Stress-Tested for Reality: Beyond Paper Plans

Author: Priscilla Gaudoin - Head of Risk & Compliance - published May 2025

Topics: Resilience, Accountability, Governance, Culture

Regions and Regulators: UK, FCA, PRA, Bank of England

In a recent blog, the UK’s FCA strikes a frank and open tone: operational resilience is not a box-ticking exercise. This is a message that has been sent before, and we hear it again in this blog issued on 15th April 2025.

Operational resilience is business critical. The FCA’s blog, Operational Resilience: Beyond Regulatory Raincoats, is a call to rethink risk, recovery and responsibility in the face of mounting geopolitical, technological and systemic stressors.

What's new?

While the UK’s operational resilience rules came into force in 2022, this blog marks a shift in how the regulator will now assess firms.

Figure 1: Four areas of supervisory assessment

Firms should note the following areas:

Focus on real-world results:

Firms should be able to demonstrate that their resilience frameworks work under realistic stress, not just theory. This requires collaboration across a firm and externally where third parties are involved.

Put planning first:

Incidents are inevitable; what matters is how firms prepare, respond, learn and communicate. Raising awareness across the business enables firms to respond better.

Clarity about required actions:

There is a clear emphasis on actionable recovery, challenging firms to prove that their response plans would actually work in a crisis.

Make cultural changes:

Operational resilience needs to be seen as a strategic and cultural pillar that should shape decision making within a firm. Firms’ resilience strategy needs to be communicated and understood. People do not just respond, but understand why, and consider how their actions might impact your clients.

Why is this crucial?

Firms are facing a volatile mixture of threats such as AI risks, digital infrastructure outages, supply chain disruption and geopolitical instability. Against this backdrop, operational resilience is emerging as a key competitive differentiator, not just a regulatory obligation. In practical terms, this means:

  • Board accountability is paramount. Linked to the UK’s Senior Managers and Certification Regime (SM&CR), senior executives need to own resilience. It is not a role assigned to an individual. How are decisions made within the firms and are they aligned with the strategy?
  • Supervisory oversight is focused upon targeted assessments and scenario testing to identify those firms whose resilience capabilities are superficial or siloed.
  • Firms are expected to show that they have identified their important business services, mapped dependencies, and tested their ability to remain within impact tolerances. This requires ongoing oversight, an understanding of weaknesses, and watching for alerts.

Identified weaknesses:

Many businesses still struggle with fragmented ownership of resilience, spread across IT, compliance and operations without strategic alignment. Improved strategic direction is required to ensure energy is focused in the right areas, with everyone collaborating towards the right goal.

Superficial scenario testing is another area highlighted by the regulator. Testing often lacks realism or meaningful board engagement. There is value to be had in the stress testing that fails as it enables firms to identify why, as well as how the firm should respond. Tests that are guaranteed to succeed do not help firms to prepare.

Legacy infrastructure is still evident in firms. Again, a repeated message is that firms need to assess third party software and solutions. Robust oversight will help firms to have a better idea of any weaknesses in their processes.

Underestimating cyber and third party risk is another area where we have seen the UK supervisors being vocal. There is greater scrutiny of supply chains, especially the more complex chains with subcontractors. Firms are reminded of their responsibility not only to know with whom they are doing business, but to understand the risks that those suppliers pose to the regulated firm.

Take practical steps:

There is a simple message that firms should note: Start asking better questions internally.

Here are a few actions for consideration:

  • Scenario-based board exercises: These exercises should include real operational impacts and decision-making under stress.
  • Maturity assessments: The regulators continue to encourage firms to use maturity models to demonstrate their journey towards full compliance. When conducted, these assessments enable firms to gauge current capabilities against regulatory expectations.
  • Cultural audits: These audits should evaluate that risk and resilience are understood across teams.
  • Engagement with third party providers: Firms need to ensure continuity and transparency under stress, including collaboration with third parties.

Clear Regulatory Messages:

The regulatory blog should not be ignored. There are some very clear messages that firms need to contemplate. Resilience should be viewed as a differentiator. The cost of a failed business impacting the markets goes beyond regulatory sanctions. This requires firms to view resilience holistically.

If your firm has not revisited its resilience strategy, it should do so now. The next incident is not a matter of IF, but WHEN. Is your plan sufficient to weather the storm when it occurs?

How Ruleguard assists firms:

Technology has a key role to play in helping firms and regulators to embed operational resilience into the fabric of firms. Ruleguard can:

  • Automate critical services, systems, processes and third party dependencies
  • Offer dashboards that help firms to visualise interdependencies and identify resilience vulnerabilities
  • Allow firms to model and stress-test impact tolerances and produce audit trails of remediation planning and decision-making
  • Consolidate multiple data streams including risk metrics, incident logs, third party risk and resilience KPIs into unified board-ready reports
  • Foster a resilience culture by monitoring staff engagement, tracking training completion and issue logging.

The above benefits provide faster, evidence-based recovery and credible responses to supervisory enquiries. Ruleguard also enables firms to demonstrate board oversight, senior manager accountability under SM&CR, and the operation of their resilience frameworks.

The above points are crucial as the regulators are not looking for static policies. Supervisors want firms to:

  • Prove their recovery times are realistic
  • Demonstrate they have tested and updated their frameworks
  • Show that resilience is not confined to IT or compliance silos, but evidenced throughout an organisation.

Ruleguard's Operational Resilience Solution

Ruleguard’s Operational Resilience Software provides a comprehensive and intuitive platform designed to help financial services firms meet evolving regulatory demands and build robust resilience strategies.

If you’d like to learn more about our Operational Resilience Solution please contact us for further information on: Tel: 0800 408 3845 or hello@ruleguard.com.

Related Webinars, White Papers and Blogs

Ruleguard hosts regular events on various regulatory topics. You can watch our webinars on-demand at your convenience, read our blogs, white papers and infographics, and tune in to our podcasts.


About the author

In a career spanning almost 30 years, Priscilla has worked as a consultant, CCO and MLRO providing regulatory oversight and advice to firms across the financial services industry. She is responsible for our thought leadership programme, writing regular articles and white papers, and hosting webinars on a variety of regulatory matters.

She is a Fellow of the International Compliance Association, a certified GRC practitioner, and a member of the Institute of Risk Management.
