The UK Financial Conduct Authority (FCA) has set out new guidelines that UK financial services firms must comply with by 31st March 2025. Ahead of this deadline, they released a series of “insights and observations” to enforce their expectations of in-scope organizations.
Two key areas of note are the impacts on expectations around important business services (IBS) and scenario testing.
Important business services
For the most part, firms have previously taken a technology-first approach to resilience, creating recovery plans to help protect or recover systems. The FCA is now telling firms to take a business-first approach, meaning that every in-scope organization needs to list its IBS, document everything required to support and recover each IBS, and also set an impact tolerance which clearly states the maximum length of time an outage or failure can occur without harming clients or market integrity.
They observed:
“We’ve seen a wide range of impact tolerances identified by firms, with limited rationale for when intolerable consumer harm or a risk to market integrity is reached. This often requires additional clarification from firms to help us to fully understand the impact tolerances set. The full rationale should be included in your self-assessments to ensure your board understands what has been set and why.”
Essentially, the FCA wants greater consistency and for firms to undertake this work in a comprehensive manner. The FCA and Bank of England important business services framework applies to operational resilience and cyber response.
Scenario testing
The FCA handbook is clear about the types of scenarios firms should conduct as part of their testing regime:
“We expect scenario testing and mapping to have matured and developed in sophistication throughout the transition period, enabling you to have greater understanding of your own resilience capabilities. Effective testing plans incrementally increase the severity of disruption by both increasing the number/type of resources unavailable and the length of time of the disruption period to fully understand the effectiveness of the associated response and recovery plan.”
This means that traditional testing regimes will not be sufficient to meet this expectation due to the burden of test planning. Organizations will benefit from solutions that enable them to test more efficiently and thoroughly and report the results of these tests to regulators.
Exercising and testing recovery plans is a key part of understanding whether you can remain within defined impact tolerances for IBS. Specifically, the FCA noted: “Reviews of self-assessments showed limited evidence of the testing of response plans, and firms primarily relied on recovery to understand if they could remain within their impact tolerance.”
Cutover significantly reduces the burden of regular testing and allows for a business-first approach to impact tolerances. Cutover’s SaaS platform with automated runbooks provides automation, orchestration, and visibility while keeping people in the process for decision making. Our automated runbooks help teams standardize and accelerate disaster recovery and regulatory reporting, increasing efficiency and reducing errors.