Artizan Governance

Operational Resilience Is Not a Technology Problem. It Is a Governance Problem.

The FCA expects operational resilience governance as a board mandate.

Fund managers built technology resilience. The gap is where enforcement lands.

The FCA’s operational resilience regime does one thing exceptionally well: it forces firms to admit what business actually matters. When you map important business services, set impact tolerances, and commit to staying within them during severe disruption, you are making board-level strategy decisions, not IT architecture decisions. Yet three years into mandatory compliance, most fund managers still treat operational resilience governance as a technology project that IT executes while legal and compliance coordinate the paperwork.

The FCA does not see it this way. And that distinction is the fault line where enforcement will concentrate.

The Governance Design That Fund Managers Missed

The FCA’s PS21/3 framework, in force since March 2022 and now fully enforceable, contains an explicit governance architecture. SYSC 15A requires firms to identify important business services, set impact tolerances measured in pounds or customer count, and map people, processes, technology, and facilities against each service. But the deeper requirement sits in SYSC 8.1.1R on outsourcing: if a third-party provider fails to remain within your impact tolerance, the failure is your responsibility.

That is not a technology statement. It is a governance statement.

Board engagement is not optional scaffolding around operational resilience governance. The FCA’s May 2024 observations noted that “limited evidence of the testing of response plans” existed across the industry, with firms relying primarily on recovery rather than response. The supervisory expectation is clear: your governing body must approve and regularly review your self-assessment. This means actual scrutiny, scenario review, and challenge, not sign-off on a template.

As I examined in my analysis of how SM&CR accountability maps to fund management structures, senior management responsibility in UK financial services is never merely ceremonial. Operational resilience governance is the same. When an impact tolerance breach occurs, the question the FCA asks is not “Did IT respond fast enough?” It is “Why did the board not know this breach was possible?”

The CrowdStrike Lesson: Governance Separated Compliant Firms from Broken Ones

The CrowdStrike outage on 19 July 2024 disabled 8.5 million systems globally and offered an unexpected stress test of operational resilience governance across UK finance. The FCA’s analysis afterwards revealed which firms had actually built operational resilience governance and which had built technology checklists.

Firms that remained compliant with PS21/3 were able to identify consumer and market impacts quickly and prioritise their important business services in real time. They had done the governance work: they knew what mattered, they had tested who decides what during a crisis, and they had pre-aligned senior management and boards on the tolerance thresholds. When the technology failed, the governance held.

Firms that had treated operational resilience governance as an IT tickbox project scrambled. They had no pre-agreed impact tolerance. They had no clear escalation to the board. They had no mapped decision rights for when to activate response plans. The technology resilience measures they had built were disconnected from any governance framework that would activate them.

The FCA’s blog statement was direct: “You can spot these firms by how their senior executives and their boards engage with resilience, not as a regulatory checkbox but as a strategic priority.”

The Enforcement Precedent: TSB and the Governance Failure That Cost £48m

The TSB Bank enforcement action in December 2022 provides the mechanical depth that shows how the FCA translates governance failures into fines. The FCA imposed £29.75m and the PRA imposed £18.9m for a total of £48.65m. The charge was not that systems failed; the charge was that the governance of the project was structurally inadequate.

The bank’s 5.2 million customer base was affected. The technical failure that triggered the probe was real. But the magnitude and language of the fine flowed directly from a governance finding: senior management and board engagement was inadequate during a critical systems migration. The decision-making structure was unclear. The escalation paths between IT and governance were weak. The board did not regularly review the risk posture in real time.

This is the operational resilience governance failure template that fund managers should fear. It is not “your disaster recovery system did not work.” It is “your board did not know, in sufficient detail and in sufficient time, that your disaster recovery system might not work.”

The Third-Party Multiplier: Why Operational Resilience Governance Is Now Outsourcing Governance

The FCA and PRA’s Critical Third Parties framework (PRA PS16/24 and FCA PS24/16, November 2024) fused operational resilience governance with third-party governance. This was not accidental. Most fund managers depend on third parties for critical services. Payment processors, custody systems, fund administration platforms, and cloud infrastructure sit outside the firm but inside the impact tolerance.

SYSC 8.1.1R makes this explicit: if your critical third party fails to remain within your impact tolerance, that failure is your responsibility. Your board must govern this relationship, not your procurement team. You must know, in advance, what impact that third party can withstand. You must have tested whether they can stay within your tolerance during the disruptions you have identified.

The FCA’s December 2024 consultation on operational incident and third-party reporting (CP24/28) reinforces this. The reporting requirement itself is mechanical. The governance requirement is structural: your board must know which third parties matter, what their failure tolerance is, and whether your firm can absorb or mitigate that impact.

Fund managers who have outsourced the operational resilience governance decision as well as the operational resilience technology are now exposed. The FCA’s enforcement logic treats this as a delegation failure, not a service failure.

The Strategic Reframe: Operational Resilience Governance as Board Mandate

The distinction between technology resilience and operational resilience governance is not semantic. It divides compliant firms from enforcement targets.

Technology resilience is what IT builds: failover systems, backup infrastructure, redundancy, recovery protocols. These are necessary. They are not sufficient.

Operational resilience governance is what the board decides: which business services are critical, what disruption the firm can absorb without harming customers or market function, who decides when impact tolerance has been breached, how the firm will respond, and how the board will assure itself that the firm will actually stay within tolerance during severe disruption.

The FCA spots compliant firms not by inspecting their data centres but by watching how senior executives and boards engage with resilience decisions. Not as regulatory checkboxes. As strategic priorities. This means regular board discussion, scenario testing, impact tolerance challenge, third-party escalation, and documented decision-making.

Fund managers who have delegated all of this to IT have built a substantial governance gap. The technology may work. The governance may fail. And when it fails, the FCA’s enforcement language will not focus on the RTO or the RPO (recovery time and recovery point objectives). It will focus on whether the board knew it was vulnerable.

This is where the next enforcement cluster will land.

This article is provided for general informational purposes only and doesn’t constitute legal, investment, or regulatory advice.

Date: 15 December 2025
Written by: Asad Bukhory