UK Operational Resilience Framework: Overview, Scope & Reporting Requirements

Overview

What is the UK Operational Resilience Framework

The UK Operational Resilience Framework is a set of regulatory expectations and rules designed to ensure that UK-regulated financial services firms are able to prevent, adapt to, respond to, recover from, and learn from operational disruptions that could impact consumers, markets, or the financial system. Operational resilience focuses on a firm’s ability to continue delivering critical services despite severe but plausible disruptions in technology, people, processes, or third-party dependencies.

The framework is jointly developed and supervised by the Financial Conduct Authority (FCA), the Prudential Regulation Authority (PRA), and the Bank of England (BoE). It became fully enforceable for in-scope firms, with key implementation deadlines culminating on 31 March 2025.

Legal Context

Regulatory Authority

The operational resilience regime in the UK is overseen primarily by:

  • Financial Conduct Authority (FCA) — responsible for conduct and market integrity requirements.

  • Prudential Regulation Authority (PRA) — responsible for prudential aspects and expectations for key firms.

  • Bank of England (BoE) — contributes policy context and systemic oversight, especially for critical infrastructure and financial market infrastructure.

Key source policies include the FCA’s Policy Statement PS21/3 – Building Operational Resilience and the PRA’s Supervisory Statement SS1/21 – Operational resilience: Impact tolerances for important business services.

Applicability

Who Does the UK Operational Resilience Framework Apply To?

The UK Operational Resilience Framework applies to a broad range of financial services firms authorised by UK regulators, including:

  • Banks and building societies

  • PRA-designated investment firms

  • Insurers

  • Recognised investment exchanges

  • Firms authorised under the Payment Services Regulations and Electronic Money Regulations

These firms must embed resilience into their governance, risk management systems, and reporting structures.

Obligations

Core Obligations Under the UK Operational Resilience Framework

Under the UK framework, firms are required to:

  • Identify Important Business Services — services whose disruption could cause intolerable harm to clients or the wider UK financial system.

  • Set Impact Tolerances — maximum acceptable disruption thresholds for each important service.

  • Map Resources — document people, processes, technology, data, and third parties supporting those services.

  • Scenario Testing — regularly test severe but plausible operational disruptions to verify resilience.

  • Governance & Self-Assessment — embed accountability at board and senior management levels with regular self-assessment.

Reporting

Reporting & Data Requirements Under the UK Operational Resilience Framework

Regulators are increasingly focused on consistent operational incident reporting and third-party reporting to support oversight of systemic risks and third-party dependencies. Proposals under consultation seek to establish robust standards for incident definitions, reporting thresholds, and information flows to the regulators.

While the core framework to date has focused on capability and self-assessment, future supervisory expectations may include more formal reporting metrics tied to incidents and external dependencies.

Reporting

Operational Challenges in UK Operational Resilience

Firms commonly face challenges such as:

  • Defining and contextualising Important Business Services across complex product and operational structures.

  • Setting appropriate Impact Tolerances that balance risks and business realities.

  • Mapping extensive resource dependencies, especially across third-party service providers.

  • Designing and executing realistic scenario tests that yield actionable insights.

These challenges make operational resilience a continuous and evolving discipline rather than a “one-off” compliance task.

REGREP Solution

How REGREP Supports UK Operational Resilience

REGREP supports the technical and data infrastructure required to operationalise aspects of the UK Operational Resilience Framework through:

  • Centralised data capture and mapping of service-related information

  • Audit-ready documentation of resource and dependency mapping

  • Structured output supporting self-assessments and regulatory engagements

  • Integration with internal risk and incident management systems

REGREP’s platform provides infrastructure to support firms’ operational resilience objectives. It does not replace internal governance, risk ownership, or regulator judgement.

Supervisory Authorities Referenced

Links are provided for reference purposes only. REGREP is not affiliated with or endorsed by any regulatory authority.

Related REGREP Resources

Interested in operational resilience data readiness or resilience reporting?

Learn how REGREP supports structured data, mapping, and reporting to help fulfil UK operational resilience expectations.