A collaborative and valuable engagement. Stratiformis helped break down a complex regulatory subject matter into clear, actionable plans and business outcomes, and supported the end-to-end shaping and implementation of the program over 18 months. Having a trusted advisor and SME alongside our team meant a more efficient and focused delivery overall.
The Challenge
A specialist insurer operating in the global specialty market needed expert support in assessing readiness, mapping important business services (IBS) and resources, establishing controls and governance, and implementing requirements under the UK Operational Resilience regulatory framework (PRA / FCA). The regulation required detailed analysis of the organisation’s services, resources, and assets, including third-party dependencies, alongside the creation of processes and tools for scenario testing, lessons learned, and reporting within a robust governance environment.
Key challenges (reflective of the wider market) included:
- Regulatory uncertainty: Early ambiguity around expectations, proportionality, and documentation standards.
- IBS definition difficulties: Over- or under-identification and multiple refinement cycles.
- Impact tolerance calibration: Limited historical data and potential confusion with traditional RTOs and risk appetite.
- Fragmented data: Disconnected mapping information across legacy systems, with no single source of truth linking services to resources.
- Third-party visibility gaps: Incomplete supply chain transparency and inconsistent risk controls.
- Scenario testing immaturity: Shift required from technology-focused recovery tests to end-to-end severe but plausible disruption scenarios.
- Governance and ownership ambiguity: Accountability and operating models for resilience were initially unclear.
- Organisation-wide awareness needs: Education required to enable effective oversight and challenge.
- Framework integration complexity: Alignment with existing standards and frameworks across multiple jurisdictions.
Our Approach
Working alongside the CIO (SMF24) and engaging a broad stakeholder group (Operations, Technology, TPM, Legal, 2LoD, etc.), we led the end-to-end design and implementation of the client’s Operational Resilience framework. Key activities included:
- Programme mobilisation & gap assessment: Interpreted regulatory requirements, assessed maturity against current capabilities, and defined a realistic, comprehensive implementation roadmap.
- IBS identification: Aligned definitions with regulatory expectations and assessed risk and impact.
- Impact tolerance definition: Established thresholds and mechanisms for board approval.
- End-to-end service mapping & dependency analysis: Developed a complete view of people, processes, technology, third parties, data, and facilities supporting IBS.
- Resiliency standards & risk assessment: Established mechanisms for identifying vulnerabilities and assessing risk.
- Scenario testing design & execution: Enabled severe but plausible disruption scenarios and assessed the organisation’s ability to remain within impact tolerances.
- Remediation processes: Identified, tracked, planned, and executed actions to strengthen resilience capabilities.
- Governance, documentation & reporting: Embedded board oversight through structured self-assessment reporting.
A critical success factor was embedding the refreshed framework into BAU operations. We achieved this by integrating resilience into risk management, change management, third-party management, incident management, and business continuity processes, ensuring resilience by design, and by establishing ongoing governance and operational capabilities to sustain the framework.
The Outcome
- Comprehensive Operational Resilience Framework with supporting capabilities
- Complete IBS and Resource Map
- Strengthened Third Party Risk Management Framework
- Scenario Testing library and methodology
- Structured Self-Assessment Report (methodology, governance, and reporting)