Operational Resilience Policy

What lessons can be learned from the first round of scenario testing?

On 31 March, the PRA/FCA’s landmark Operational Resilience Policy will come into full force. This means all large UK financial institutions will be required to:

  • Identify their Important Business Services (IBSs).
  • Map the resources (people, property, third parties, data, technology) to each IBS.
  • Set associated impact tolerances for each IBS, identifying the point where disruption would cause intolerable harm to customers, the firm’s financial stability, or the wider market.
  • Begin testing their ability to stay within impact tolerances using severe but plausible scenarios.
  • Document methodologies, results, and next steps in their self-assessment.
  • Begin remediation of identified vulnerabilities to be completed by March 2025.
  • Start implementing their plan.

Firms are at various stages in their compliance journey and have taken different approaches to defining IBSs, mapping resources, setting impact tolerances, and conducting scenario testing.

Over the last year, Beyond Blue has worked closely with financial sector clients to develop and implement robust scenario testing programmes. This bulletin shares key lessons learned from that process.

Beyond Blue’s Two-Bucket Approach

Beyond Blue separates scenarios into two categories:

  1. IBS-Specific Scenarios – Designed to test whether individual IBSs can remain within impact tolerances. These scenarios are based on mapped resources critical to the availability and integrity of that IBS.
  2. IBS-Agnostic Scenarios – Developed by identifying critical assets that support multiple IBSs, focusing on business infrastructure, zero-day ransomware, and third-party dependencies.

IBS-specific testing helps identify scenarios where firms can stay within tolerances and where they cannot. IBS-agnostic testing highlights severe scenarios requiring the coordinated recovery of multiple IBSs. Using both approaches delivers stronger, more durable resilience.

LESSON 1: Scenario Testing is Only as Good as Your Resource Mapping

Accurate and reliable resource mapping is essential. Scenarios must be based on up-to-date and detailed information about essential resources, including upstream and downstream dependencies.

Resource mapping helps identify single points of failure and model impact. Understanding the “handshake” between IBSs and infrastructure is key when testing infrastructure scenarios. Inaccurate maps produce unreliable results, giving a false sense of resilience.

LESSON 2: Define “Critical” Consistently

Criticality means that if a resource becomes unavailable or its integrity is compromised, it will disrupt delivery of the IBS to one or more customers. This is a low threshold, and it must be applied consistently across the organisation.

Avoid reverting to volumetric or likelihood-based definitions, which can lead to overlooking scenarios that may cause unacceptable harm. Keep the interests of all clients and customers at the forefront.

LESSON 3: Testing Reveals Truly Critical IBSs and Informs Recovery Sequencing

While IBS-specific testing focuses on individual services, aggregated mapping can reveal concentration risks and interdependencies between IBSs.

Infrastructure scenarios (e.g., ransomware, major data corruption) can highlight which IBSs must be prioritised for recovery and the sequence for rebuilding infrastructure. This insight can guide architecture redesign, customer treatment planning, and substitution strategies during recovery.
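As an added example (not from the bulletin or Beyond Blue's own material), the following Python models a small IBS resource map of the kind Lesson 1 calls for, then uses it to surface the shared dependencies and recovery ordering described above. The IBS names, resources, upstream links and impact tolerances are all constructed for illustration.

```python
from collections import defaultdict

# Constructed map: each Important Business Service -> resources it directly uses.
IBS_RESOURCES = {
    "Retail Payments":    {"payments-engine", "core-banking-db", "branch-staff"},
    "Mortgage Servicing": {"mortgage-platform", "core-banking-db", "print-vendor"},
    "Online Banking":     {"web-frontend", "identity-service", "core-banking-db"},
}
# Constructed upstream dependencies: resource -> resources it needs to run.
UPSTREAM = {
    "payments-engine":   {"identity-service", "dc-london"},
    "mortgage-platform": {"dc-london"},
    "web-frontend":      {"identity-service", "dc-london"},
    "identity-service":  {"dc-london"},
    "core-banking-db":   {"dc-london"},
    "print-vendor": set(), "branch-staff": set(), "dc-london": set(),
}
# Constructed impact tolerances: maximum tolerable outage per IBS, in hours.
TOLERANCE_HOURS = {"Retail Payments": 4, "Online Banking": 8, "Mortgage Servicing": 48}


def transitive_resources(ibs):
    """Every resource an IBS depends on, following upstream links to the end."""
    seen, stack = set(), list(IBS_RESOURCES[ibs])
    while stack:
        res = stack.pop()
        if res not in seen:
            seen.add(res)
            stack.extend(UPSTREAM.get(res, ()))
    return seen


def concentration():
    """Resource -> set of IBSs that transitively depend on it.
    A resource serving more than one IBS is a candidate for an IBS-agnostic
    scenario; one serving all of them is a concentration risk."""
    hits = defaultdict(set)
    for ibs in IBS_RESOURCES:
        for res in transitive_resources(ibs):
            hits[res].add(ibs)
    return dict(hits)


def recovery_sequence(resource):
    """For a lost resource, list the affected IBSs tightest tolerance first:
    the order in which recovery has to restore them."""
    affected = concentration().get(resource, set())
    return sorted(affected, key=lambda ibs: TOLERANCE_HOURS[ibs])
```

Running `recovery_sequence("dc-london")` on this map shows the single data centre behind every IBS, which is exactly the kind of finding that changes architecture and recovery-sequencing decisions.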

LESSON 4: Shift from a Risk to a Resilience Mindset

A common cultural challenge is the tendency to take a risk-based approach — assuming existing preventative controls make severe scenarios unlikely. However, resilience requires planning for plausible low-probability events where multiple controls fail.

Before ransomware’s surge in 2015, many underestimated such threats. Preventive investment remains important, but firms must also invest in recovery capability. Balance a protective mindset with readiness to respond and recover.

Looking towards the next round

Post-March 2022, regulators will review each firm’s approach and share good practices in late 2022 or 2023. In the meantime, firms should focus on:

1. Moving Towards More IBS-Agnostic Process Mapping and Testing

With initial resource mapping and IBS-specific testing done, the next phase should focus on infrastructure and complex cyber/data integrity scenarios. While the number of tests may decrease, the depth of analysis will increase.

2. Ensuring Scenario Testing Delivers Value

Ask two questions for each scenario:

  • Will it provide a new perspective on potential failures and client impact?
  • Will it reveal new vulnerabilities or recovery requirements?

Coordinate with transformation programmes to avoid duplicate remediation work and to embed resilience thinking early.

3. Managing Tensions Between Resilience and Other Organisational Objectives

Resilience measures can conflict with optimisation or risk reduction efforts. For example, reducing the number of data centres may cut costs but create concentrated points of failure. Maintaining IBS delivery after an incident might require disabling certain controls, increasing risk. Such tensions should be addressed openly.

Final thoughts

The Operational Resilience Policy aims to shift focus from preventing incidents to operating through them. With rising cyber threats, the aftershocks of the pandemic, and geopolitical instability, resilience has never been more critical.
