🔴 FCA PS21/3 full compliance required since 31 March 2025. Firms are expected to operate within impact tolerances now. The FCA is actively supervising.
FCA PS21/3 · PRA SS1/21
In force: 31 March 2022 · Full compliance: 31 March 2025

Is your firm truly compliant with FCA Operational Resilience?

PS21/3 has been fully in force since 31 March 2025. Firms must now demonstrate they can remain within impact tolerances for every important business service — and the FCA is actively supervising. Rate your compliance now.

6 pillars · 52 requirements · ~15 min to complete · Free instant report
How to use this tool: Rate each requirement Red (R, not in place), Amber (A, partially in place), or Green (G, fully in place). Requirements are drawn directly from FCA PS21/3 (SYSC 15A), PRA SS1/21, and the FCA's published supervisory observations.

Ready to close these gaps?

ERM Plus has pre-built PS21/3 requirements into a fully configured operational resilience framework — covering IBS mapping, impact tolerance monitoring, scenario testing workflows, and Board self-assessment templates. Get compliant fast.

1 — Important Business Services (IBS) SYSC 15A.2
1.1 Identification
Identify all important business services using the FCA definition — services that if disrupted could cause intolerable harm to clients or pose a risk to soundness or market integrity
IBS register / identification methodology
Consider all relevant factors when identifying IBS — do not exclude a service based on a single criterion alone
Documented identification criteria and rationale
Determine IBS without reference to response or recovery capabilities — based solely on the harm that disruption would cause
IBS identification methodology document
Include services delivered by third parties on behalf of the firm within the IBS scope
IBS register including outsourced services
1.2 Ongoing review
Review IBS identification at least annually and following material changes to the business model, products, or services
Annual IBS review records
Ensure the governing body approves the IBS list and any changes to it
Board/ExCo approval records
Consider interactions and interdependencies between the firm's IBS and those of other firms including sub-contracting chains
Interdependency mapping documentation
Undertake horizon scanning to identify new and emerging risks that may affect the identification or delivery of IBS
Horizon scanning process / emerging risk log
2 — Impact Tolerances SYSC 15A.3
2.1 Setting tolerances
Set an impact tolerance for each IBS — the maximum tolerable level of disruption before intolerable harm would occur
Impact tolerance statements per IBS
Express impact tolerances in terms of quantitative metrics — typically time-based (maximum duration) but may also include volume, value, or number of customers affected
Quantitative IT metrics per IBS
Set impact tolerances based on the harm disruption would cause to clients and/or the soundness of the firm — not on recovery capability
IT-setting methodology / rationale document
Ensure governing body approves all impact tolerances and any changes to them
Board approval records
2.2 Operating within tolerances
Demonstrate the firm can remain within impact tolerances for each IBS — with testing evidence showing tolerances can be met
Testing evidence / scenario test results
Make and have made all necessary investments to enable the firm to operate consistently within impact tolerances
Investment records / remediation completion evidence
Maintain responsibility for operating within impact tolerances even where IBS delivery is outsourced to a third party
Outsourcing agreements with IT obligations / oversight records
Review and update impact tolerances at least annually and following material change or disruption
Annual IT review records
Monitor actual performance of each IBS against its impact tolerance on an ongoing basis with appropriate MI
Operational MI / performance monitoring reports
3 — Mapping & Dependencies SYSC 15A.4
3.1 Resource mapping
Map and document all people, processes, technology, facilities, and information needed to deliver each IBS
IBS resource maps / dependency documentation
Map all internal and external dependencies supporting each IBS — including technology systems, data, and infrastructure
Dependency maps per IBS
Include all third-party and supplier dependencies in mapping — including sub-contractors and cloud service providers
Third-party dependency register
Map interdependencies between different IBS — where the failure of one could affect the delivery of another
IBS interdependency matrix
3.2 Vulnerability identification
Identify vulnerabilities in the operational resilience of each IBS through the mapping and testing process
Vulnerability register / mapping outputs
Develop and maintain remediation plans for identified vulnerabilities — approved, funded, and appropriately governed
Funded remediation plans with governance sign-off
Track remediation plans to closure with evidence that vulnerabilities have been resolved through repeated scenario testing
Remediation tracker / closure evidence
Keep mapping up-to-date — review following material changes to resources, systems, third parties, or the business model
Mapping version control / change log
Map concentration risks — single points of failure in technology, people, or third parties that underpin multiple IBS
Concentration risk assessment
4 — Scenario Testing SYSC 15A.5
4.1 Testing framework
Develop and maintain a testing plan that describes how the firm will test its ability to remain within impact tolerances for each IBS
Operational resilience testing plan
Conduct scenario testing using a range of severe but plausible scenarios aligned to key risks and vulnerabilities affecting each IBS
Scenario test records / results
Include cyber incidents, system failures, third-party failures, and people disruption scenarios in testing
Scenario library / test coverage evidence
Test at a level of sophistication commensurate with the nature, size, and complexity of the firm and its IBS
Testing methodology / proportionality rationale
4.2 Testing outcomes
Use testing results to identify vulnerabilities and drive remediation — incorporate lessons learned into the resilience framework
Lessons learned log / remediation actions
Conduct testing at appropriate frequency — at minimum annually — with increased frequency following material change or disruption
Testing schedule / frequency rationale
Scrutinise third-party resilience testing — verify it meets the firm's own operational resilience requirements, not just the supplier's standards
Third-party test assurance evidence
Ensure governing body receives testing results and approves the response to findings including remediation plans
Board/ExCo papers on testing outcomes
Re-test resolved vulnerabilities through repeated scenario testing before closing out on the remediation plan
Re-test evidence / closure records
5 — Governance & Self-Assessment SYSC 15A.6
5.1 Governing body accountability
Ensure the governing body takes overall responsibility for operational resilience — directors must have demonstrable knowledge and experience
Board ToR / skills matrix / training records
Designate a senior individual (SMF) with responsibility for operational resilience and update Statement of Responsibilities accordingly
SMF designation / updated SoR
Embed operational resilience into the firm's culture, risk management, and business planning processes
Risk framework / strategy documents
5.2 Self-assessment
Produce a written self-assessment of the firm's operational resilience in line with FCA handbook guidance (SYSC 15A)
Completed self-assessment document
Self-assessment must include: IBS identified, impact tolerances set, mapping and testing completed, vulnerabilities found, remediation plans, and overall resilience strategy
Self-assessment covering all required elements
Have the self-assessment reviewed and approved by the governing body at least annually
Board approval of self-assessment
Retain the self-assessment and supporting evidence and be able to provide it to the FCA or PRA on request
Document retention policy / evidence archive
Maintain a consistent and iterative improvement approach — operational resilience is an ongoing obligation, not a one-time exercise
Continuous improvement programme / governance cadence
6 — Communications & Third Parties SYSC 15A.7 / 15A.8
6.1 Communications planning
Maintain a communications plan for use in the event of a disruption to an IBS — covering internal and external stakeholders
Disruption communications plan
Ensure communications plan covers clients, regulators (FCA / PRA), counterparties, and other relevant stakeholders
Stakeholder communications matrix
Test communications arrangements as part of scenario testing — verify they work under stress conditions
Communications testing evidence
Report operational incidents affecting IBS to the FCA / PRA appropriately — including under PS26/2 once in force (March 2027)
Incident reporting procedure / Principle 11 process
6.2 Third-party and outsourcing management
Conduct due diligence on third parties that support IBS delivery — assess their operational resilience against the firm's impact tolerances
Third-party due diligence records
Include operational resilience and impact tolerance obligations in contracts with material third parties supporting IBS
Contracts with OR clauses
Actively and continuously manage third-party resilience risk — including through testing where appropriate, not just contractual reliance
Third-party OR monitoring evidence
Maintain exit plans for critical third parties — ensure the firm can substitute or internalise services if a supplier fails
Third-party exit plans / substitutability assessment