FCA Operational Resilience Checklist: PS21/3 Compliance for UK Financial Firms
The FCA's PS21/3 operational resilience framework has been in full force since March 2025. FCA supervisors are actively assessing firms' resilience programmes — and the gaps they find follow a consistent pattern: important business services are defined too broadly, impact tolerances are set without evidence, scenario testing is undocumented, and self-assessments describe aspirations rather than actual capabilities. This checklist provides a structured path through the PS21/3 requirements, in the sequence the FCA expects firms to have completed them.
The PS21/3 full-compliance deadline was March 2025. FCA supervisory reviews are actively assessing operational resilience, and gaps in IBS identification, impact tolerances, and testing are the most common findings.
Phase 1: Important Business Service Identification
Important business services are services whose disruption could cause intolerable harm to consumers, market integrity, or financial stability. The identification process:
- Map all products and services delivered to consumers or counterparties
- For each, assess what harm would result from a disruption lasting 1 hour, 4 hours, 24 hours, and 72 hours
- Identify services where 72-hour disruption would cause intolerable harm — these are your important business services
- Document the harm assessment with reference to specific client populations and market functions
- Important business services must be defined at the level of the consumer outcome — not at the system or process level
Phase 2: Impact Tolerance Setting
For each important business service, set an impact tolerance that specifies the maximum tolerable disruption:
- Express tolerances in time (maximum hours or days of unavailability) and quality (maximum degradation of service)
- Base tolerances on the harm assessment — the tolerance should be set just below the point of intolerable harm
- Tolerances must be challenging: a 72-hour tolerance for a service that has never been down for more than 30 minutes is not meaningful
- Document the rationale for each tolerance — FCA supervisors will ask how you derived it
- Review and update tolerances annually or following material changes to the business
Phase 3: Mapping and Scenario Testing
Firms must map the resources (people, technology, third parties) that deliver each important business service, then test their ability to remain within impact tolerances under severe but plausible disruption:
- For each IBS, map: people, technology systems, third-party dependencies, premises, and data required to deliver it
- Identify single points of failure within each mapping — components whose loss would breach your impact tolerance
- Conduct at least one severe but plausible scenario test annually — documented tabletop exercise at minimum
- Document what the test revealed about your ability to meet impact tolerances — including gaps identified
- Track remediation of gaps identified in testing — the FCA expects gaps to be actively addressed, not just acknowledged
Phase 4: Self-Assessment Completion
The operational resilience self-assessment brings together your IBS identification, impact tolerance setting, and testing into a documented statement of your resilience position:
- The self-assessment must be approved by the Board or equivalent governing body
- It must describe each important business service, the impact tolerance set, current capability, identified vulnerabilities, and the remediation plan
- Be honest: the FCA expects self-assessments to identify genuine gaps and credible plans to address them
- The self-assessment is a living document — update it following material incidents, testing, or changes to your business
- The SMCR Senior Manager accountable for operational resilience must be named and their accountability documented
Frequently Asked Questions
Do we need to submit our self-assessment to the FCA?
No — the self-assessment is not submitted to the FCA proactively. However, the FCA may request it during a supervisory visit or thematic review, and you must be able to produce it. The self-assessment should be treated as a document you would be comfortable sharing with an FCA supervisor — honest, evidenced, and reflecting your actual capabilities rather than aspirational controls.
Can we use our existing business continuity plan as our operational resilience documentation?
Your BCP is part of your resilience documentation but does not replace the PS21/3 requirements. PS21/3 requires additional elements: formal identification of important business services, explicitly set impact tolerances with documented rationale, and mapping of resources to each IBS. A BCP that predates PS21/3 is unlikely to contain these elements. You can, however, use your BCP as the foundation and supplement it with the PS21/3-specific elements.
How do we handle dependencies on third-party providers when setting impact tolerances?
Your impact tolerances are only credible if your third-party providers can deliver within them. For each third-party dependency in your IBS mapping, you need to confirm the provider's recovery time objective (RTO) and compare it to your impact tolerance. Where a provider's RTO exceeds your impact tolerance, you need one of three things: a fallback procedure that delivers the service without them within tolerance, a renegotiated SLA with the provider, or a revised impact tolerance with documented rationale. This analysis is also required under FCA SS2/21 and DORA for material outsourcing arrangements.
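The comparison described above, together with the single-point-of-failure check from Phase 3, can be carried out systematically over an IBS mapping. The following is an added illustration, not code from the page or from any regulator or vendor; the service names, tolerance and RTO figures are constructed sample values, and the rule that a fallback counts only if it restores the service faster than the provider's own RTO is an assumption of this example.

```python
"""Check a PS21/3 resource mapping for components whose loss would breach the impact tolerance."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Resource:
    name: str
    rto_hours: float                       # recovery time objective of the provider or internal team
    fallback_hours: Optional[float] = None  # time to deliver the IBS without this resource, if a fallback exists


@dataclass
class ImportantBusinessService:
    name: str
    tolerance_hours: float                 # impact tolerance expressed in time (Phase 2)
    resources: list = field(default_factory=list)


def effective_recovery_hours(r: Resource) -> float:
    """Hours until the IBS is back if this resource is lost: the faster of recovery or fallback."""
    if r.fallback_hours is None:
        return r.rto_hours
    return min(r.rto_hours, r.fallback_hours)


def tolerance_breaches(ibs: ImportantBusinessService) -> list:
    """Resources whose loss would breach the tolerance, i.e. the single points of failure to remediate."""
    return [
        (r.name, effective_recovery_hours(r))
        for r in ibs.resources
        if effective_recovery_hours(r) > ibs.tolerance_hours
    ]


def remediation_options(ibs: ImportantBusinessService, r: Resource) -> list:
    """The three routes the FAQ above lists for a dependency that cannot recover within tolerance."""
    if effective_recovery_hours(r) <= ibs.tolerance_hours:
        return []
    return [
        f"add a fallback delivering {ibs.name} within {ibs.tolerance_hours}h without {r.name}",
        f"renegotiate the SLA so {r.name} RTO <= {ibs.tolerance_hours}h (currently {r.rto_hours}h)",
        f"revise the impact tolerance for {ibs.name} with documented rationale",
    ]


# Constructed sample mapping for one IBS (values are illustrative, not from any real firm).
PAYMENTS = ImportantBusinessService("Card payments", 4.0, [
    Resource("core banking platform", rto_hours=2.0),
    Resource("third-party payment processor", rto_hours=8.0),            # breaches: no fallback
    Resource("primary data centre", rto_hours=24.0, fallback_hours=3.0),  # within tolerance via failover
])
```

Running `tolerance_breaches(PAYMENTS)` flags only the payment processor, and `remediation_options` lists the three documented routes for it.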
Get expert support completing your PS21/3 programme
Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.