One year in: The FCA's Operational Resilience Report
If you are responsible for operational resilience in a financial institution, this publication from the FCA is the most useful piece of regulatory guidance you will read this quarter. Not because it introduces new requirements, but because it shows you, in concrete terms, what supervisors actually look for when they assess whether your resilience programme works in practice. And for those of us working with DORA, the patterns are remarkably consistent.
The FCA has just published its first annual review of firms' operational resilience self-assessments, nearly a year after the March 2025 compliance deadline. The headline is broadly positive: firms have done the work. Mapping is in place, governance structures exist, and scenario testing is happening. But the good-practice observations sit alongside a set of gaps that feel very familiar to anyone who has reviewed resilience programmes up close.
Here is what stands out, and what it means for your programme.
Mapping has narrowed onto technology. Third parties remain underworked.
The FCA found that firms tend to document the IT systems supporting important business services while underweighting people, facilities, processes, and information as resources in scope. On top of that, third-party dependencies have not been assessed with sufficient rigour. There is, in the FCA's words, more work to do on identifying, assessing, and remediating third-party vulnerabilities.
This is a pattern we see repeatedly. Technology is visible and auditable. People dependencies, manual workarounds, and knowledge held in individuals are harder to map and easier to defer. Third-party resilience is harder still, because you are dependent on what your counterparts are willing to share and test. The result is a resilience picture that looks complete on paper but has blind spots where it matters most in an actual incident.
Scenario testing is designed to succeed. That is the wrong instinct.
Some firms state in their self-assessments that there is no scenario from which they could not recover, without producing evidence of having tested anything sufficiently severe to challenge that claim. This is the scenario testing equivalent of auditing your own homework.
The most resilient organisations deliberately try to break their own plans. They design scenarios they might fail, precisely because failure reveals what comfortable testing conceals.
Communications plans exist on paper. They have not been tested under pressure.
Strong firms show how their communications approach reduces harm during an incident, not just that a plan exists. Weaker examples show plans that have never been tested as part of an exercise, and no contingency for losing primary communication channels during the disruption itself.
Impact tolerances lack the differentiation supervisors expect.
The FCA singles out the lack of distinct tolerances for consumer harm versus market integrity. These are different things and they may require different responses during an incident. Collapsing them into a single threshold can give a misleading picture of actual exposure.
Why this matters beyond the UK
From my perspective at Decision Focus, these observations map closely onto what we see in DORA readiness assessments across Nordic financial institutions. The terminology differs but the substance does not. DORA's requirements around critical or important functions, ICT incident classification, and third-party resilience testing present firms with the same fundamental challenge: translating a compliance framework into operational practice that holds under real pressure.
The FCA is being explicit about what good looks like. That is useful. The task now is for financial institutions to close the gap between self-assessment that satisfies governance review and resilience that actually works when something goes wrong.
The full FCA publication is available here.
At Decision Focus, we work with regulated financial institutions across the UK and Nordics to build resilience programmes that stand up to supervisory scrutiny – and to real incidents. If the FCA's findings have raised questions about your own programme, we are happy to talk. Book a conversation here.