The FCA's operational resilience deadline has already passed for self-assessment, but the harder deadline is still ahead. By 31 March 2025, firms in scope of PS21/3 must be able to remain within their impact tolerances for each important business service through severe but plausible disruption. That is not a paper exercise. It is an operational standard the FCA will test against real incidents.

We are now in the final stretch. Most firms our team works with have completed the easy parts — naming a few important business services, drafting impact tolerances, running a tabletop. The hard part is the mapping. Specifically: tracing each important business service end-to-end across people, processes, technology, facilities, third parties and data, and proving you can stay within tolerance when one of those links breaks.

This post is for the compliance leads and COOs still working through that mapping. The clock is short. Here is what matters.

What PS21/3 Actually Requires

PS21/3 was published jointly by the FCA, PRA and Bank of England in March 2021. It applies to banks, building societies, PRA-designated investment firms, insurers, Recognised Investment Exchanges, enhanced scope SMCR firms, and entities under the Payment Services Regulations 2017 and E-Money Regulations 2011. If you are unsure whether you are in scope, check the FCA Handbook SYSC 15A directly — do not rely on summaries.

The FCA operational resilience requirements break down into four obligations. Identify your important business services. Set an impact tolerance for each, expressed as the maximum tolerable disruption. Map the resources supporting each service. Test your ability to remain within tolerance under severe but plausible scenarios.

The March 2025 deadline is the point by which firms must have performed the mapping and testing necessary to remain within impact tolerances. It is not a "we will get there" date. It is a "we are there" date.

Identifying Important Business Services Properly

An important business service is one whose disruption could cause intolerable harm to consumers or pose a risk to market integrity. That definition does the work. Many firms get this wrong by listing internal functions — payroll, HR systems, internal reporting — as important business services. They are not. They are supporting activities.

The test is external. Who suffers when this service stops? A retail customer who cannot access funds. A counterparty unable to settle. A market participant deprived of pricing. If the harm is internal inconvenience, it is not an important business service under PS21/3.

Keep the list tight. Our consultants have seen firms with over forty named important business services — unmanageable, and a sign that the firm has confused services with systems. Most mid-sized firms land between five and fifteen. Larger banks may have more, but each one should survive scrutiny against the harm test.

Setting Impact Tolerances That Hold Up

An impact tolerance is the maximum tolerable duration or extent of disruption. It must be specific, measurable, and defensible. "As soon as possible" is not a tolerance. "Within four hours of disruption commencing" is.

The number must be grounded. The FCA expects to see evidence — customer harm analysis, market impact assessment, regulatory consequence modelling — supporting the figure. If your impact tolerance for payment processing is 24 hours, be ready to explain why 25 hours would cause intolerable harm but 24 would not.

Two practical points. First, set tolerances at the service level, not the system level. A payment service may depend on five systems; the tolerance applies to the customer outcome, not any single component. Second, the tolerance is the outer limit. Internal recovery objectives should be tighter.

The Mapping Work — Where Most Firms Are Behind

Mapping against impact tolerances is the obligation that separates compliant firms from the rest. For each important business service, you need to identify and document every resource it depends on:

  • People — named roles, key person dependencies, succession arrangements
  • Processes — the workflow from initiation to customer outcome
  • Technology — applications, infrastructure, network paths, data stores
  • Third parties — outsourcers, cloud providers, market infrastructure, telephony
  • Facilities and data — premises, data flows, data classifications

The mapping must be detailed enough to identify single points of failure. If a service depends on one engineer, one data centre, or one third party with no fallback, that is a vulnerability that must be remediated or accepted at board level.

Then you test. Severe but plausible scenarios — ransomware encrypting your core platform, a critical third party failing for 72 hours, simultaneous loss of a data centre and a key supplier. Tabletop exercises are a starting point, not the endpoint. The FCA expects evidence of live testing where feasible.
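One way to make the mapping and testing steps above concrete is to hold the resource map as structured data rather than a spreadsheet, so single points of failure can be listed mechanically and a severe-but-plausible scenario can be scored against the service-level tolerance. The following is an added example, not Pyralink's tooling or the FCA's method; the service, its resources, the recovery and failover times and the 4-hour tolerance are all constructed for illustration, and the model assumes lost resources are recovered in parallel (service disruption is the longest single recovery).

```python
"""Added example: a toy resource map for one important business service, with
single-point-of-failure detection and scenario testing against the impact
tolerance. Every name and number below is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Resource:
    name: str
    category: str                 # people / process / technology / third_party / facility / data
    recovery_hours: float         # hours to rebuild this resource if it is lost with no fallback
    fallback: Optional[str] = None  # name of the alternative that takes over, if one exists
    failover_hours: float = 0.0   # hours to switch to the fallback when it is still available


@dataclass
class Service:
    name: str
    tolerance_hours: float        # impact tolerance, set at the service level (customer outcome)
    resources: Dict[str, Resource]


def build_faster_payments() -> Service:
    """Constructed sample map for a hypothetical outbound payments service."""
    resources = [
        Resource("payments-engine", "technology", recovery_hours=12, fallback="dr-site", failover_hours=1),
        Resource("core-banking-db", "technology", recovery_hours=8, fallback="replica", failover_hours=0.5),
        Resource("swift-gateway", "third_party", recovery_hours=72),          # no fallback: a SPOF
        Resource("ops-lead", "people", recovery_hours=48, fallback="deputy", failover_hours=2),
        Resource("primary-dc", "facility", recovery_hours=24, fallback="secondary-dc", failover_hours=3),
    ]
    return Service("faster-payments", tolerance_hours=4, resources={r.name: r for r in resources})


def single_points_of_failure(service: Service) -> list:
    """Resources with no documented fallback: remediate or accept at board level."""
    return sorted(r.name for r in service.resources.values() if r.fallback is None)


def disruption_hours(service: Service, lost: Set[str]) -> float:
    """Longest recovery among the resources lost at once (parallel recovery assumed).

    A lost resource whose fallback is still available costs only its failover time;
    if the fallback is also in the lost set (e.g. both data centres), it costs the
    full rebuild time. Names in `lost` that are only fallbacks, not mapped resources,
    simply disable the fallback they name.
    """
    worst = 0.0
    for name in lost:
        r = service.resources.get(name)
        if r is None:
            continue
        if r.fallback is not None and r.fallback not in lost:
            hours = r.failover_hours
        else:
            hours = r.recovery_hours
        worst = max(worst, hours)
    return worst


def within_tolerance(service: Service, lost: Set[str]) -> bool:
    return disruption_hours(service, lost) <= service.tolerance_hours


def run_scenarios(service: Service, scenarios: Dict[str, Set[str]]) -> Dict[str, dict]:
    """Score each named scenario; the result is the evidence table a tester would keep."""
    report = {}
    for label, lost in scenarios.items():
        hours = disruption_hours(service, lost)
        report[label] = {
            "lost": sorted(lost),
            "hours": hours,
            "within_tolerance": hours <= service.tolerance_hours,
        }
    return report


if __name__ == "__main__":
    svc = build_faster_payments()
    print("single points of failure:", single_points_of_failure(svc))
    scenarios = {
        "ransomware on core platform": {"payments-engine", "core-banking-db"},
        "critical third party down 72h": {"swift-gateway"},
        "lose both data centres": {"primary-dc", "secondary-dc"},
    }
    for label, row in run_scenarios(svc, scenarios).items():
        print(f"{label}: {row['hours']}h -> {'OK' if row['within_tolerance'] else 'BREACH'}")
```

The two scenarios that breach tolerance in this constructed map are exactly the cases the post warns about: a third party with no fallback, and simultaneous loss of a resource and the thing it fails over to. Re-running the scoring after each material change to systems or suppliers is what keeps the map current rather than a one-off document.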

Common Mistakes We See in the Final Six Months

Three patterns repeat across firms approaching the deadline. First, treating mapping as a one-off document. It is not. Maps must be kept current — every material change to systems, suppliers or processes triggers a refresh. Second, under-testing third-party dependencies. Most firms test their own recovery but assume providers will perform. The FCA expects you to verify, not assume. Third, weak board engagement. Self-assessments signed off without genuine board challenge will not survive supervisory scrutiny.

One more: confusing operational resilience with business continuity. BCP is about restoring operations. Operational resilience is about not breaching customer-facing tolerances in the first place. The mindset is different.

How Pyralink Helps

Pyralink Innovation Ltd works with FCA-regulated firms on operational resilience programmes from mapping through testing and board reporting. Led by Michael Adedeji (CISM, CISA, CC, MSc Data Science), our team brings hands-on experience implementing PS21/3-aligned controls in production environments — not theoretical advice.

Our fractional vCISO service (from £497/month) gives firms senior security and resilience leadership without a full-time hire. CloudAuditX, our multi-cloud auditing platform, surfaces the technology dependencies and configuration risks that should feed directly into your mapping evidence. We also support ISO 27001 alignment, third-party risk assessment, and severe-but-plausible scenario testing. Pyralink carries £5M professional indemnity insurance.

If the March 2025 deadline is closer than your mapping is complete, talk to us this quarter.

Run a free CloudAuditX scan →

Book a free security review →