FCA Operational Resilience Impact Tolerances: Frequently Asked Questions
The FCA and PRA's operational resilience framework (PS21/3) requires every regulated firm to identify its important business services, set impact tolerances for disruption, and demonstrate it can remain within those tolerances during severe but plausible disruption scenarios. The March 2025 deadline for full compliance has passed — but many firms still have significant gaps in their impact tolerance documentation, scenario testing, and self-assessment. This FAQ addresses the most common practical questions.
The PS21/3 full compliance deadline was March 2025. The FCA has confirmed it will assess impact tolerance setting and testing as part of ongoing supervision, so gaps will be found.
Understanding Impact Tolerances
Impact tolerances are the FCA's mechanism for ensuring firms define the maximum disruption they could tolerate before harm to clients, market integrity, or financial stability becomes unacceptable:
- An impact tolerance must specify the maximum tolerable duration of disruption to an important business service — expressed as a time period
- It must also specify the maximum tolerable level of degradation — not just unavailability but poor performance or partial delivery
- Impact tolerances should be set based on the harm that would result from disruption — client harm, market harm, and systemic harm are all relevant
- Tolerances must be challenging but achievable — set too loosely (72-hour tolerance for a 10-minute outage) and they are not meaningful; set too tightly and the firm cannot credibly demonstrate it can meet them
- The FCA expects firms to test their ability to meet their impact tolerances — not just to document them
Frequently Asked Questions
How many important business services should a typical IFA or wealth manager identify?
There is no fixed number — the FCA expects firms to identify all services whose disruption would cause intolerable harm. For a typical IFA or wealth manager, important business services typically include: client financial advice delivery (the core regulated activity); client communication (email, portal, telephone — disruption prevents urgent client contact); client money management (CASS-regulated activities); and regulatory reporting (FCA, HMRC, etc.). Smaller firms may identify two to four important business services; larger, more complex firms may identify ten or more.
What is a "severe but plausible" disruption scenario?
The FCA and PRA have published illustrative scenarios: (1) ransomware attack on core systems causing extended outage; (2) loss of a key data centre or cloud region; (3) compromise or failure of a critical third-party provider; (4) major cyber attack coinciding with market stress; (5) loss of key personnel managing critical systems. "Severe but plausible" means scenarios that are genuinely challenging — not minor incidents — but are realistic possibilities, not science fiction. Firms should draw on FCA guidance, NCSC threat intelligence, and their own operational risk experience to define relevant scenarios.
What does testing look like in practice for a small firm?
For a small firm (5-20 people), testing does not require expensive external consultants or complex simulations. A documented tabletop exercise — where the principal and relevant staff work through a scenario (e.g., "ransomware has encrypted our back-office system and our email is down — what do we do?") — satisfies the testing requirement if it is documented. The documentation should record: who attended, what scenario was tested, what the exercise revealed, and what actions have been taken to address identified gaps. This exercise, conducted annually and documented, is the foundation of a defensible PS21/3 testing programme.
We have not completed our self-assessment. What should we do now?
Start immediately. The FCA's supervisory focus on operational resilience will intensify following the March 2025 deadline. A self-assessment does not need to be a large document — it needs to be accurate and evidence-based. Begin with important business service identification, set provisional impact tolerances based on a reasonable analysis of client harm, document your current capabilities and known gaps, and plan your remediation. An honest self-assessment that identifies gaps and a credible remediation plan is more valuable to the FCA than a polished document that does not reflect reality.
How do third-party providers affect our impact tolerances?
Your ability to meet your impact tolerances depends substantially on the recovery times of your critical third-party providers. If your back-office system provider has a recovery time objective (RTO) of 48 hours, you cannot credibly set a 24-hour impact tolerance for the business service that depends on it — unless you have a documented fallback that delivers that service independently. This dependency mapping is a core element of the impact tolerance exercise and directly informs your third-party risk management programme under FCA SS2/21 and DORA.
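One way to make the dependency-mapping rule above concrete, as an added example that is not part of the original page or of any FCA guidance: a service's tolerance is only credible if every dependency can be recovered, directly or through a documented fallback, within that tolerance. The provider, the 48-hour RTO, the 24-hour tolerance and the 8-hour fallback are constructed figures.

```python
"""Dependency-mapping check for PS21/3 impact tolerances (added example)."""
from dataclasses import dataclass, field


@dataclass
class Dependency:
    """A third-party or internal component an important business service relies on."""
    name: str
    rto_hours: float                 # provider's stated recovery time objective
    fallback: "Dependency | None" = None  # documented alternative route, if any


@dataclass
class ImportantBusinessService:
    name: str
    tolerance_hours: float           # maximum tolerable duration of disruption
    dependencies: list = field(default_factory=list)


def effective_recovery_hours(dep: Dependency) -> float:
    """Recovery time the firm can credibly rely on: the faster of the primary
    route and its documented fallback, followed recursively."""
    if dep.fallback is None:
        return dep.rto_hours
    return min(dep.rto_hours, effective_recovery_hours(dep.fallback))


def credibility_check(service: ImportantBusinessService):
    """Return (is_credible, binding_dependency, binding_hours).

    The binding dependency is the one with the longest effective recovery
    time; the tolerance is credible only if that time fits inside it."""
    worst_name, worst_hours = None, 0.0
    for dep in service.dependencies:
        hours = effective_recovery_hours(dep)
        if hours > worst_hours:
            worst_name, worst_hours = dep.name, hours
    return worst_hours <= service.tolerance_hours, worst_name, worst_hours


# Constructed provider mirroring the page's scenario: 48-hour RTO, no fallback.
BACK_OFFICE = Dependency("back-office platform (constructed)", 48)
# Same provider, but with a documented manual fallback recoverable in 8 hours.
BACK_OFFICE_WITH_FALLBACK = Dependency(
    "back-office platform (constructed)", 48,
    fallback=Dependency("manual client-money reconciliation pack (constructed)", 8))


def demo():
    """24-hour tolerance against both variants; returns (without, with) fallback results."""
    without = ImportantBusinessService("client money management", 24, [BACK_OFFICE])
    with_fb = ImportantBusinessService("client money management", 24, [BACK_OFFICE_WITH_FALLBACK])
    return credibility_check(without), credibility_check(with_fb)
```

Running `demo()` shows the 24-hour tolerance is not credible against a bare 48-hour RTO, and becomes credible once the fallback is documented.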