerances must be calibrated to the point at which harm becomes intolerable rather than merely inconvenient.
Setting impact tolerances requires analysis of customer dependencies and vulnerability. Retail banking services relied upon for daily transactions may warrant tighter tolerances than wholesale services where counterparties have alternative arrangements. Regulatory expectations emphasize that tolerances should be genuinely challenging rather than set conservatively to ensure easy compliance.
Documenting the tolerance-setting methodology demonstrates to regulators that the firm has engaged with the framework's intent rather than back-solved from current recovery capability. Boards must approve impact tolerances with a clear understanding of the harm thresholds they represent. Tolerance changes require board review and should be infrequent, reflecting genuine changes in service criticality rather than performance management convenience.
Service Mapping and Dependencies
Full mapping of important business services identifies all resources required for service delivery. People, processes, technology, facilities, and information must be documented with sufficient granularity to support disruption scenario analysis. Third-party dependencies require particular attention as they often represent the most significant vulnerability points.
Technology mapping should identify the applications, infrastructure components, data stores, and integration points supporting each service. Dependency chains may extend through multiple layers of infrastructure and third-party services, so a shared component several hops upstream can be the real single point of failure. Mapping must be kept current as technology environments evolve.
Third-party and intra-group dependencies present particular challenges for operational resilience. Cloud service providers, payment processors, market data vendors, and outsourced operations may support multiple important business services. Concentration risk analysis should identify dependencies where single provider failure could affect multiple services simultaneously.
Scenario Testing and Assurance
Scenario testing validates capability to remain within impact tolerances during severe but plausible disruption events. Test scenarios should encompass technology failures, cyber attacks, third-party outages, facility unavailability, and other disruption types relevant to the firm's risk profile. Scenarios should be severe enough to genuinely stress resilience capabilities.
Testing must show actual capability rather than theoretical recovery plans. Tabletop exercises provide value for process validation but should be supplemented with technical testing that validates recovery mechanisms and failover capabilities. End-to-end testing involving third parties provides the most realistic assessment of resilience posture.
Test results must be documented with clear assessment of tolerance adherence. Where testing reveals capability gaps, remediation plans should be developed with clear ownership and timelines. Boards should receive regular reporting on test outcomes and remediation progress. The March 2025 deadline requires that testing shows firms can currently operate within tolerances, not merely that they have plans to achieve compliance.
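The mapping and concentration-risk analysis described under Service Mapping and Dependencies, together with the tolerance check that scenario testing is meant to evidence, can be driven from a machine-readable service map. The following is an added worked example written for this page; it is not tooling from the FCA, the PRA or any firm. Every service, resource, provider and recovery figure is constructed, and the model makes two simplifying assumptions: a resource is restored only once the resources it depends on are back (so chains add up while independent branches recover in parallel), and `recovery_hours` is the recovery time demonstrated in a scenario test, not a planning target.

```python
"""Dependency mapping, concentration risk and tolerance check for important
business services (IBS).

Added example; all service, resource and provider names and every recovery
figure below are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    """One node in the service map: application, infrastructure, data store
    or third-party service."""
    name: str
    kind: str                # e.g. "application", "infrastructure", "third_party"
    provider: str            # "internal" or an external provider (constructed names)
    recovery_hours: float    # recovery time demonstrated in scenario testing (constructed)
    depends_on: tuple = ()   # names of resources this one needs in order to operate


@dataclass(frozen=True)
class ImportantBusinessService:
    name: str
    tolerance_hours: float   # board-approved impact tolerance, duration dimension
    entry_points: tuple      # resources the service consumes directly


# Constructed service map (not a real firm's estate).
RESOURCES = {r.name: r for r in [
    Resource("cloud_iaas", "third_party", "CloudCo", 3.0),
    Resource("payment_gateway", "third_party", "PayHub", 2.0),
    Resource("market_data_feed", "third_party", "FeedCo", 1.0),
    Resource("core_ledger", "application", "internal", 4.0, ("cloud_iaas",)),
    Resource("mobile_backend", "application", "internal", 1.0, ("core_ledger", "cloud_iaas")),
    Resource("payments_adapter", "application", "internal", 1.5, ("core_ledger", "payment_gateway")),
    Resource("trading_platform", "application", "internal", 2.0, ("market_data_feed", "cloud_iaas")),
]}

SERVICES = [
    ImportantBusinessService("Retail payments", 12.0, ("payments_adapter",)),
    ImportantBusinessService("Mobile banking", 6.0, ("mobile_backend",)),
    ImportantBusinessService("Wholesale FX execution", 24.0, ("trading_platform",)),
]


def transitive_dependencies(resources, roots):
    """Every resource reachable from the roots along depends_on edges."""
    seen, queue = set(), deque(roots)
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        queue.extend(resources[name].depends_on)
    return seen


def provider_exposure(resources, services):
    """External provider -> sorted IBSs that depend on it, directly or transitively."""
    exposure = defaultdict(set)
    for svc in services:
        for name in transitive_dependencies(resources, svc.entry_points):
            provider = resources[name].provider
            if provider != "internal":
                exposure[provider].add(svc.name)
    return {p: sorted(s) for p, s in exposure.items()}


def concentrated_providers(resources, services, min_services=2):
    """Providers whose single failure would disrupt at least min_services IBSs."""
    return sorted(p for p, s in provider_exposure(resources, services).items()
                  if len(s) >= min_services)


def worst_case_recovery(resources, roots):
    """Longest recovery chain feeding the roots. Assumption: a resource can only
    be restored once everything it depends on is back, so chains add while
    independent branches recover in parallel (max, not sum)."""
    memo, in_progress = {}, set()

    def chain(name):
        if name in memo:
            return memo[name]
        if name in in_progress:
            raise ValueError(f"dependency cycle at {name}")   # a broken map, not a result
        in_progress.add(name)
        res = resources[name]
        upstream = max((chain(d) for d in res.depends_on), default=0.0)
        in_progress.discard(name)
        memo[name] = res.recovery_hours + upstream
        return memo[name]

    return max(chain(r) for r in roots)


def tolerance_report(resources, services):
    """Per IBS: worst-case recovery against the impact tolerance, and whether it holds."""
    report = {}
    for svc in services:
        hours = worst_case_recovery(resources, svc.entry_points)
        report[svc.name] = {
            "worst_case_hours": hours,
            "tolerance_hours": svc.tolerance_hours,
            "within_tolerance": hours <= svc.tolerance_hours,
        }
    return report


if __name__ == "__main__":
    for svc, row in tolerance_report(RESOURCES, SERVICES).items():
        status = "within" if row["within_tolerance"] else "BREACH"
        print(f"{svc}: {row['worst_case_hours']}h vs {row['tolerance_hours']}h -> {status}")
    print("providers shared by several IBSs:", concentrated_providers(RESOURCES, SERVICES))
```

On the constructed data the check flags Mobile banking: its own backend restores in an hour, but it sits on the core ledger, which sits on the cloud provider, so the demonstrated chain is eight hours against a six-hour tolerance. The same walk shows CloudCo behind all three services, which is the concentration finding the third-party section asks for. The model covers the duration dimension only; a firm that has also set volume or value metrics would extend the report with those, and any cycle in the map is reported as an error rather than silently producing a number.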
Third-Party Risk Management
Material third parties supporting important business services require enhanced oversight under the operational resilience framework (this is the firm's own third-party risk management, distinct from the separate UK regime for critical third parties designated by HM Treasury). Contractual arrangements should include provisions for resilience testing, incident notification, and business continuity coordination. Exit planning and transition capabilities must be established to manage provider failure scenarios.
Joint testing with critical third parties validates end-to-end resilience including handoff points and communication protocols. Testing should cover both provider-side disruptions and scenarios where the firm's own systems are affected while depending on provider services. Third-party testing coordination requires advance planning and contractual arrangements.
Concentration risk in third-party relationships may require additional mitigation measures. Where single providers support multiple important business services, firms should evaluate diversification options, improved monitoring, or accelerated exit capabilities. Regulatory scrutiny of third-party concentration has increased alongside operational resilience expectations.
Governance and Board Oversight
Board responsibility for operational resilience is explicit in the regulatory framework. Boards must approve the identification of important business services, impact tolerances, and self-assessments of resilience capability. Board members should have sufficient understanding of operational resilience concepts to provide effective challenge to management.
Self-assessment documentation represents a key governance deliverable. Firms must prepare and maintain self-assessments demonstrating their operational resilience capability. Self-assessments should be honest evaluations of current capability rather than aspirational statements. Regulators expect self-assessments to identify areas for improvement alongside demonstrated strengths.
Escalation and exception processes should be documented and tested. When disruptions occur that threaten tolerance breach, clear protocols should guide response actions, management notification, and regulatory communication. Post-incident analysis should assess tolerance adherence and drive improvements.
Customer Communication and Harm Mitigation
Customer communication planning forms an essential component of operational resilience. When services are disrupted, customers need timely, accurate information about the nature of the disruption, expected resolution, and alternative arrangements. Communication failures can worsen customer harm beyond the direct service impact.
Harm mitigation measures reduce customer impact during disruptions. These may include temporary workarounds, extended service hours post-recovery, fee waivers, or preventive customer outreach. Firms should pre-plan harm mitigation measures for important business services rather than developing responses during incidents.
Vulnerable customer considerations add complexity to harm assessment and mitigation. Customers with limited alternatives, technology barriers, or other vulnerabilities may experience disproportionate harm from service disruptions. Impact tolerances and mitigation plans should account for vulnerable customer populations.
Supervisory Expectations and Examination
Regulators have signaled clear expectations for the March 2025 deadline. Firms should be able to show that they can currently operate within impact tolerances, not merely that they have plans to achieve compliance. Evidence should include test results, remediation completion, and governance documentation.
Supervisory engagement on operational resilience has intensified as the deadline approaches. Firms should expect requests for self-assessment documentation, testing evidence, and board materials. Regulatory feedback should be addressed promptly with clear remediation plans where concerns are raised.
Post-deadline supervisory activity is likely to include thematic reviews assessing industry-wide resilience capabilities. Firms with demonstrated weaknesses may face enhanced supervision, required action plans, or enforcement consideration. Investment in operational resilience should be viewed as ongoing rather than deadline-driven.
Source material
- FCA PS21/3, Building operational resilience: Feedback to CP19/32 and final rules (Financial Conduct Authority, March 2021)
- PRA SS1/21, Operational resilience: Impact tolerances for important business services, and the accompanying policy statement (Prudential Regulation Authority, March 2021)
- ISO 37000:2021, Governance of organizations: Guidance (International Organization for Standardization)