
FCA Operational Resilience Findings: Resilience Is Not Static 

It has now been almost a year since the FCA’s operational resilience transition deadline on 31 March 2025. By that date, firms were expected to complete mapping and testing activities to demonstrate they could remain within impact tolerances during severe but plausible disruption scenarios. 


The FCA’s latest publication, Operational resilience: insights and observations one year on, provides one of the clearest indicators yet of how regulators are assessing operational resilience maturity across UK financial services firms. 

The findings show that while many organisations have made strong progress, there are still significant gaps in governance, testing, third-party risk, and evidence-based assurance. Most importantly, the FCA makes clear that operational resilience is not a one-off compliance exercise — it must continuously evolve alongside changing threats, technologies, and operational dependencies. 


Key Findings from the FCA

1. Firms Have Improved, But Regulators Expect More Maturity

The FCA acknowledged that firms have invested heavily in strengthening operational resilience, particularly around: 

  • mapping important business services, 
  • scenario testing, 
  • cyber recovery capabilities, 
  • and third-party risk management. 

However, the regulator also highlighted that many firms still lack sufficient evidence that their resilience measures would hold up during genuinely severe disruption. 

2. Scenario Testing Remains a Weak Spot

One of the FCA’s strongest observations was that some firms claimed they could recover from all scenarios without demonstrating sufficiently severe testing to validate those assumptions. 

The FCA expects firms to test: 

  • cyber attacks, 
  • cloud outages, 
  • third-party failures, 
  • communications disruption, 
  • and operational failures 

using realistic, evidence-based scenarios tied to business impact. 

3. Third-Party Risk Is Under Growing Scrutiny

The FCA repeatedly referenced the importance of understanding dependencies on: 

  • cloud providers, 
  • suppliers, 
  • outsourced providers, 
  • and operational partners. 

Many firms have improved their mapping and oversight processes, but regulators believe more work is needed to identify and remediate vulnerabilities across the supply chain. 

4. Governance and Board Accountability Matter

The regulator placed significant emphasis on board oversight and executive accountability. 

The FCA expects boards to: 

  • understand resilience risks, 
  • review evidence-based self-assessments, 
  • challenge assumptions, 
  • and oversee remediation activity. 

Firms with unclear ownership, weak governance trails, or limited executive engagement were identified as areas of concern. 

5. Operational Resilience Is No Longer Static

Perhaps the most important takeaway from the FCA’s publication is that resilience must become continuous and adaptive. 

The regulator explicitly states: 

“Operational resilience is not static.” 

That reflects the reality facing modern financial services firms: 

  • threat landscapes evolve, 
  • infrastructures change, 
  • dependencies expand, 
  • and risk assumptions age quickly. 

Point-in-time assurance is no longer enough.

Strategic Takeaways for COOs and CTOs

For COOs and CTOs, the FCA’s findings point to a broader strategic shift. 

Operational resilience is moving beyond compliance and becoming a core business capability tied directly to: 

  • operational continuity, 
  • customer trust, 
  • regulatory confidence, 
  • and organisational stability. 

Three priorities should now be front of mind: 

1. Continuously Validate Resilience

Annual testing and static documentation are no longer sufficient. As environments change, point-in-time assurance is quickly outdated. Firms should regularly validate: 

  • recovery capabilities, 
  • incident response processes, 
  • third-party resilience, 
  • communications plans, 
  • and operational dependencies. 

Practical next step: 

Continuous validation through regular penetration testing, vulnerability management, and resilience exercises is becoming increasingly important for firms operating in regulated environments. FoxTech provides continuous penetration testing subscriptions and always-on SOC services designed to help firms identify emerging risks before they become operational issues. 

2. Focus on Evidence, Not Assumptions

The FCA is increasingly focused on demonstrable assurance. Organisations should be able to evidence: 

  • testing outcomes, 
  • remediation actions, 
  • governance oversight, 
  • and resilience improvements. 

Confidence without validation creates operational risk. 

Practical next step: 

Boards and regulators increasingly expect evidence-based assurance. Mature firms are investing in centralised reporting, vulnerability tracking, and continuous monitoring capabilities that provide clearer visibility into operational resilience posture and remediation progress. FoxTech’s UK-based SOC helps firms centralise monitoring, vulnerability management, and evidence-based reporting into a single operational capability managed by experienced security specialists. 


3. Embed Resilience Into Operational Strategy

The most mature firms are integrating resilience into: 

  • transformation programmes, 
  • technology strategy, 
  • product delivery, 
  • and business planning. 

Operational resilience should not sit separately from the business — it should support how the organisation operates, grows, and manages risk. 

Practical next step: 

Operational resilience is becoming a cross-functional leadership issue rather than purely an IT responsibility. Many firms are using vCISO services, resilience workshops, and governance reviews to align operational, technology, and compliance stakeholders around a shared resilience strategy. 

Final Thoughts

The FCA’s observations show that UK financial services firms have made meaningful progress over the last year. But they also make clear that resilience maturity will increasingly be measured not by the controls firms say they have, but by their ability to prove they can withstand disruption under real conditions. 

For COOs and CIOs, the challenge now is ensuring resilience becomes an ongoing operational capability — not a completed compliance project. 

In an environment of increasing operational complexity and regulatory scrutiny, continuous validation is rapidly becoming the new standard for resilience.