OUT-LAW ANALYSIS

FCA's operational resilience findings necessitate action on contracts

Image: data centre server racks (Nikada/iStock).

The Financial Conduct Authority (FCA) has given UK financial services firms clear guidance on what it expects of them in meeting their operational resilience obligations, one year on from the regulatory deadline for action of 31 March 2025.

The findings from its review have implications for how firms manage their internal operational resilience arrangements, including their material supplier contracts.

By 31 March 2025, firms were required to have completed mapping and testing so as to remain within ‘impact tolerances’ set for each of their important business services. The FCA used that milestone to take stock, reviewing firms' annual operational resilience self-assessments and publishing its observations.

The headline message is broadly positive: the FCA has seen strong engagement and good progress across all areas of the operational resilience requirements. However, the FCA made clear that there is more work to do on identifying, assessing and remediating third-party vulnerabilities. It also said that mapping had been largely focused on the technology used to support the delivery of important business services and needs to encompass the full range of third-party dependencies. A final key message was that firms should be testing scenarios that are plausible but also sufficiently severe to demonstrate strong resilience.

The context: a year of live disruptions

The FCA's publication referenced the real-world disruptions that have occurred since the transition period ended. It pointed to outages experienced by cloud service providers such as Amazon Web Services, Microsoft Azure and Cloudflare, as well as cyber-attacks on companies such as Jaguar Land Rover, Marks & Spencer, and the Co-op. 

The FCA described the examples as severe, but said firms should nevertheless consider them as plausible scenarios in their testing. For firms that rely on the same cloud infrastructure as other market participants, concentration risk is a live and pressing issue.

What the findings mean for third-party contracts

The FCA's publication identifies six thematic areas in its review: important business services and impact tolerances; mapping resources; scenario testing; vulnerability management; communications; and governance. Each has implications for supplier contract management.

Important business services and impact tolerances

The FCA welcomed the growing use of quantitative, non-time-based metrics such as transaction volumes and financial thresholds alongside traditional time-based measures. This combined approach gives a more nuanced and complete view of how disruption scenarios affect firms, enabling better-informed assessments of operational resilience. Firms that have not already done so may wish to review the impact tolerances and service level arrangements in their critical contracts to account for such measures.

Mapping and due diligence

Firms must identify and document the people, processes, technology, facilities and information needed to deliver each of their important business services, including any third-party relationships that could threaten their ability to remain within impact tolerance. The FCA's findings show that there is still more for firms to do, with progress remaining uneven, and that less mature firms often focus narrowly on technology resilience rather than on other key factors such as location and critical personnel. Firms should ensure that their critical third-party contracts contain adequate audit and information rights so that external dependencies can actually be mapped, rather than assumed.

Scenario testing

Firms must develop and maintain testing plans that show they can remain within impact tolerances for each important business service through severe but plausible disruptions. The FCA noted that some firms were not testing scenarios that were severe enough, so that the exercises served only to prove a firm's recoverability. Firms that have not already done so should consider whether their existing contracts include express rights to require supplier co-operation with resilience testing exercises, or provide for joint testing on a scenario selected by the firm.

Vulnerability management

The FCA expects self-assessments to explain clearly how vulnerabilities are identified through mapping and testing, which important business services they affect, and how the firm intends to remediate any outstanding issues, with remediation activities tracked through to closure. Notably, the FCA observed that some less mature firms reported no vulnerabilities at all, suggesting that their scenario testing may not have been severe or comprehensive enough to surface weaknesses. Firms should therefore make sure they are genuinely identifying vulnerabilities rather than reporting a clean result. Where a vulnerability is attributable to a third-party supplier, the contract should give the regulated firm the ability to require remediation within defined timescales, and should allow the firm to intervene where the supplier fails to act.

Communications during disruption

The FCA found limited evidence that communications strategies are tested as part of scenario exercises, or that firms have plans to mitigate the loss of their usual communication channels. Supplier contracts should define the supplier's role in supporting the firm's communications strategy during a live incident, including incident notification timescales, named contacts, and obligations to provide timely and accurate situational updates. Firms will also want to ensure that they have an agreed communications strategy with providers of key services, and that this is included in continuity planning and exercised in testing, including the case where the primary channel itself is unavailable.

Governance

A major theme in the paper was board accountability: boards must be responsible for embedding operational resilience in their firms' strategy and planning. The FCA identified that weaker firms had unclear responsibility for monitoring remediation or other action plans, and little or no evidence of input from the second or third lines of defence in their self-assessments. From a material contract perspective, this underscores the need to assign named accountability within supplier arrangements and to ensure that incidents and vulnerabilities are discussed at the highest level of governance.

Reviewing key contracts

As part of their compliance, regulated firms and their advisers should consider the following in respect of their material contracts:

  • Review existing material outsourcing and supplier contracts against the FCA's six thematic areas, with a particular focus on audit rights, penetration testing, information obligations, incident notification, scenario testing cooperation, and exit planning. While these provisions are not new, and will typically have been negotiated following the introduction of the European Banking Authority and Prudential Regulation Authority outsourcing regimes, firms should ensure that they operate effectively in practice, supporting operational resilience without proving unduly restrictive;
  • Assess supplier service level agreements against impact tolerances: service level commitments should reflect the firm's regulatory obligations, including both time-based and quantitative non-time-based metrics, rather than generic uptime targets;
  • Consider cyber-specific provisions, such as immutable back-ups and data vaulting solutions, and confirm that restoration from them is actually tested rather than assumed;
  • Review concentration risk, particularly where suppliers rely on major cloud providers;
  • If not included already, negotiate contractual remediation rights for identified vulnerabilities, with tiered timeframes and step-in provisions, rather than relying on general contract management or general service level mechanisms;
  • Review the exit obligations that apply in a stressed scenario, including run-off support periods, data portability and supplier co-operation, and ensure that a workable exit plan is in place and regularly tested.

While firms must ensure their contracts include the necessary rights to support operational resilience, the FCA is clear that this is only the starting point. Firms need to move decisively “beyond compliance” and embed resilience into the way they actually operate.

For critical third-party arrangements, this means treating operational resilience as a continuous, end‑to‑end discipline – built in from supplier selection and due diligence, carried through contract negotiation, and actively managed throughout the life of the relationship, including exit planning. Contract terms can support this approach, but they do not in themselves guarantee resilience, which ultimately depends on effective operational practices.

Co-written by Lucie Millington of Pinsent Masons.
