The UK operational resilience requirements for the Financial Services and Markets Act (FSMA) came into force in March 2025. Yet, many firms are still scrambling to demonstrate that they can keep critical services running within set tolerances. Supervisors are now reviewing programs against the PRA’s 2026 priorities and the FCA’s focus on consumer protection and market integrity, asking hard questions and expecting stronger testing and embedded decision-making.
The good news? The framework itself is clear. The challenge lies in execution. Furthermore, firms must now ensure alignment between UK Operational Resilience and the EU’s Digital Operational Resilience Act (DORA) to support seamless cross-border operating models. Let’s break down what regulators expect, why it matters, and how to build a programme that works when things go wrong.
What the UK Operational Resilience Framework Actually Requires
At its core, UK operational resilience is about protecting customer outcomes during disruption. Regulators want firms to identify the services that matter most, set tolerances for how long those services can be unavailable, map what keeps them running, and test whether recovery plans actually work.
The rules took effect on 31 March 2022, giving firms three years to prepare. By 31 March 2025, every in-scope firm was expected to demonstrate that it could remain within the impact tolerance for each Important Business Service and to produce evidence of mapping and testing. Now, regulators are watching how firms respond to real incidents and whether the work done on paper holds up under pressure. Crucially, regulators have signalled that static PDFs are no longer accepted as sufficient evidence; firms are now expected to provide dynamic, data-driven proof of their resilience posture.
5 Building Blocks Every Firm Needs
1. Important Business Services (IBS)
Start by defining what counts as an Important Business Service. These are customer-facing services where disruption could cause serious harm to customers, threaten market integrity, or destabilise the wider financial system. Think “enable customers to send and receive domestic payments” rather than “maintain the payments platform.”
Each service needs a clear owner who is accountable for keeping it within tolerance. Use plain language that anyone in the business can understand. If your board cannot immediately grasp what a service does and why it matters, rewrite it. Furthermore, ensure that IBS mapping explicitly aligns with FCA requirements, specifically focusing on how service delivery impacts consumer protection and market stability.
2. Impact Tolerances
An impact tolerance sets the maximum acceptable level of disruption. Most firms use time-based measures because they are straightforward to monitor during an incident. Some add volume or geographic thresholds that genuinely improve decision-making.
The tolerance becomes your yardstick. When something breaks, the question is not “how bad is this?” but “are we still within tolerance, and if not, what do we activate?” Set tolerances through proper governance. They should reflect real customer harm, not arbitrary numbers chosen to make the testing easier. Regulators now expect these service-level tolerances to flow down into supplier contracts, ensuring that third-party Service Level Agreements (SLAs) are legally aligned with your firm’s resilience obligations.
3. Dependency Mapping
Every Important Business Service depends on layers of people, technology, data, facilities, and third parties. Map these dependencies so you can identify single points of failure and concentration risks before they bite you.
Build a structure that links services to processes, processes to applications, applications to infrastructure, and infrastructure to suppliers and locations. To manage this complexity effectively, modern programmes are adopting an Organisational Hierarchy approach. This allows firms to manage and visualise how different business units interact within the broader organisation, ensuring no siloed risks are missed. Keep the map current through change control rather than waiting for an annual refresh. If your map is out of date, it is useless during an incident.
4. Scenario Testing
Test your ability to operate within tolerances using severe but plausible scenarios and capture what you learn. Choose scenarios that stress real weaknesses: a cloud region failure, a payments scheme outage, an identity provider compromise, or loss of a critical site. For each test, name the IBS, state the target tolerance, set clear objectives, define recovery steps, and specify the evidence to collect.
5. Governance and Self-Assessment
Boards need visibility of the entire programme. They should know which services are in scope, what the tolerances are, which tests have been run, where tolerances were breached, and what’s being done about it.
A self-assessment document ties everything together. Keep it concise and decision-ready. State your scope, your methods, what you tested, where you met tolerance, and where investment is needed. Be ready to produce this on short notice when supervisors come calling.
How Resilience Connects To Your Existing Programmes
Operational resilience is far more than a standalone oversight layer; it is the central engine of your firm’s stability. Rather than simply sitting alongside existing silos, a mature Operational Resilience framework should automatically trigger updates to Business Continuity Management (BCM), IT Disaster Recovery (IT/DR), and Third-Party Risk Management (TPRM). This ensures that when a service mapping changes or a testing gap is identified, the tactical recovery plans across the organisation are updated in real time to reflect the new reality, maintaining a continuous loop of improvement.
Common Implementation Pitfalls
Nearly a year past the deadline, clear patterns have emerged. Dependency maps sit static in SharePoint, outdated the moment they’re published. Tolerances get set by compliance teams who’ve never spoken to the people who would actually recover the service. Testing involves the same small group every time while ignoring how third-party failures would cascade through your services. Self-assessments read like box-ticking exercises rather than honest capability reviews.
The firms making progress treat resilience as an ongoing discipline. They ask “what does this mean for our tolerances?” before launching services or onboarding suppliers. They embed resilience into change management, procurement, and incident reviews.
Build a Programme That Actually Works
Start With Governance
Pick an executive sponsor who has the authority to make decisions and move resources. Assign accountable owners to each Important Business Service. Define the approval path for tolerances and tests. Set a reporting rhythm that keeps leadership engaged without drowning them in detail. Monthly works for most firms.
Define Services and Set Tolerances
Run short workshops with service owners and people who understand what customers actually need. Write each service statement in one sentence. Draft a tolerance that someone outside your team could measure during a live incident. Socialise the proposals with operations, risk, and compliance before seeking formal approval.
Map What Matters
Capture the critical processes, applications, data, sites, and third parties that keep each service alive. Tag components that represent single points of failure. Use your change management process to keep the map up to date. If a new system goes live or a supplier changes, update the map immediately.
Test Hard and Learn Fast
Pick two or three scenarios that cut across multiple services or expose known weaknesses. Tie test objectives to your tolerances. Time each recovery step. Record what happened. After the test, log actions with clear owners and deadlines. Follow up relentlessly until gaps are closed.
Need inspiration for realistic scenarios? Our guide ‘Stress-Testing Your Operational Resilience Tools: 6 European Threat Scenarios’ walks through severe but plausible events designed to test modern financial services infrastructure.
Strengthen Third-Party Oversight
List the critical suppliers for each service. Check whether their SLAs align with your tolerances. Confirm incident escalation paths. Capture exit strategies for truly critical providers. Monitor supplier incidents and track how close they push your services toward tolerance thresholds.
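The dependency map described under “Map What Matters” and the SLA-versus-tolerance check above can be kept as data and queried rather than left in a static document. The following is an added example, not code from the original article; the service, components, tolerance and supplier SLA figures are constructed and hypothetical.

```python
from collections import defaultdict

# Constructed, hypothetical dependency map for one Important Business Service.
# Each node lists every component it needs; nodes with no entry are leaves
# (suppliers, sites, infrastructure).
DEPENDENCIES = {
    "Domestic payments": ["Payment initiation", "Payment settlement"],
    "Payment initiation": ["Mobile banking app", "Core banking"],
    "Payment settlement": ["Core banking", "Scheme gateway"],
    "Mobile banking app": ["Identity provider", "Cloud region A"],
    "Core banking": ["Cloud region A", "Primary data centre"],
    "Scheme gateway": ["Payments scheme", "Cloud region A"],
}
# Impact tolerance for the service and each supplier's contractual recovery
# time, in hours (hypothetical values).
TOLERANCE_HOURS = {"Domestic payments": 4}
SUPPLIER_SLA_HOURS = {"Identity provider": 2, "Cloud region A": 8,
                      "Payments scheme": 4, "Primary data centre": 4}

def transitive_dependencies(node, seen=None):
    """Every component reachable from node, across all layers of the map."""
    seen = set() if seen is None else seen
    for dep in DEPENDENCIES.get(node, []):
        if dep not in seen:
            seen.add(dep)
            transitive_dependencies(dep, seen)
    return seen

def concentration(service):
    """For each component, the set of the service's processes that rely on it."""
    users = defaultdict(set)
    for proc in DEPENDENCIES[service]:
        for comp in transitive_dependencies(proc):
            users[comp].add(proc)
    return users

def single_points_of_failure(service):
    """Components shared by every process of the service: losing one stops it all."""
    processes = set(DEPENDENCIES[service])
    return sorted(c for c, u in concentration(service).items() if u == processes)

def misaligned_slas(service):
    """Suppliers whose promised recovery time exceeds the service's tolerance."""
    limit = TOLERANCE_HOURS[service]
    deps = transitive_dependencies(service)
    return {s: h for s, h in SUPPLIER_SLA_HOURS.items() if s in deps and h > limit}

if __name__ == "__main__":
    print("Single points of failure:", single_points_of_failure("Domestic payments"))
    print("SLAs exceeding tolerance:", misaligned_slas("Domestic payments"))
```

Because the map is data, the same functions can be re-run from change control whenever a system or supplier changes, which is how the map stays current rather than being refreshed annually.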
To see this integration in action (specifically how your external dependencies must align with your recovery objectives) explore our blog, ‘Why Business Continuity Planning Must Be Central to TPRM’. This deep dive explains why siloed vendor management is a risk and how leading firms are now embedding BCM directly into their third-party risk strategies to ensure end-to-end service resilience.
Report Clearly and Often
Build a dashboard that mirrors your self-assessment. Show your list of services, their status, tolerances, and any breaches, tests completed, and open actions. Use the same view in leadership meetings and supervision conversations. Consistency builds credibility.
Making the UK Operational Resilience Directive Work For Your Firm
Operational resilience is a mindset as much as a framework. It asks firms to think clearly about what customers need, measure what matters during disruption, and build the capability to recover before things break. Done well, it protects customers, satisfies supervisors, and gives your board confidence when pressure hits.
Nearly a year on from the compliance deadline, the question has shifted. It’s no longer “have we met the requirements?” but “can we prove it when it counts?”
Proof isn’t found in documentation alone. It’s built through regular exercises, simulations, and tabletop sessions that develop muscle memory so teams react instinctively during real incidents. Understanding the evolving landscape of cross-border risks is the first step, which is why we’ve created an infographic on EU threat scenarios to help you identify what you’re up against and turn compliance into genuine readiness.