FCA operational resilience: the SYSC 15A guide
If you're a UK firm, you don't follow DORA — you follow the FCA's own operational-resilience regime, set out in PS21/3 and the SYSC 15A rules, and it's been fully in force since 31 March 2025. The shape is simple even if the work isn't: know your important business services, decide how much disruption is tolerable, prove you can stay inside that, and write it down where your board has signed it off. Here's the practical version.
In one line: identify your important business services → set an impact tolerance for each → map and scenario-test against it → record it in a board-approved self-assessment the FCA can ask to see.
Who this applies to
The regime covers banks, building societies, insurers, and a wide range of FCA-regulated firms — including investment firms, payment and e-money firms and others. If you're FCA-authorised and provide services to end users, assume you're in scope and check the thresholds for your firm type.
The four moves
1. Identify your important business services
The services whose failure could cause intolerable harm to clients or threaten market integrity. Not internal processes — the outward-facing services clients actually rely on. Getting this list right is the foundation; everything else hangs off it.
2. Set impact tolerances
For each important business service, the maximum tolerable level of disruption — usually expressed as a time limit. This is a board-level judgement about harm, not an IT recovery target.
3. Map and test
Map the people, processes, technology, facilities and third parties each service depends on, then run severe-but-plausible scenarios to see whether you'd stay within tolerance. Where you wouldn't, that's a remediation action with a date.
4. Write the self-assessment
Pull it together into a self-assessment document — services, tolerances, mapping, scenarios, vulnerabilities and your remediation plan — and have your governing body approve it. Keep it current; the FCA can ask for it.
Don't forget UK MAR
If your firm trades or arranges deals, operational resilience isn't your only conduct obligation — UK MAR requires you to detect and report suspicious orders and transactions (STORs) too. It's the UK twin of the market-abuse rules crypto firms meet under MiCA. One regime rarely travels alone.
What "good" looks like for a smaller firm
- A short, honest list of important business services — not every process you run.
- Impact tolerances the board actually debated and owns.
- Evidence of at least one severe-but-plausible scenario test, with findings.
- A remediation plan with realistic dates.
- A self-assessment that's signed off and kept current — not a one-time PDF.
Common questions
What is FCA operational resilience?
The FCA regime (PS21/3, SYSC 15A) requiring firms to identify important business services, set impact tolerances, map and test against them, and keep a board-approved self-assessment. Fully in force since 31 March 2025.
What is an important business service?
A service to an external end user whose disruption could cause intolerable harm to clients or risk to market integrity. Identifying them is the foundation of the regime.
Does the self-assessment go to the FCA?
Not by default — but it must be board-approved, kept current, and producible on request. The FCA can ask to see it at any time.
General information, not legal advice. Confirm the current requirement against the FCA's rules (SYSC 15A), PS21/3 and any guidance applicable to your firm type before you rely on it.