Guest blog: Are you operationally resilient enough?

With all firms regulated by the Financial Conduct Authority (FCA) facing a March 2025 deadline to operate within impact tolerances for their important business services, Laura Moore from consultancy Protiviti and Dave Gardner from legal firm TLT shared their expertise on deploying operational resilience within organisations.

The first panel discussion at the 2024 Building Societies Annual Conference focused on a live issue for building societies and credit unions – operational resilience.

We asked Laura and Dave to talk through their top tips for building societies and credit unions getting to grips with the new requirements.

Dave Gardner, TLT LLP; Laura Moore, Protiviti

1. Are you seeing any trends / common practices across the building society sector around how operational resilience is being tackled?
 

Laura: Building societies are focusing on embedding resilience within their firms in line with key roles and responsibilities. Also advancing scenario testing is a key priority for identifying vulnerabilities ahead of the March 2025 deadline; ensuring all loss scenarios highlighted by the regulators are covered.

Dave: The FCA’s updates on operational resilience have highlighted some variability in the interpretation of their requirements, for example in defining the impact tolerances for their important business services. From Member feedback at Conference, some building societies are looking for guidance on how best to meet these new requirements. It’s likely that best practice and a degree of standardisation will develop over time, but every building society is unique and for the time being the focus should be on careful consideration and clear justification of your approach, rather than looking to follow a standard approach.

2. What tips do you have for firms to really take operational resilience to the next level and embed it fully in their organisations?
 

Laura: Firms should be asking ‘How resilient are we?’ and ‘Are we resilient enough?’ as opposed to ‘Are we compliant with the regulations?’. Shifting focus in this way means firms will naturally look to foundational areas such as BCP/DR, Change Management, Third-Party Management, Cyber and others to consider resilience through an Important Business Service (IBS) lens. The right management information (MI) is also key to obtaining value-adding insight and enabling more effective decision making, with firms maturing in this space as more MI becomes available.

Dave: Recent research by Continuity Central found that 87% of respondents from the Financial Services sector said regulatory compliance was their main motive for implementing operational resilience. I agree with Laura that this is the wrong place to focus. Though the process can be challenging, societies should look at this as an opportunity to mitigate the real and significant risks of disruption to their organisations and improve the quality and resilience of services to members. This requires leadership from the top of the organisation to drive thorough testing, learning and continual review as organisations change and external threats evolve.

3. Digital transformation is a burning platform for much of the sector - what principles of operational resilience should they be applying to working with new partners?
 

Laura: As the industry places more and more reliance on third parties (TP), it is essential that resilience is built into the traditional third-party risk management lifecycle. This includes considering ‘resilience by design’ when bringing on new TP or when there are changes to existing TP; conducting resilience due diligence assessments (initial and on-going); communicating IBSs and impact tolerances, updating contractual obligations and strengthening SLAs to incorporate resilience requirements; developing a testing strategy that considers third parties; ensuring effective exit and contingency plans are in place; and enhancing reporting.

Dave: My practice at TLT is focussed on building successful collaborations between FS institutions and third party technology providers. The FCA’s Operational Resilience Rules require some specific provisions and protections to be included in third party contracts, but like the EBA and PRA Outsourcing Rules before them, many of those protections would be recognised by building societies (and providers!) as good contracting practice for prudent businesses contracting for critical services. The key is to ensure robust contracts are effectively managed, monitored and aligned to your overall operational resilience approach, for example by adopting a joined-up approach to reporting, testing, change management and communications.

4. What regulatory feedback have we seen coming from the FCA's thematic reviews on operational resilience and do we know what good looks like?
 

Laura: The FCA recently published their insights and observations for firms in the run up to 31 March 2025. Key messages include: ensuring supporting rationale for IBS determination, Impact Tolerance, Scenario Testing and Self-Assessments considers all FCA factors/minimum requirements; that testing also considers response plans, alongside recovery plans and plans are refreshed regularly alongside horizon scanning; reminding firms that, if a third-party supporting an IBS delivery fails to remain within impact tolerance, it is their responsibility; and the importance of embedding resilience.

Dave: The FCA’s observations on third-parties are interesting because they highlight the breadth of the exercise that firms must undertake to be able to comprehensively assess their vulnerabilities and operational risks. The FCA highlights the importance of actively managing and incorporating third parties into scenario testing. As we discussed in the Conference session, this needs to be more than a paper exercise – thorough testing can be helpful in uncovering gaps where contracts don’t align or communication plans don’t work as expected.

5. What regulatory developments do you see coming down the tracks, especially in the wake of the EU's Digital Operational Resilience Act?
 

Laura: In the UK building societies will be awaiting the outcome of regulatory consultations on Critical Third-Parties. EU’s Digital Operational Resilience Act (DORA) is also creating opportunities for firms to focus on risks relating to Information and Communication Technologies (ICT) and apply good practices from this prescriptive regulation across wider business practices which focuses predominately on ICT risk management, incident management and reporting, digital operational resilience testing and third-party risk management. The ability to consider and leverage good practice is also true of other global regulations which are adopting a more prescriptive approach to resilience regulation.

Dave: Operational resilience is rightly at the top of the agenda for regulators globally, given the substantial and ever-changing risk landscape that features increasingly complex supply chains, sophisticated cybercrime, the rise of AI and economic and political instability. The FCA has recently closed its own consultation on Critical Third Parties, the outcome of which will be interesting for building societies given the concentration of specialist providers in the sector. DORA will have a real impact on building societies in the UK because of its extra-territorial reach and focus on big tech. More broadly, the EU’s AI Act represents a landmark in the effort to regulate AI and mitigate the risks it poses to individual organisations and business ecosystems. Closer to home, as presented at Conference, developments in Open Banking also have the potential to disrupt the market for financial products. There is a lot to keep an eye on!

Find out more: Visit Protiviti and TLT LLP

This article was first published in the summer edition of Society Matters Magazine.
 
