Brighter Consultancy Blog

Why Operational Resilience Programmes Stall

Written by Simon Davis | Jun 25, 2026 9:14:54 AM

By the end of March 2025, firms were expected to have completed the core operational resilience work required by both the FCA and the PRA. At that point, firms were required to have identified key business services, set impact tolerances, mapped dependencies, and carried out testing so they could remain within those tolerances in severe yet plausible scenarios.

While many firms established frameworks and finalised governance structures, the difficulties came after implementation. The framework was built, but the governance, evidence management and ownership required were less developed than documentation suggested.

More than a year on from the deadline, many firms are finding that operational resilience takes more upkeep than the programme phase suggested.

Why momentum drops after implementation

In a number of organisations, operational resilience was delivered as a project with a fixed deadline. Once that deadline passed, attention and resources naturally shifted elsewhere. As project teams stepped back, testing became irregular and day-to-day ownership lost clarity, so what had been a programme with pace and structure became something more static.

Operational resilience is an ongoing requirement, and it demands more sustained work than the initial programme phase may suggest. Within London Market insurers and Lloyd's syndicates in particular, ownership of operational resilience often becomes fragmented once programme teams disband and responsibility passes to multiple business and technology functions. Keeping resilience effective then requires ongoing coordination across those teams as processes, systems and third-party arrangements evolve. Without regular review, service mapping can become outdated, testing becomes less useful, and the self-assessment no longer reflects how the business actually operates.

The PRA has been clear that boards and senior management must review important business services, impact tolerances and the self-assessment, noting that accountability can become blurred when responsibility is distributed too widely. Implementation alone does not mean the requirement is met, and the gap between formal completion and ongoing management is where many operational resilience programmes stall.

Why evidence and maturity are drawing more attention

Supervisors are now looking beyond framework completion and asking harder questions about how resilience is being maintained. The FCA’s one-year-on observations encourage firms to review and evolve their approach, while the PRA’s 2026/27 Business Plan confirms that supervision is continuing through operational and cyber resilience assessments, review of self-assessments and work on third-party dependencies.

This places much more importance on the quality of evidence firms produce and on the extent to which resilience remains governed as a live capability. Supervisors will want to see how the firm is testing, where decisions are being taken, what has changed since implementation and how gaps are being addressed.

Further, the Bank of England expects firms to document their resilience journey through self-assessments. According to the BoE, the self-assessment should identify risks that could prevent firms from ‘delivering important business services within impact tolerances in severe but plausible scenarios’, taking the conversation beyond implementation and into day-to-day governance, evidence and oversight.

What stronger operationalisation looks like

The firms making progress here tend to have moved operational resilience out of programme mode and into regular management, with clearer ownership and governance forums to make decisions, track actions, and review changes.

Testing follows a defined cycle and reflects the way services are delivered now, rather than at the point of implementation. More mature firms are also reassessing key business services and impact tolerances each year or after material changes, and using test outcomes to inform remediation and governance reporting.

As the Bank of England recommends, the self-assessment should also reflect the current state of the organisation, highlight where vulnerabilities remain and support decisions on where investment or remediation is still needed.

How Brighter Consultancy can help

Over a year on from the deadline, it is clear that operational resilience is not static, yet many firms have lost momentum.

At Brighter Consultancy, we help firms looking to operationalise resilience more fully, whether that means strengthening governance, clarifying ownership, improving evidence management or putting more structure around testing and oversight.

If your framework is in place but proving harder to sustain than expected, we can help. Get in touch with our team.