Operational Resilience – What’s up with the Regulators?

We are now at the first anniversary of the end of the transitional period for Operational Resilience rules from the PRA and FCA. Both regulators are clearly taking stock and have come up with a surprising burst of activity to mark this auspicious occasion.

On the 18^th March, both regulators published their findings and new rules on Operational Incident Reporting. These rules will be effective in March 2027. Just over a week later, the FCA published their take on the progress (and lack of progress in some cases) that firms are making in the area.

Flurries of activity from regulators should never be ignored. Is this activity coincidental? The Operational Incident papers were the culmination of a consultation exercise (but they could easily have chosen a different date to publish) and an anniversary is a natural time to reflect. Even if it is a pure coincidence, the message couldn’t be clearer. The Operational Resilience project that firms worked so hard on, cannot be consigned to a filing cabinet in deep storage in an old salt mine, it has to be refreshed, constantly kept up to date and be ready for not only regulators’ scrutiny but also the brown smelly stuff hitting the revolving air moving device. This latter point is after all, the whole point of the exercise. Keeping regulators happy is fifty-eighth on the priority list while ensuring your business keeps on functioning and clients receive the services they expect are the first fifty-seven.

There were however a couple of really notable things that came out from the regulators’ papers. They were things that subtly but irrevocably change the game. They are both things that we at Aldbury International are either not surprised by or that we actively advocated for at the consultation phase several years ago (and rebuffed by the FCA).

The first is in the threshold for reporting an Operational Incident. The notification threshold, which is predictably vague, is set at the point that the incident “…poses a risk…of causing intolerable levels of harm…”. For the first time in the context of Operational Resilience, the regulators have accepted that once you have caused intolerable harm, the game is up and it’s too late. You need to spark a bit sooner. This brings in the concept of Early Warning Indicators. We’ve suggested this at the consultation phase and were roundly ignored. It’s not as if the regulators don’t understand the concept; threshold triggers have long been expected to be in place at Asset Managers. Aldbury has helped firms identify and embed triggers as we have always believed this is a key way to reduce the chance of Impact Tolerances being breached.

The second notable inclusion came in the Introduction to the Anniversary round up from the FCA. Previously in papers released by the FCA, there has been an implicit inclusion of firms not within scope of the new rules. Subtle use of language has left out the phrase “in-scope” and just things open. This time however, the FCA has been explicit. “However, there is information here that all firms could benefit from considering, even those not in scope of these rules”. This is a clear warning that all firms need to read, understand and put in place proportionate measures to ensure the resilience of their business.

Putting it simply, the FCA has been like an owner of an XL Bully walking past you with the dog on a lead. Worrying but not dangerous. Now, the owner is threatening to slip the leash if he doesn’t like the way you are looking at him. How many Final Notices are there that have said something along the lines that the huge great fine has been made more likely because the firm ignored FCA publications, speeches and other forms of communication?

I’m not going to drone on and on about the detail in all these papers as there are few surprises – communication plans are not properly tested, mapping is not good enough to identify third party and other vulnerabilities and test scenarios are not severe enough leading firms to believe they are invulnerable. This was all predictable (particularly given the feed back to individual firms we have seen following submission of Self-Assessment documents). What was interesting was the note that some firms were using Dashboards to illustrate key metrics to improve Governance. This is something we have developed at Aldbury together with our technology partners, CoBOS Technology and clients have found to be of real value in measuring progress.

We came to Operational Resilience bringing about a century of combined relevant experience to its component parts and we do this because we enjoy it and find it incredibly satisfying to help clients make their firms and by extension, their clients, that little bit safer. Contact us via our website www.aldburyinternational.com to discuss how we can best help you.

Links to Regulators’ documents:

• https://www.fca.org.uk/publications/good-and-poor-practice/operational-resilience-insights-observations-one-year

• https://www.fca.org.uk/publication/finalised-guidance/fg26-3.pdf

• https://www.bankofengland.co.uk/prudential-regulation/publication/2026/march/operational-resilience-incident-reporting-supervisory-statement

• https://www.bankofengland.co.uk/prudential-regulation/publication/2026/march/operational-incident-and-third-party-reporting-policy-statement