What is Operational Resilience and Why Does it Matter?
UK PRA/FCA Policy Statement PS21/3 and EU DORA require firms to map critical business services, set impact tolerances for maximum tolerable disruption, and conduct annual scenario testing to ensure recovery within tolerance periods during systemic shocks.
Key Takeaways
- •UK PRA/FCA Policy Statement PS21/3 and EU DORA require firms to map critical business services and set impact tolerances
- •Impact tolerance setting defines the maximum time a critical service can be disrupted before causing intolerable harm
- •Annual scenario testing including cyber attacks, third-party failures, and pandemic events is mandatory for regulated firms
What is Operational Resilience?
Operational Resilience represents the evolution from traditional business continuity planning to a comprehensive framework ensuring firms can prevent, adapt, respond to, recover from, and learn from operational disruptions. UK regulators (PRA/FCA) and EU regulators (DORA) shifted focus from "Can you survive a shock?" to "How quickly can you recover critical services?" This distinction fundamentally changes board-level governance requirements.
What is Critical Service Mapping?
Critical service mapping identifies important business services, those that, if disrupted, would cause intolerable harm to consumers, market integrity, or financial stability. The mapping process requires identifying important business services based on regulatory criteria, mapping dependencies including people, processes, technology, third parties, and data, setting impact tolerances defining maximum tolerable disruption before intolerable harm occurs, designing resilience measures including redundancy, substitutability, and recovery procedures, and conducting scenario testing at least annually.
Impact tolerance setting answers: What is the maximum time a critical service can be disrupted before causing intolerable harm? For example, if a payroll provider in a secondary jurisdiction goes offline, is the tolerance 24 hours, 48 hours, or 72 hours? The answer determines required resilience investments.
What are the UK Regulatory Requirements?
UK Policy Statement PS21/3 (March 2021) establishes operational resilience requirements for banks, insurers, and designated investment firms. Requirements include identifying important business services, setting impact tolerances for each important business service, mapping dependencies and vulnerabilities, conducting scenario testing at least annually, self-assessment and board attestation of operational resilience framework, and public disclosure of operational resilience approach in annual reports.
The PRA and FCA expect firms to be able to remain within impact tolerances for important business services during severe but plausible scenarios, including cyber attacks, third-party failures, natural disasters, and pandemic events.
What is DORA and How Does it Apply?
The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, establishes a comprehensive ICT risk management framework for EU financial entities. DORA requirements include ICT risk management framework with governance, risk assessment, and control measures, incident reporting to regulators within strict timelines (major incidents within 4 hours), digital operational resilience testing including threat-led penetration testing (TLPT), third-party ICT service provider oversight with contractual arrangements and exit strategies, and information sharing arrangements on cyber threats and vulnerabilities.
Related Topics
Related Intelligence
A UAE trade licence does not open a bank account
The trade licence is issued in days; the bank account is a separate underwriting decision that a large share of new companies fail. A flexi-desk with no registered tenancy, an undocumented source of funds, a vague activity, or an opaque ownership chain is what turns a Dubai account application into a rejection.
Read AnalysisA UAE company’s tax debt can reach its directors on liquidation
Abandoning or liquidating a distressed UAE company does not sever the tax liability. De-registration requires every return filed and every dirham of tax and penalty paid, the wind-up is itself a taxable event, and personal exposure can reach a director through tax evasion and company law.
Read Analysis