The Bank of England, the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA) have published policy documents on operational resilience, which are the results of a long-running consultation period.

The regulators issued a number of documents on March 29th 2021, including:

Documents for the above two areas can be downloaded from here.

The policies become effective on Thursday 31st March 2022.

The FCA’s parallel operational resilience Policy Statement, PS21/3 ‘Building operational resilience: Feedback to CP19/32 and final rules’ also comes into force on 31st March 2022. The FCA says that by then regulated firms must have identified their important business services, set impact tolerances for the maximum tolerable disruption and carried out mapping and testing ‘to a level of sophistication necessary to do so’. Firms must also have identified any vulnerabilities in their operational resilience. As soon as possible after 31st March 2022, and no later than 31st March 2025, firms ‘must have performed mapping and testing so that they are able to remain within impact tolerances for each important business service. Firms must also have made the necessary investments to enable them to operate consistently within their impact tolerances’. 

The PRA also published SS2/21 ‘Outsourcing and third party risk management’, a Supervisory Statement that sets out the PRA’s expectations of how PRA-regulated firms should comply with regulatory requirements and expectations relating to outsourcing and third party risk management. This complements the requirements and expectations set out in the above operational resilience documents.