PRA’s Operational Resilience Roadmap: Looking Ahead to the March 2025 Compliance Deadline

With the initial deadline of March 2022 in the rearview mirror, many firms are asking “what’s next” as they continue to build operational resilience programs in alignment with the Bank of England, the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA) published policy documents on operational resilience policy that applies to regulated organizations in the UK or firms providing services to the UK market.

As we look toward the full compliance deadline of March 2025, many firms are anxious to understand what other organizations are doing, what feedback is being provided from the FCA and PRA, and what they should be doing now to progress toward the next deadline.

Recently, David Bailey – who is the Executive Director, UK Deposit Takers Supervision, and responsible for PRA’s supervision of the UK’s banks, building societies, and credit unions – made a speech surrounding his initial observations and a few challenges organizations are facing. I wanted to take this opportunity to share some of the highlights from this speech as well as highlight some of the trends we’re seeing from our clients and customers.


For those that may not be well-versed in operational resilience or the finer points of regulation in the United Kingdom, let’s take a moment to level-set. As outlined by the FCA and PRA, there are a couple key checkpoints.

1. Defining Important Business Services (IBS) and Impact Tolerances were the first major milestones with initial compliance dates of March 31, 2022.

I won’t provide a lengthy explanation of those because some of the initial feedback will be the focus of this article. Let’s also look at what’s on the horizon:

2. Performing mapping and then stress testing an organization’s ability to remain within impact tolerances is the next major milestone with compliance dates set for March 31, 2025.

Mapping seeks to help an organization understand how an IBS is ultimately delivered to end-customers and markets, as well as understand all the required resources to deliver the IBS. Stress testing is just that, designing various exercising and testing strategies that can help prove that an organization can maintain operations within set impact tolerances.

Get The Getting Started with Operational Resilience Guide



Now I want to summarize a few key themes that are highlighted in this recent speech, as well as themes that we are seeing from our customers.

Topic 1: There’s significant variance in terms of how organizations are identifying and setting their IBSs and there really isn’t a “right” answer

The PRA uses an example from payment services and highlights the different ways organizations have defined a business service. These can range from the general, such as “Providing payment services,” to the specific “Provide payment services via the Faster Payments network.” The reality here is that there is no true answer, only an appropriate answer for your organization. Let’s look at some of the checks you can perform:

  • An IBS should be defined in a way that aligns to the value that is delivered
    Or in other words, how you define the outputs from a service informs the level of granularity required. If the output is simply “Process a money transfer,” it may be ok to keep it at a high-level. Be careful though, guidance does state that we shouldn’t bundle disparate outcomes.
  • End-to-end mapping will inform how an IBS is defined
    A huge part of operational resilience is understanding all the resource pillars necessary to deliver a service. If the processes and resources to deliver one part of an IBS is similar for different methods and there are only marginal differences, that may help the case in having the IBS be at a higher-level. For example, a firm processing payments may process both debit and credit payments; however, transactions for both payment types may use the same infrastructure, resources, and network providers. It may be ok to have one IBS in this example.
  • Plausible scenario development and stress testing can also help validate your IBS list
    Additionally, once you have an IBS identified, set an impact tolerance, and performed some level of mapping, applying severe yet plausible scenarios and using those scenarios as an input to developing your testing approach can also serve as a check and balance. As long as an IBS is susceptible to similar scenarios and the testing approach would be the same, it may also make the case to have the IBS defined at a higher-level.

The considerations above can help you determine if your IBS are set at the right level. And if you need assistance defining your organization’s important business services, download our Getting Started with Operational Resilience Guide or Book a Meeting with our team to discuss possibly leveraging a Frame Meeting to determine your important business services.

Topic 2: Setting Impact Tolerances is Difficult

One of the key challenges we’ve been hearing from clients (and is echoed in the statement from David Bailey) is that organizations are struggling with figuring out how to set impact tolerances. Different data points are likely to yield different conclusions and organizations seem to be preferencing certain types of impact over others. Let’s examine a few trends and sticking points below.

  • Firms are doing pretty well with evaluating customer and market impacts but struggle when considering safety & soundness and broader financial stability
    The recent speech highlighted that most firms have performed analysis for customer and market impact but analysis of other domains is lacking. There is some conflicting guidance at face-value which I am certain has played into how firms are assessing these areas. We keep hearing that impact tolerance is driven by external effects and firms should be less concerned with internal impact. Safety & soundness of a firm is seemingly measuring internal impact. The reality is that we want to look at this area to the extent that disruption creates catastrophic impact or knock-on effects that would eventually affect customers, markets, and financial stability. It isn’t just a driver of purely internal impacts.
  • Looking at all the different impact domains is yielding different results
    With the different high-level categories and domains (customer, market, safety & soundness, and financial stability), clients and participants are seeing different results. Generally, customer and market impacts are occurring fairly early, but safety & soundness impacts are occurring later. This makes total sense, given that we are worried about impacts to safety & soundness at the point they could create external issues. With these differences, it makes setting impact tolerances more of an art than a science and firms will need to employ some level of qualitative analysis to sort through disparate findings. However, there are expectations to be able to justify your decisions, so it remains a balancing act.
  • Most firms seem to be looking at days or weeks for impact tolerance
    If we look at RTOs in the business continuity discipline, we often think in terms of minutes, hours, or days; especially when we look at IT recovery. However, when we look at impact tolerances, we are seeing timeframes in terms of days, weeks, and beyond. This also makes logical sense, given that IBS are a combination of activities, processes, and resources; all of which are likely to have their own RTOs which, in aggregate, would need to be recovered in alignment with an impact tolerance. The word of caution here is to make sure that your stakeholders understand that there is a difference between RTO and impact tolerance and this difference can help you avoid timeframes that are too aggressive.

If you’re stuck and need a little help, download our Impact Tolerance Builder. It’s designed to help you effectively navigate this effort by offering a five-step framework to define impact tolerances and prepare to stress test them.

Next Up

As we see feedback and trends emerging, it will be important to understand how these will influence mapping and testing activities. While the next major checkpoint and full compliance deadline is March 31, 2025, I urge firms to start mapping and testing activities now to validate their IBS and help further confirm impact tolerances. Many are working to race to the finish line, but the reality is that all core activities, including setting IBS, establishing impact tolerances, conducting mapping, and stress testing, should be informing each other. There will likely be hiccups and changes along the way but acknowledging these realities can help your organization focus on what really matters and help identify the single points of failure, hidden cracks, and vulnerabilities that really need to be remediated.

Need Help?

If you find yourself stuck on your operational resilience journey, Castellan is here to help. Book a Meeting with our team and let’s discuss how to best achieve your resilience goals. In addition, check out our library of operational resilience resources.



Get The Getting Started with Operational Resilience Guide


Michael Bratton

Director of Consulting

Michael Bratton is Director of Consulting for Castellan. Michael has consulted with a diverse range of clients spanning numerous industry verticals and sizes. He specializes in translating business and organizational requirements into recovery strategies and response frameworks that help organizations effectively respond to disruptions. Michael has worked with numerous organizations to implement new programs, but also has a long-standing base of clients where he continues to serve as an active and trusted advisor.

Ready for some hands-on help? Let’s discuss how to best achieve your resilience goals.