Operational Resilience: PRA PS21/3 & EU DORA Requirements | Boru Consulting
What is Operational Resilience and Why Does it Matter?
UK PRA/FCA Policy Statement PS21/3 and EU DORA require firms to map critical business services, set impact tolerances for maximum tolerable disruption, and conduct annual scenario testing to ensure recovery within tolerance periods during systemic shocks.
By Ruairi Laughlin-Mccann
Key Takeaways
• UK PRA/FCA Policy Statement PS21/3 and EU DORA require firms to map critical business services and set impact tolerances
• Impact tolerance setting defines the maximum time a critical service can be disrupted before causing intolerable harm
• Annual scenario testing including cyber attacks, third-party failures, and pandemic events is mandatory for regulated firms
What is Operational Resilience?
Operational Resilience represents the evolution from traditional business continuity planning to a comprehensive framework ensuring firms can prevent, adapt to, respond to, recover from, and learn from operational disruptions. UK regulators (the PRA and FCA) and the EU, through DORA, shifted the focus from "Can you survive a shock?" to "How quickly can you recover critical services?" This distinction fundamentally changes board-level governance requirements.
What is Critical Service Mapping?
Critical service mapping identifies important business services: those that, if disrupted, would cause intolerable harm to consumers, market integrity, or financial stability. The mapping process requires:
• Identifying important business services based on regulatory criteria
• Mapping dependencies, including people, processes, technology, third parties, and data
• Setting impact tolerances that define the maximum tolerable disruption before intolerable harm occurs
• Designing resilience measures, including redundancy, substitutability, and recovery procedures
• Conducting scenario testing at least annually
Impact tolerance setting answers one question: what is the maximum time a critical service can be disrupted before causing intolerable harm? For example, if a payroll provider in a secondary jurisdiction goes offline, is the tolerance 24 hours, 48 hours, or 72 hours? The answer determines the resilience investments required.
What are the UK Regulatory Requirements?
UK Policy Statement PS21/3 (March 2021) establishes operational resilience requirements for banks, insurers, and designated investment firms. Requirements include:
• Identifying important business services
• Setting impact tolerances for each important business service
• Mapping dependencies and vulnerabilities
• Conducting scenario testing at least annually
• Self-assessment and board attestation of the operational resilience framework
• Public disclosure of the operational resilience approach in annual reports
The PRA and FCA expect firms to be able to remain within impact tolerances for important business services during severe but plausible scenarios, including cyber attacks, third-party failures, natural disasters, and pandemic events.
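As an added worked example (not code from the original article or from Boru Consulting), the following Python sketch turns the mapping-plus-tolerance approach described above into a check that can be run: a constructed dependency map for a hypothetical firm, with illustrative recovery times and impact tolerances, is evaluated against a scenario (a set of failed components) to see whether each important business service would be restored within its tolerance. Every component name, recovery time and tolerance here is an assumption chosen for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Component:
    """A mapped dependency: people, process, technology, third party or data."""
    name: str
    kind: str
    recovery_hours: float  # time to restore this component once its own upstream is back
    depends_on: list = field(default_factory=list)

@dataclass
class BusinessService:
    """An important business service and its impact tolerance (max tolerable disruption)."""
    name: str
    tolerance_hours: float
    depends_on: list = field(default_factory=list)

# Constructed dependency map for a hypothetical firm; all values are illustrative.
COMPONENTS = {c.name: c for c in [
    Component("data_centre", "technology", 12.0),
    Component("core_banking", "technology", 8.0, ["data_centre"]),
    Component("payments_gateway", "technology", 6.0, ["core_banking"]),
    Component("payroll_provider", "third_party", 36.0),
]}
SERVICES = [
    BusinessService("Salary payments", 24.0, ["payroll_provider", "payments_gateway"]),
    BusinessService("Retail payments", 12.0, ["payments_gateway"]),
]

def time_to_restore(name, components, failed, memo):
    """Hours until `name` is usable again: a failed component is restored only after
    its upstream dependencies; an unaffected one just waits for them. Assumes no cycles."""
    if name not in memo:
        comp = components[name]
        upstream = max((time_to_restore(d, components, failed, memo)
                        for d in comp.depends_on), default=0.0)
        memo[name] = upstream + (comp.recovery_hours if name in failed else 0.0)
    return memo[name]

def run_scenario(services, components, failed):
    """Evaluate one severe-but-plausible scenario (set of failed component names).
    Returns {service name: (disruption_hours, within_tolerance)}."""
    memo, results = {}, {}
    for svc in services:
        disruption = max((time_to_restore(d, components, failed, memo)
                          for d in svc.depends_on), default=0.0)
        results[svc.name] = (disruption, disruption <= svc.tolerance_hours)
    return results

if __name__ == "__main__":  # the page's "payroll provider goes offline" scenario
    print(run_scenario(SERVICES, COMPONENTS, {"payroll_provider"}))
```

Running several scenarios (single third-party outage, data centre loss, combined failures) against the same map is the annual scenario-testing exercise in miniature: any service whose disruption exceeds its tolerance is where resilience investment or a tighter tolerance is needed.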
What is DORA and How Does it Apply?
The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, establishes a comprehensive ICT risk management framework for EU financial entities. DORA requirements include:
• An ICT risk management framework with governance, risk assessment, and control measures
• Incident reporting to regulators within strict timelines (major incidents within 4 hours)
• Digital operational resilience testing, including threat-led penetration testing (TLPT)
• Third-party ICT service provider oversight, with contractual arrangements and exit strategies
• Information sharing arrangements on cyber threats and vulnerabilities
“Modern governance requires moving beyond financial auditing to operational resilience.”