FCA Operational Resilience
The FCA's full compliance deadline has passed: firms must now demonstrate, not merely plan, their ability to remain within impact tolerances during disruption.
The Financial Conduct Authority's operational resilience framework (PS21/3) requires UK-regulated financial services firms to identify their important business services, set impact tolerances, and ensure they can continue to deliver those services within tolerance during severe but plausible disruption scenarios.
The full compliance deadline of 31 March 2025 has passed, meaning firms must now demonstrate, not merely plan, their operational resilience. This includes having tested their ability to remain within impact tolerances, having remediated any vulnerabilities identified, and having mapped the resources (people, processes, technology, facilities, information) that support each important business service.
For firms using Microsoft 365 as core infrastructure, StremarControl engineers and operates the Microsoft-native controls that the FCA operational resilience mandates require, translating impact tolerance requirements into enforceable controls over access management, data protection, incident response, and business continuity, with structured evidence produced through continuous monitoring rather than periodic assessment.
Why This Matters Now
FCA Operational Resilience is not a checkbox exercise - it fundamentally changes how UK financial services firms must think about their technology infrastructure. Firms must identify their Important Business Services, set impact tolerances for disruption, and demonstrate through scenario testing that they can remain within those tolerances. Microsoft 365, as the collaboration and identity backbone for most UK financial services firms, is a critical dependency for nearly every Important Business Service. The FCA expects firms to understand their dependency on M365, have tested failover procedures, and maintain evidence of continuous resilience - not just a recovery plan in a drawer.
Framework Metadata
Scope & Applicability
FCA Operational Resilience requirements apply to all firms authorised and regulated by the FCA and/or PRA. This includes banks, building societies, PRA-designated investment firms, insurers, Recognised Investment Exchanges, Enhanced scope Senior Managers and Certification Regime (SM&CR) firms, and certain FCA solo-regulated firms. The requirements focus on Important Business Services - services whose disruption would cause intolerable harm to consumers, market integrity, or the firm's own safety and soundness. For M365-dependent firms, email communication, identity authentication, document management, and collaboration workflows are typically dependencies of multiple Important Business Services.
Core Obligations
Important Business Services
Identify and document all important business services - those whose disruption could cause intolerable harm to consumers, market integrity, or the firm's safety and soundness.
Impact Tolerances
Set an impact tolerance for each important business service: the maximum tolerable level of disruption, expressed in clear metrics (time, volume, quality).
Resource Mapping
Map the people, processes, technology, facilities, and information that support each important business service. Identify single points of failure and concentration risks.
Scenario Testing
Conduct severe but plausible scenario testing to validate the ability to remain within impact tolerances during disruption events.
Self-Assessment
Complete and maintain a self-assessment documenting the firm's approach to operational resilience, including remediation plans for identified vulnerabilities.
Microsoft 365 Control Mapping
How each obligation maps to enforceable Microsoft 365 controls and the evidence they produce.
Technology Resource Mapping
Controls: Complete M365 service dependency map: Entra ID → Exchange → SharePoint → Teams → Defender. Conditional Access policy impact analysis per important business service.
Evidence: Service dependency documentation, CA policy-to-service mapping, technology resource register.
Incident Response and Recovery
Controls: Microsoft Sentinel incident response with bespoke financial services playbooks. Recovery procedures for Exchange, SharePoint, and Teams. Backup and restore testing on a quarterly cadence.
Evidence: Forensic incident response timeline reports, backup restore test results, validated recovery time metrics.
Access Continuity
Controls: Break-glass account procedures for emergency access. Conditional Access resilience policies (fallback authentication methods). PIM emergency activation procedures.
Evidence: Break-glass account audit logs, CA resilience policy configuration, emergency PIM activation records.
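As an added example (not StremarControl's code), the following Microsoft Graph PowerShell script checks that every enabled Conditional Access policy excludes the firm's break-glass accounts, so an emergency sign-in cannot be blocked by a misconfigured policy, and exports those accounts' recent sign-ins as the audit evidence named above. The break-glass UPNs, the 30-day window and the output path are placeholders.

```powershell
# Added example, not StremarControl's or Microsoft's code. Requires the
# Microsoft.Graph PowerShell module. Replace the placeholder UPNs with the
# firm's own break-glass accounts.
$BreakGlassUpns = @('breakglass-01@example.onmicrosoft.com',
                    'breakglass-02@example.onmicrosoft.com')

Connect-MgGraph -Scopes 'Policy.Read.All','User.Read.All','AuditLog.Read.All'

# CA exclusions are stored as object IDs, so resolve each UPN first.
$bgIds = @{}
foreach ($upn in $BreakGlassUpns) {
    $u = Get-MgUser -UserId $upn -Property Id,UserPrincipalName
    $bgIds[$u.Id] = $u.UserPrincipalName
}

# Every non-disabled policy (report-only included, since it may be
# switched on during an incident) must exclude every break-glass account.
$findings = foreach ($p in Get-MgIdentityConditionalAccessPolicy) {
    if ($p.State -eq 'disabled') { continue }
    $excluded = @($p.Conditions.Users.ExcludeUsers)
    foreach ($id in $bgIds.Keys) {
        if ($excluded -notcontains $id) {
            [pscustomobject]@{
                Policy  = $p.DisplayName
                State   = $p.State
                Missing = $bgIds[$id]
            }
        }
    }
}
if ($findings) {
    Write-Warning "Break-glass exclusion missing in $(@($findings).Count) policy/account pair(s):"
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'All enabled Conditional Access policies exclude every break-glass account.'
}

# Evidence: all sign-ins by break-glass accounts in the last 30 days. Each
# row should reconcile with an authorised emergency or a scheduled test.
$since  = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "createdDateTime ge $since and (" +
          (($BreakGlassUpns | ForEach-Object { "userPrincipalName eq '$_'" }) -join ' or ') + ')'
Get-MgAuditLogSignIn -Filter $filter -All |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IPAddress,
        @{n='Result'; e={ if ($_.Status.ErrorCode -eq 0) { 'Success' } else { $_.Status.FailureReason } }} |
    Export-Csv -Path './breakglass-signins.csv' -NoTypeInformation
```

Run it on a schedule and keep both the console output and the CSV with the self-assessment; a non-empty findings table or an unexplained sign-in is a remediation item, not just a log line.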
Data Protection During Disruption
Controls: Purview retention policies ensuring data availability during disruption. Cross-region backup for critical mailboxes and SharePoint sites. Offline access policies for essential applications.
Evidence: Retention policy status, cross-region replication configuration, offline access policy audit.
Related Frameworks
DORA transforms ICT risk management from an IT concern into a board-level legal liability for every EU financial entity and its critical technology providers.
ISO 27001 certification is increasingly a procurement prerequisite. Without it, organisations face exclusion from enterprise supply chain shortlists and heightened scrutiny from insurers and regulators.
Post-Brexit divergence means UK organisations must now navigate two parallel GDPR regimes, with the ICO imposing fines up to GBP 17.5 million or 4% of global turnover.
Ready to get FCA-ready?
Start with a fixed-scope sprint. We assess your Microsoft 365 controls against FCA requirements, close gaps, and produce audit-ready evidence.