FCA Operational Resilience: Step-by-Step Guide to PS21/3 Self-Assessment

By March 2025, every FCA and PRA-regulated firm must have completed its PS21/3 self-assessment — documenting its important business services, the impact tolerances it has set for each, the testing it has conducted, and the vulnerabilities it has identified and is addressing. For firms that have treated this as a future problem, the deadline has arrived. This guide provides the practical steps to complete a compliant self-assessment — drawing on the FCA and PRA's published policy, supervisory statements, and the common failure modes identified in early supervisory reviews.

FCA PS21/3 full compliance deadline: March 2025. Firms that cannot evidence a completed self-assessment face supervisory action.

Step 1: Identifying Your Important Business Services

An important business service (IBS) is one that, if disrupted, would cause harm to consumers or market integrity. For most financial firms, the IBS list includes services provided to external clients — not internal operations. Typical IBS for financial services firms:

  • Wealth managers and IFAs: Client onboarding, financial advice delivery, client portfolio access, investment execution
  • Mortgage brokers: Mortgage application processing, client communication and document exchange
  • Insurance brokers: Policy placement, claims notification processing, client account access
  • Payment processors: Payment initiation, settlement processing, fraud monitoring
  • Fund managers: NAV calculation and publication, investor dealing, custody reconciliation

Step 2: Setting Impact Tolerances

An impact tolerance is the maximum tolerable level and duration of disruption to an important business service — expressed in specific, measurable terms. The FCA expects tolerances to be:

  • Specific: Not "we will restore as quickly as possible" but "client portfolio access cannot be unavailable for more than 4 hours at any time"
  • Outcome-focused: The tolerance is set by the harm disruption would cause to clients, not by technical system recovery time targets
  • Justified: The rationale for the chosen tolerance must be documented — why 4 hours and not 8? What client harm does that threshold prevent?
  • Approved by the board: The impact tolerances must be approved by or on behalf of the firm's governing body — a named Senior Manager must own them

Step 3: Mapping Technology Dependencies

Once important business services and impact tolerances are set, firms must map the complete dependency chain for each service — every system, process, team, and third party that must function for the service to remain within tolerance. This is the stage where Hadrian's attack surface management is most valuable: it provides an objective, continuously updated map of your external technology dependencies that supplements the internal system architecture analysis. The dependency map reveals both the technology components that need resilience investment and the third-party relationships that require SS2/21 management.

Step 4: Testing and the Self-Assessment Document

PS21/3 requires firms to test their ability to remain within impact tolerances using severe but plausible scenarios. Testing can take three forms: tabletop exercises (structured discussion of how the firm would respond to a defined scenario), technical simulations (actually failing over or restoring systems in a non-production environment), or live operational tests (planned disruption carried out in a controlled manner). The self-assessment document must record: the IBS identified, the tolerance set for each, the testing conducted and its outcomes, the vulnerabilities identified, and the remediation plan and its progress. This document is the primary evidence the FCA will request in a supervisory review.

Frequently Asked Questions

Does PS21/3 apply to small financial firms?

PS21/3 directly applies to PRA-regulated firms (banks, insurers) and FCA-regulated firms above certain thresholds. However, the FCA's operational resilience supervisory approach applies more broadly — the FCA expects all regulated firms to have considered their operational resilience and to have proportionate controls. Smaller firms may have a shorter IBS list and a simpler tolerance-setting exercise, but the framework still applies.

What are severe but plausible scenarios for a wealth manager or IFA?

The FCA and PRA have published illustrative scenarios: ransomware attack on core systems (48–72 hour outage), loss of a data centre or cloud region, compromise of a critical third-party provider, major cyber attack coinciding with high market volatility, and loss of key personnel managing critical systems. For wealth managers and IFAs, the most relevant scenarios involve loss of access to the portfolio management system, financial planning tools, or client communication channels.

How do we document the self-assessment if we are a small firm without a compliance team?

The self-assessment does not need to be a large document — it needs to be accurate, honest, and evidence-based. A two-page document that correctly identifies three important business services, sets credible impact tolerances with rationale, describes a tabletop exercise conducted, and lists two vulnerabilities being addressed is more valuable to the FCA than a 40-page document that describes aspirational controls. Kyanite Blue provides a self-assessment template as part of its implementation support.
