By Priscilla Gaudoin, 29 September 2025
Earlier this year, the UK’s Financial Conduct Authority (FCA) struck a frank and open tone when emphasising the point once again that operational resilience is not a box-ticking exercise: it is business critical.
The FCA’s blog, Operational resilience: beyond regulatory raincoats [1], was a call to rethink risk, recovery and responsibility in the face of mounting geopolitical, technological and systemic stressors.
Shifting priorities
The UK’s operational resilience rules came into force in 2022, but the FCA has signalled a shift in how it now assesses firms. Four areas stand out:
- Focus on real-world results: Firms should be able to demonstrate that their resilience frameworks hold up under realistic stress, not just on paper. This requires collaboration across the firm, and externally where third parties are involved.
- Put planning first: Incidents are inevitable – what matters is how firms prepare, respond, learn and communicate. Raising awareness across the business enables firms to respond better.
- Clarity about required actions: There is a clear emphasis on actionable recovery, challenging firms to prove that their response plans would actually work in a crisis.
- Make cultural changes: Operational resilience needs to be treated as a strategic and cultural pillar that shapes decision-making within the firm. The resilience strategy must be communicated and understood across the business, so that employees do not simply respond to incidents but understand why they are responding and consider how their actions affect clients.
Why is this crucial?
Firms are facing a volatile mixture of threats, such as AI risks, digital infrastructure outages, supply chain disruption and geopolitical instability. Against this backdrop, operational resilience is emerging as a key competitive differentiator, not just a regulatory obligation. In practical terms, this means:
- Board accountability is paramount. Under the UK’s Senior Managers and Certification Regime (SM&CR), senior executives must own resilience; it cannot be delegated to a single individual. Boards should ask how decisions are made within the firm and whether those decisions align with the resilience strategy.
- Supervisory oversight focuses on targeted assessments and scenario testing to identify firms whose resilience capabilities are superficial or siloed.
- Firms are expected to show that they have identified their important business services, mapped their dependencies, and tested their ability to remain within impact tolerances. This requires ongoing monitoring, a current understanding of known weaknesses, and attention to early warning signs.
Identified weaknesses
Many businesses still struggle with fragmented ownership of resilience, spread across IT, compliance and operations without strategic alignment. Clearer strategic direction is needed so that effort is focused where it matters and every team is working towards the same goal.
Superficial scenario testing is another area highlighted by the regulator. Testing often lacks realism or meaningful board engagement. A stress test that fails has value: it shows the firm where and why it would break, and how it should respond. Tests that are guaranteed to succeed do not help firms prepare.
Legacy infrastructure remains common. A repeated message is that firms need to assess the third party software and solutions they depend on; robust oversight gives a firm a clearer view of the weaknesses in its own processes.
Underestimating cyber and third party risk is another area where the UK supervisors have been vocal. Supply chains are under greater scrutiny, especially complex chains that involve subcontractors. Firms are reminded that their responsibility goes beyond knowing with whom they do business: they must understand the risks those suppliers pose to the regulated firm.
Take practical steps
There is a simple message that firms should note: start asking better questions internally.
Here are a few actions for consideration:
- Scenario-based board exercises: These exercises should include real operational impacts and decision-making under stress.
- Maturity assessments: The regulators continue to encourage firms to use maturity models to demonstrate their progress towards full compliance. A maturity assessment lets a firm gauge its current capabilities against regulatory expectations.
- Cultural audits: These audits should evaluate whether risk and resilience are understood across teams.
- Engagement with third party providers: Firms need to ensure continuity and transparency under stress, including collaboration with third parties.
Clear regulatory messages
The FCA’s blog should not be ignored. It carries clear messages that firms need to take on board. Resilience should be viewed as a differentiator, and the cost of a firm’s failure, and of its impact on the markets, goes well beyond regulatory sanctions. Firms therefore need to view resilience holistically.
If your firm has not revisited its resilience strategy, it should do so now. The next incident is not a matter of IF, but WHEN. Is your plan sufficient to weather the storm when it occurs?
About the author

Priscilla Gaudoin is Head of Risk & Compliance at Ruleguard. In a career spanning 30 years, Priscilla has worked as a consultant, CCO and MLRO providing regulatory oversight and advice to firms across the financial services industry. She is a Fellow of the International Compliance Association.