Operational Resilience 2026: What UK Boards Must Prove to Regulators Now
The FCA and PRA’s March 2025 operational resilience deadline was not a finish line — it was the start of a harder phase. UK boards in regulated financial services must now demonstrate, with contemporaneous and independently verifiable evidence, that they are staying within their impact tolerances every day. Frameworks are no longer enough.
Why Is Operational Resilience Still a Board Priority in 2026?
The FCA and Prudential Regulation Authority established their operational resilience regime in 2021, requiring firms to identify important business services, set impact tolerances, and map dependencies across people, processes, technology and third parties. The March 2025 deadline required firms to have completed this mapping and to have demonstrated — through scenario testing — that they could remain within tolerances during a severe disruption.
What has changed in 2026 is the supervisory lens. Regulators are no longer asking whether a resilience framework exists. They are asking whether the evidence underpinning that framework would survive direct scrutiny: Is it current? Is it independently verifiable? Can it be traced to specific obligations under PRA SS1/21 and the FCA’s equivalent rules? According to analysis from operational risk consultancies, the supervisory question in 2026 is not one of structure but of substance.
For boards, this means operational resilience cannot remain delegated to a compliance team. It requires active oversight, regular review, and a credible line of sight from governance to the firm’s most critical services.
Executive Action
- Request a board-level summary of the firm’s current important business service mapping and confirm it has been updated since March 2025.
- Ensure the board formally approves and has minuted its review of the firm’s operational resilience self-assessment — regulators are checking for governing body sign-off.
- Ask management whether scenario testing is empirical and evidence-based, or still relying on judgment alone.
What Are the PRA and FCA Actually Examining in Supervisory Reviews?
Supervisory engagement in 2026 has sharpened considerably. For firms under PRA oversight — banks, insurers and major investment firms — examiners are probing whether resilience evidence is contemporaneous, not prepared retrospectively for a review. They are looking for scenario testing that reflects severe but plausible disruptions grounded in the firm’s specific risk profile, not generic industry scenarios borrowed from a template.
Research from operational resilience practitioners suggests that firms which relied heavily on documentation produced in the months before March 2025 are now facing challenge where that evidence cannot be refreshed on demand. The PRA’s supervisory standard under SS1/21 requires ongoing maintenance, not a one-time exercise. According to Fourth Line’s 2026 analysis of PRA insurance supervision, examiners are specifically probing whether evidence is independently verifiable — meaning it cannot simply be the firm asserting compliance to itself.
For FCA-regulated firms, the emphasis is similar: the regulator is examining whether important business services have been correctly scoped, whether impact tolerances are genuinely meaningful, and whether third-party dependencies — particularly technology providers and outsourced services — are fully mapped and subject to credible testing.
Executive Action
- Commission an independent review of your firm’s operational resilience evidence — internal teams may be too close to their own frameworks to identify gaps a regulator would surface.
- Review your third-party and outsourcing register: are critical technology providers fully included in important business service mapping and scenario testing?
- Confirm that board minutes reflect substantive resilience discussion, not just agenda items — regulators review minutes as part of supervisory engagement.
What Do the New Operational Incident and Third-Party Reporting Rules Mean for Boards?
On 18 March 2026, the FCA, PRA and Bank of England published final policy statements — PS7/26 — introducing new mandatory reporting requirements for operational incidents and material third-party arrangements. While the rules come into force on 18 March 2027, firms must begin preparing governance structures now.
The incident reporting regime requires firms to submit a report as soon as reasonably practicable after determining that an operational incident has met the regulatory threshold — with the expectation that this will typically happen within 24 hours of that determination. This is a material shift. It places significant pressure on internal escalation processes: a firm that does not have a clear, tested pathway from incident detection to regulatory notification will struggle to comply.
Third-party reporting is equally significant. Firms with material arrangements with technology providers — cloud platforms, data processors, core banking systems — will need to maintain and report on those arrangements in a format the regulators can examine. According to Addleshaw Goddard’s 2026 briefing on the rules, this creates new obligations around vendor oversight that many boards have historically left to procurement or IT.
For executives and NEDs, the implication is clear: operational incidents are no longer just operational problems. They are regulatory reporting events, and the board is responsible for the governance of how the firm responds.
Executive Action
- Initiate a gap analysis against PS7/26 now, ahead of the March 2027 effective date — firms that wait until late 2026 will have insufficient time to redesign escalation processes.
- Review the firm’s material third-party register and determine whether current vendor management processes meet the new reporting standard.
- Ensure the board has a crisis escalation protocol that explicitly covers regulatory notification timelines for operational incidents.
How Should the Board Structure Its Ongoing Resilience Oversight?
The FCA and PRA have been consistent in one expectation: resilience must be governed from the top down. The governing body — whether a main board or a board risk committee — must formally approve the firm’s self-assessment of important business services and impact tolerances, and must review this regularly. This is not a task that can be delegated entirely to an executive committee or a chief operating officer.
Boards that have not yet established a formal resilience oversight cadence should do so now. This means at minimum a twice-yearly board-level review of the operational resilience self-assessment, a standing agenda item on material incidents and near-misses, and direct board engagement with the outputs of scenario testing — not just a summary slide from management.
For firms with FTSE-listed status or significant financial services footprints, the reputational dimension amplifies the governance obligation. Public naming by the FCA of active investigations — now possible under expanded regulatory powers — means that operational failures with board-level governance gaps carry disclosure risk as well as supervisory risk.
Executive Action
- Establish a formal board or board risk committee schedule for operational resilience review — document it in the committee’s terms of reference.
- Require management to present scenario testing outputs directly to the board, including what was tested, what failed, and what remediation was taken.
- Review whether your firm’s risk appetite statement explicitly addresses operational resilience and impact tolerances — and whether it is current.
What Must Regulated Firms Do Before March 2027?
The window between now and March 2027 is tighter than it looks. Firms need to design and implement new incident escalation pathways, build third-party reporting processes that meet PS7/26 standards, update their operational resilience frameworks to reflect any changes in the business since March 2025, and train their boards to engage with resilience evidence meaningfully rather than by exception.
Regulators have signalled that they will be reviewing preparedness ahead of the March 2027 deadline. Firms that are only beginning this work in late 2026 will face supervisory pressure during a period of active FCA and PRA engagement. According to Leaman Crellin’s 2026 regulatory priorities analysis, operational resilience remains among the top three FCA supervisory themes for the year, alongside consumer duty and financial crime. That means supervisory capacity is genuinely directed here.
Executive Action
- Build a March 2027 readiness programme now, with a board-approved project plan and named executive sponsor — this is not a business-as-usual compliance task.
- Engage external legal and operational risk advisers to sense-check your gap analysis against PS7/26 before committing to a remediation plan.
- Confirm with your compliance function that the firm’s important business service list has been reviewed and updated to reflect any technology, outsourcing or structural changes since 2025.
INFORMD provides intelligence briefings, tools and frameworks for senior business leaders across technology, finance, strategy and compliance. Based in Milton Keynes, UK, we help executives stay informed and act with confidence.
FAQ: What is the FCA and PRA operational resilience deadline for 2026?
The original implementation deadline was 31 March 2025, by which point firms were required to have demonstrated they could remain within impact tolerances during a severe disruption. In 2026, there is no new compliance deadline — but regulators have intensified supervisory scrutiny, examining whether firms can substantiate their resilience claims with contemporaneous, independently verifiable evidence. A further implementation date of 18 March 2027 applies to new operational incident and third-party reporting obligations under PS7/26.
FAQ: What is PS7/26 and how does it affect boards?
PS7/26 is the joint policy statement published in March 2026 by the FCA, PRA and Bank of England finalising rules on operational incident reporting and material third-party arrangement reporting. It requires regulated firms to notify regulators within 24 hours of determining an operational incident has met the reporting threshold, and to maintain structured reporting on material third-party arrangements. Boards must ensure governance processes are in place to support these obligations ahead of the March 2027 effective date.
FAQ: Which firms are in scope for UK operational resilience rules?
The FCA and PRA operational resilience rules apply to banks, building societies, PRA-designated investment firms, insurers, and a range of FCA-regulated firms including asset managers, payment institutions and e-money institutions. The scope is broad and covers the majority of significant financial services entities operating in the UK. Firms uncertain about their scope should seek legal advice — regulatory expectations have expanded since the rules were first introduced in 2021.
FAQ: What does ‘important business service’ mean under FCA/PRA rules?
An important business service is a service a firm provides to external customers or to the financial markets whose disruption would cause intolerable harm to consumers or market integrity. Firms must identify these services, map the people, processes, technology, facilities and information they rely on, and set impact tolerances — the maximum level of disruption that can be tolerated. Boards are required to approve the firm’s list of important business services and its associated impact tolerances.
