B-Compliant Ltd.

B-Compliant Podcast


Operational Resilience After the Deadline

Vicky Pearce and Rachel MacRae unpack the FCA’s latest operational resilience observations, from mapping and testing to embedding resilience into wider risk frameworks and board decision-making. They also look at what recent cloud outages, cyber incidents and third-party risks mean for firms now, plus a quick update on the FSCS MELL for 2026-27.


Chapter 1

Operational resilience is still front and centre

Unknown Speaker

Hello and welcome back to Beyond the Buzz! I’m Vicky Pearce, and I’m here with Rachel MacRae. Today we’re doing what we do best, Rachel, having a nice calm chat about regulation; first up on our agenda is Operational Resilience.

Rachel MacRae

Thanks, Vicky. Yes, we're kicking off with the FCA’s latest observations from firms’ operational resilience self-assessments. This regime and the transition period applied only to certain firms — including banks, insurers, electronic money institutions and payment institutions, as well as larger firms or firms considered material to market integrity — and those firms still need to keep on top of it now that we’re almost a year on from the transition period ending on the 31st March 2025.

Unknown Speaker

Yeah, and the tone from the FCA is actually reasonably encouraging. They’ve said there’s been strong engagement and good progress, which, in compliance terms, is basically a warm round of applause. Firms have completed their mapping and testing, and that’s all about making sure they can stay within impact tolerances for important business services during severe but plausible disruptions.

Rachel MacRae

I always think that phrase, severe but plausible, is doing a lot of heavy lifting. It’s not just, “what if something goes wrong?” It’s, “what if something goes properly wrong, and people still need you to function?” And that’s really the point here. Firms have had to identify those important business services, map what supports them, and test whether they can keep going within the limits they’ve set.

Unknown Speaker

Exactly. And I think one of the more positive points in the update is that operational resilience seems to be getting embedded into wider risk frameworks, instead of sitting in a lonely little corner as a standalone exercise everyone dusts off once a year and hopes not to see again. And the reason we’re talking about it is that there are transferable lessons in the FCA’s observations for all firms, not just the ones directly in scope.

Rachel MacRae

Yes, that was really clear. The FCA’s basically saying this has to become part of the way firms think, not just a compliance file with a very worthy title. Boards are still playing a key role as well, because those self-assessments are giving them a clearer basis for decision-making and investment.

Unknown Speaker

And that matters, because if boards can see where the pressure points are, they can make proper decisions about where money and attention need to go. Not glamorous, maybe, but very important. Well, I say not glamorous. Nothing says excitement like governance and resilience testing.

Rachel MacRae

You do know how to sell an episode, Vicky. But seriously, the FCA’s message is very clear: operational resilience is not static. It’s not a one-off project, it’s not something firms did to get over the transition line and then forget about. They’re expected to review their approach regularly, address vulnerabilities as they emerge, and make sure resilience is built into how products and services are designed and delivered.

Unknown Speaker

That bit is crucial. Build it in. Don’t bolt it on afterwards and hope for the best. The regulator is really pushing firms to move beyond simple compliance and treat operational resilience as a core business capability. And there’s a bigger reason for that too, because this supports consumer protection, market integrity and long-term growth.

Rachel MacRae

Which is a good reminder that resilience isn’t just inward-looking. It’s not only about whether a firm feels organised. It’s about whether customers are protected and whether the wider market can rely on firms to keep operating when things get messy.

Unknown Speaker

And in practical terms, the reminder from us is very much in line with that. Firms should review their operational resilience risks on a regular basis, with appropriate measures in place to manage or reduce those risks. This should be at least annually, not “when someone remembers,” not “when the regulator asks,” and definitely not “after the disruption has already happened.”

Rachel MacRae

Yes, exactly. Annual as a minimum, not a target to scrape over. Because the whole point is that vulnerabilities change. Third parties change, systems change, products change, threat levels change. So if a firm’s approach never changes, that’s probably the warning sign right there.

Unknown Speaker

Nicely put. So, overall, this first update is a bit of both: credit where progress has been made, but also a very clear nudge from the FCA that the work carries on. The transition period may have ended but the expectation absolutely did not.

Rachel MacRae

Yes. If anything, the real test starts after the deadline, doesn’t it? Because now it’s about proving resilience is real, repeatable and actually usable when a disruption hits.

Chapter 2

What firms should be thinking about now

Rachel MacRae

And that takes us neatly into what firms should be thinking about now, because 2025 gave us some big reminders. The FCA specifically points to recent operational disruptions, including major cloud outages and high-profile cyber incidents, which really reinforce why all this resilience work matters.

Unknown Speaker

Yeah, and when those sorts of events happen, they make resilience feel very real very quickly. The FCA notes that many firms have used the resilience framework as a catalyst to rethink their risks, strengthen third-party oversight and invest in practical measures. And practical is the key word!

Rachel MacRae

Definitely. The examples they give are enhanced back-ups, data vaulting and standby processing capabilities. So this isn’t just theory and lovely diagrams. It’s about the actual arrangements that might reduce the likelihood or impact of disruption.

Unknown Speaker

And third-party oversight is a big one. If a firm depends on others to deliver key parts of an important business service, that has to be understood and managed properly. Because outsourcing something doesn’t make the risk disappear, sadly.

Rachel MacRae

And there’s also the cyber insurance point, which I think is worth touching on. We’re seeing more firms becoming increasingly conscious of the need for cyber insurance because of the evolving threat landscape. But the key message is that insurance can form part of a broader resilience strategy; it should not be relied on in isolation.

Unknown Speaker

Exactly right. It’s part of the picture, not the whole picture. Firms still need preventative and protective measures: robust cyber security controls, effective governance, strong third-party oversight and well-tested recovery arrangements. Insurance is not some magical “there, sorted it” button. Shame, really.

Rachel MacRae

A real shame. Now, while we’re on updates firms should have on the radar, the PRA has also published its final policy statement confirming the FSCS Management Expenses Levy Limit, or MELL, for the 2026 to 2027 financial year.

Unknown Speaker

And that limit has been set at one hundred and thirteen million pounds. That covers the FSCS’s ongoing operating costs, plus a small unlevied reserve to allow some flexibility for unforeseen expenses. The PRA also said there was broad industry support for the proposals they consulted on earlier in the year, and they’ve made no changes to the approach.

Rachel MacRae

So, nice and straightforward on that one. The levy limit applies from the 1st of April 2026 to the 31st of March 2027, and it’s relevant to all PRA- and FCA-authorised firms that contribute to the FSCS.

Unknown Speaker

And finally, a little event reminder. Rachel and I will be taking to the stage at the PFS Local event in Manchester on Monday the 13th of April. The theme for the day is turbo-charging your brand, which sounds fast and slightly dangerous, and we’ll be speaking about financial promotions.

Rachel MacRae

Yes, one of our favourite topics. We’ll be looking at how firms can build a strong, eye-catching brand while staying on the right side of the rules, which is always the trick, isn’t it? You want something memorable, but not memorable for the wrong regulatory reasons.

Unknown Speaker

That is the dream. So if you’re local and you would like to join us and get involved, drop us an email and we can send you on the details for how to register. And I think that’s a good place to leave it for this episode.

Rachel MacRae

I think so too. Thanks for listening, everyone. Keep reviewing those resilience risks, keep your documents current, and we’ll be back soon with more updates.

Unknown Speaker

Thanks all. Bye, Rach.

Rachel MacRae

Bye, Vicky. Bye everyone.