31 March 2025 wasn't a planning milestone. It was the hard deadline by which every UK financial services firm must prove its critical business services can stay operational during severe but plausible disruptions. The FCA and PRA's Policy Statement PS21/3 gave firms a three-year runway. That runway closed in March 2025.

If your firm hasn't completed impact tolerances testing, mapped dependencies to the component level, and documented scenario-based evidence of resilience, you're not preparing for compliance — you're preparing for a difficult supervisory conversation. The regulators have been explicit: they expect firms to have moved beyond planning into demonstrable operational capability.

This isn't theoretical risk. The FCA's 2024 review of firms' self-assessments found widespread gaps in dependency mapping and scenario testing rigour. Boards that treated operational resilience as a tick-box exercise are now discovering the difference between having a framework and proving it works. This post sets out what PS21/3 requires in practice, where the common gaps remain, and how to close them.

What PS21/3 actually requires

The operational resilience framework under PS21/3 (published March 2021) requires firms to identify their important business services — those whose disruption could cause harm to consumers, market integrity, or the firm's own safety and soundness. For each service, firms must set impact tolerances: the maximum tolerable disruption before harm becomes unacceptable.

By 31 March 2025, firms must demonstrate they can remain within these impact tolerances during severe but plausible scenarios. This means:

  • Complete mapping of resources supporting each important business service — people, technology, data, facilities, and third parties, at the component level
  • Scenario testing that proves recovery within stated tolerances, not just plans that claim it
  • Documented evidence of lessons learned and remediation actions from testing
  • Board-level accountability with clear escalation paths and named responsible executives

The FCA's supervisory approach document SS1/21 makes clear that "remain within impact tolerances" means tested, evidenced capability — not aspirational statements in a policy document. A firm that cannot produce testing evidence that matches its stated tolerances is non-compliant, regardless of how thorough the policy is.

Why CISOs are on the hook

Operational resilience sits at the intersection of business continuity, third-party risk, and cybersecurity. For most financial services firms, technology failure is the most likely cause of severe disruption to important business services. That makes the CISO's domain central to compliance.

The FCA expects firms to have identified vulnerabilities in their operational resilience and either remediated them or have credible plans to do so. Cyber risk scenarios — ransomware affecting core systems, cloud provider outages, data integrity attacks — must feature in testing programmes. If your scenario library doesn't include cyber events, your testing is incomplete. The FCA's 2024 review specifically noted that cyber scenario testing remains the weakest area across the firms it assessed.

Third-party concentration risk is another CISO responsibility. The FCA has flagged concerns about firms' reliance on a small number of critical technology providers. If your important business services depend on a single cloud platform or a key fintech partner, you need documented evidence of how you'd maintain service if that provider failed. This goes beyond a contractual SLA — you need technical evidence of failover capability, data portability, and alternative provider onboarding timelines.

The incoming Cyber Security and Resilience Bill will further extend the CISO's responsibilities, introducing NIS-style incident reporting obligations for in-scope entities and managed service providers. Firms that have embedded operational resilience governance will find this transition smoother than those treating it as a standalone project.

Common failures the FCA is already flagging

The FCA's Dear CEO letters and supervisory findings have highlighted recurring weaknesses. Avoid these:

Vague impact tolerances. Stating "service will be restored within 24 hours" without defining what "restored" means operationally, or what degraded service is acceptable during recovery, won't satisfy supervisors. Impact tolerances must be specific, measurable, and tied to consumer harm thresholds. "Restored" means different things for a payment system than for a customer portal — define it per service.

Incomplete dependency mapping. Many firms mapped their technology estate but stopped at first-tier suppliers. The FCA expects visibility into sub-contractors and fourth parties where they support important business services. If your payments platform depends on a third party whose infrastructure runs on a specific cloud region, that's a dependency you must document and test.

Testing that doesn't stress the system. Tabletop exercises have value, but they're not sufficient. The regulators want evidence of live or near-live testing that validates actual recovery capability. If your last test was a workshop where participants discussed what they would do, you haven't met the standard. At minimum, firms should run one technical testing exercise per important business service per year.

Treating this as a one-off project. PS21/3 requires ongoing resilience capability, not a point-in-time compliance exercise. Firms must embed operational resilience into change management, supplier onboarding, and technology decisions. The March 2025 deadline was the beginning of sustained regulatory scrutiny, not the end.

What to prioritise now

If your programme has gaps, focus remediation efforts where supervisors will look first:

Evidence packs for each important business service. Compile testing results, dependency maps, impact tolerance definitions, and remediation logs into auditable documentation. If a supervisor asks for evidence tomorrow, you should be able to produce it within hours, not weeks. Each evidence pack should tell a coherent story: this is the service, these are its dependencies, this is how we tested it, this is what we found, this is what we fixed.

Board attestation. Ensure your board has formally reviewed and approved the operational resilience self-assessment. The FCA expects board-level ownership, not delegation to operational committees. The board must understand what the impact tolerances mean and what the consequences of breach would be for customers and the firm.

Remediation roadmaps for known gaps. If testing revealed vulnerabilities you haven't yet fixed, document a credible remediation plan with timelines and resource allocation. The FCA accepts that some remediation may extend beyond the initial deadline — but only if you've identified the gaps, assessed the risk, and committed to addressing them with named owners and dates.

Third-party assurance. For critical suppliers, confirm you have contractual rights to audit, documented exit strategies, and evidence of their own resilience testing. Generic supplier questionnaires won't demonstrate the depth of due diligence the FCA expects. Request and review your critical suppliers' own testing evidence.

Frequently asked questions about FCA operational resilience

Does PS21/3 apply to all FCA-regulated firms?

PS21/3 applies to all FCA-authorised firms, though the detailed requirements are proportionate to the firm's size and complexity. Smaller firms with fewer important business services have a lighter compliance burden, but the core obligations — identifying important business services, setting impact tolerances, testing, and board attestation — apply to all. The FCA has confirmed there is no size-based carve-out from the framework.

How often must we test operational resilience?

The FCA does not prescribe a specific testing frequency, but expects testing to be conducted at a frequency that provides reasonable assurance that impact tolerances can be met. Most firms run scenario tests annually, with more frequent testing for the most important business services. The FCA's 2024 review noted that firms testing less often than annually struggled to provide convincing evidence of ongoing resilience.

What happens if we fail to meet an impact tolerance during testing?

A failure to meet an impact tolerance is not necessarily a regulatory breach — it becomes one only if the firm fails to identify the gap, remediate it, or document a credible remediation plan. The FCA expects transparency: firms that identify gaps during testing and address them are in a stronger position than those that avoid testing for fear of finding gaps.

How Pyralink supports FCA operational resilience compliance

Pyralink Innovation Ltd works with UK financial services firms to close operational resilience gaps before regulatory scrutiny exposes them. Led by Michael Adedeji (CISM, CISA, CC, MSc Data Science), our team brings hands-on experience mapping technology dependencies, designing scenario tests, and preparing evidence packs that satisfy supervisory expectations.

Our CloudAuditX platform identifies cloud configuration risks and third-party dependencies across AWS, Azure, and GCP — the kind of infrastructure visibility PS21/3 requires but many firms lack. Our fractional vCISO service (from £497/month) provides senior security leadership to firms that need expertise without permanent headcount. We hold £5M professional indemnity insurance and work exclusively with clients who take compliance seriously.

If your operational resilience programme has gaps, the time to address them was before the deadline — but the next best time is now.
