Operational resilience of the financial sector

We make sure banks and firms that offer financial services in the UK can overcome disruptions

Overview

We work to make sure the financial sector in the UK is resilient to any operational disruptions. Financial firms and Financial Market Infrastructures (FMIs) must have robust plans in place to deliver important business services, no matter the disruption. This includes man-made threats such as physical and cyber attacks, IT system outages and third-party supplier failure. It also includes natural hazards such as fire, flood, severe weather and pandemic. By ‘operational resilience’, we mean the ability of firms and the financial sector as a whole to prevent, adapt, respond to, recover from, and learn from operational disruptions. 

The sector includes banks, building societies, insurers and FMIs. The Bank of England and our Prudential Regulation Authority (PRA) carry out this work with the UK's two other financial authorities: HM Treasury and the Financial Conduct Authority (FCA). If you work for a firm or an FMI and need more information, please contact your supervisory team.

Our objectives

We address risks to operational resilience from the interconnectedness of the financial system and the complex and dynamic environment in which firms operate. Disruptions can affect firms’ safety and soundness, undermine policyholder protection, and, in some cases, affect financial stability. Our approach to operational resilience is based on the assumption that, from time to time, disruptions will occur which will prevent firms from operating as usual and see them unable to provide their services for a period. Our objective is to improve the resilience of both firms and the wider financial sector to operational disruptions.

Toolkit outcomes

Build firms' operational resilience - Firms build their resilience such that when severe but plausible disruption occurs, it does not impact financial stability, safety and soundness and (for insurers) policyholder protection. Firms must ensure high standards of IT and cyber resilience, including risks due to third party dependencies.

Build systemic operational resilience - Firms and the Bank work together to ensure the sector is resilient to systemic operational risks, such that when they crystallise, they do not impact the financial stability of the UK. Third parties must be sufficiently resilient to support this outcome. It is important that firms are able to contribute to sector-wide incident response and are able to learn and evolve when failures occur.

Manage operational risks - Firms manage operational risks to limit the likelihood and impact of losses as a result of operational risks. They set aside capital such that crystallisation of risks is unlikely to impact firm safety and soundness.

Operational Resilience outcomes are enabled by a firm level toolkit and a system level toolkit. The system level toolkit comprises:

  • Collective action and incident response
  • Sector exercising
  • Third party oversight
  • Cyber Operational Resilience Stress Test
  • FPC Impact tolerances

Firm level toolkit

Operational resilience policy

Our Financial Policy Committee (FPC) looks at the resilience of the system as a whole. Our Prudential Regulation Committee (PRC) and Financial Market Infrastructure Committee (FMIC) focus on the operational resilience of the firms and FMIs we regulate.

In summary, we ask firms to:

  • identify important business services – boards and senior management must identify and prioritise services that, if disrupted, would impact our objectives and the public interest;
  • set impact tolerances – firms must say to what extent they would be able to continue important business services after severe but plausible disruptions; and
  • ensure they can remain within impact tolerances – firms must map their important business services and test their capacity to continue them to the agreed extent; where firms identify vulnerabilities that might stop them from remaining within impact tolerances, these should be addressed.
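The three steps above (identify important business services, set impact tolerances, then map dependencies and run severe but plausible scenarios against them) can be made concrete with a small model. The following is an added illustration written for this page, not Bank of England or PRA code; every service, resource, tolerance and scenario in it is constructed, and the assumption that an unaffected fallback can substitute immediately is a deliberate simplification that a real test would have to evidence.

```python
"""
Worked illustration of an SS1/21-style self-assessment loop (added example,
not PRA code): map important business services to the resources they depend
on, set an impact tolerance per service, run constructed scenarios and report
which dependencies would push a service outside its tolerance.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Resource:
    """A mapped dependency: an internal system, a site, or a third-party service."""
    name: str
    recovery_hours: float            # time to restore the resource after it fails
    fallback: Optional[str] = None   # resource that can substitute while it is down


@dataclass(frozen=True)
class ImportantBusinessService:
    name: str
    impact_tolerance_hours: float    # maximum tolerable disruption for this service
    depends_on: FrozenSet[str]       # names of the Resources it needs


@dataclass(frozen=True)
class Scenario:
    name: str
    failed: FrozenSet[str]           # resources taken out in this severe but plausible scenario


@dataclass(frozen=True)
class Finding:
    service: str
    scenario: str
    outage_hours: float
    within_tolerance: bool
    driver: Optional[str]            # the dependency that determined the outage length


# --- constructed sample data (hypothetical firm) -----------------------------
RESOURCES: Dict[str, Resource] = {r.name: r for r in [
    Resource("core-ledger", 12.0),                              # no fallback
    Resource("payments-gateway", 6.0, fallback="payments-gateway-dr"),
    Resource("payments-gateway-dr", 6.0),
    Resource("cloud-provider-x", 24.0),                         # third party, no fallback
    Resource("primary-dc", 48.0, fallback="secondary-dc"),
    Resource("secondary-dc", 48.0),
]}

SERVICES: List[ImportantBusinessService] = [
    ImportantBusinessService("Retail payments", 8.0,
                             frozenset({"core-ledger", "payments-gateway", "primary-dc"})),
    ImportantBusinessService("Customer account access", 24.0,
                             frozenset({"core-ledger", "cloud-provider-x"})),
]

SCENARIOS: List[Scenario] = [
    Scenario("Ransomware on payments gateway", frozenset({"payments-gateway"})),
    Scenario("Loss of primary data centre", frozenset({"primary-dc"})),
    Scenario("Core ledger corruption", frozenset({"core-ledger"})),
    Scenario("Cloud provider outage", frozenset({"cloud-provider-x"})),
    Scenario("Loss of both data centres", frozenset({"primary-dc", "secondary-dc"})),
]


def outage_for(service: ImportantBusinessService, scenario: Scenario,
               resources: Dict[str, Resource]) -> Tuple[float, Optional[str]]:
    """Longest recovery among the service's failed dependencies that have no working fallback."""
    worst, driver = 0.0, None
    for dep in sorted(service.depends_on):
        if dep not in scenario.failed:
            continue
        res = resources[dep]
        if res.fallback is not None and res.fallback not in scenario.failed:
            continue  # simplification: an unaffected fallback takes over immediately
        if res.recovery_hours > worst:
            worst, driver = res.recovery_hours, dep
    return worst, driver


def run_scenario_tests(services, scenarios, resources) -> List[Finding]:
    """Evaluate every service against every scenario and record whether it stays within tolerance."""
    return [
        Finding(svc.name, sc.name, hours, hours <= svc.impact_tolerance_hours, driver)
        for svc in services
        for sc in scenarios
        for hours, driver in [outage_for(svc, sc, resources)]
    ]


def vulnerabilities(findings: List[Finding]) -> Dict[str, List[str]]:
    """Dependencies that drive at least one tolerance breach, with the services they affect."""
    out: Dict[str, set] = {}
    for f in findings:
        if not f.within_tolerance and f.driver is not None:
            out.setdefault(f.driver, set()).add(f.service)
    return {dep: sorted(svcs) for dep, svcs in sorted(out.items())}


if __name__ == "__main__":
    results = run_scenario_tests(SERVICES, SCENARIOS, RESOURCES)
    for f in results:
        status = "within" if f.within_tolerance else "BREACH"
        print(f"{f.service:<24} {f.scenario:<32} {f.outage_hours:>5.1f}h {status} ({f.driver})")
    print("Vulnerabilities to remediate:", vulnerabilities(results))
```

The output table is the kind of evidence a self-assessment would summarise: the boundary case (a 24-hour third-party outage against a 24-hour tolerance) passes but leaves no margin, while the single points of failure with no fallback are the ones that surface as vulnerabilities to be addressed.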

The Operational resilience policy SS1/21 refers to the ability of firms, their groups, and the financial sector as a whole to prevent, adapt to, respond to, recover from, and learn from operational disruptions. The PRA assumes such operational disruptions are inevitable, requiring firms to manage periods of service interruption effectively. 

SS1/21 requires firms to prepare a written operational resilience self-assessment of compliance with the policy. The aim of the self-assessment is to document a firm's resilience journey, identifying risks that could prevent it from delivering its important business services within impact tolerances in severe but plausible scenarios. The self-assessments help a firm's Board and senior management make informed investment decisions to address resilience gaps. Our role is to review these self-assessments and evaluate firms' progress in implementing the policy, e.g. by gaining insight into their vulnerabilities, remediation strategies, and investment timelines.

We assess the status of a firm’s implementation of Operational Resilience policy SS1/21. This includes reviewing:

  • the important business services, impact tolerances and additional metrics
  • details as to scenario testing, results and assurance obtained that the firm can remain within impact tolerances in severe but plausible scenarios
  • firms’ identification of risks, threats, and vulnerabilities through mapping, testing and live incidents
  • response and recovery actions, remediation plans and timelines

Firms’ self-assessments allow us to identify good practices at an individual firm level while also facilitating thematic comparisons, helping us build a clearer picture of systemic operational resilience across the industry.

Incident management and reporting

The PRA is currently proposing to establish a framework for timely, accurate and consistent reporting of certain operational incidents, and notification and reporting of material third-party arrangements. The proposals set out clear and robust requirements and expectations for regulatory reporting which aim to support the operational resilience of the UK financial sector and enhance the PRA’s understanding of sector threats and vulnerabilities. 

These proposals will allow the PRA to collect data which would be used to monitor and respond to potential risks arising from operational incidents and firms’ increasing reliance on third parties in an effective but proportionate manner and advance the PRA’s objectives of firm safety and soundness, and policyholder protection.

Third party management

The PRA’s current policy on how PRA-regulated financial services firms (banks and insurers) should manage their outsourcing and third-party risk management is set out primarily in Supervisory Statement (SS) 2/21 ‘Outsourcing and third party risk management’, which was published in March 2021. The Bank of England has a near-identical set of policies for financial market infrastructure firms, such as clearing houses and payment systems (The Bank of England’s policy on outsourcing and third party risk management for Financial Market Infrastructures (FMIs)).

These policies: 

  • complement the PRA’s policy on operational resilience; 
  • modernise the PRA’s expectations to take into account firms’ growing reliance on new technologies; 
  • facilitate greater resilience and adoption of the cloud and other new technologies; and 
  • promote consistency with international regulatory standards. 

SS2/21 covers the entire lifecycle of an outsourcing and third party arrangement i.e.: 

  • due diligence; 
  • contractual phase; 
  • ongoing monitoring of the service provider; 
  • data security (particularly relevant in a cloud context); and 
  • business continuity, contingency planning and exit strategies. 

Our approach to monitoring compliance with those expectations is by full or partial reviews of firms’ third-party risk management (“TPRM”) frameworks, assessment of firms’ periodic material outsourcing notifications (“MONs”), and monitoring of themes from our outsourcing register, leveraging information from individual firms’ returns.

Our assessments can target how a firm’s TPRM complies across all sections of SS2/21, or we can undertake a deep dive into specific elements to form a view, e.g. governance and oversight, data management, or contingency and exit planning.

We periodically evaluate the effectiveness of our policies (including SS2/21) and may update them in due course to reflect developments in industry practice, changes to the risk landscape, etc. In December the regulators jointly issued a Consultation Paper on Operational Incident and Outsourcing and Third Party Reporting.

Operational risk framework

Our role is to assess whether a firm's Operational Risk Management Framework enables it to effectively identify, assess, monitor, report and manage the material operational risks to which it is or might be exposed, in line with Board-approved business strategy and risk appetite. The objective of our work is to evidence that firms identify their material operational risks in a timely manner and that the resulting risk set is complete, accurate and relevant, by reviewing:

  • the Risk & Control Self Assessment (RCSA) process, the risk, control and causal taxonomies, and the relevance, timeliness, accuracy and completeness of MI reporting to key risk and management committees; and
  • the effectiveness of key risk indicators in proactive risk appetite/tolerance monitoring.

We are further responsible for assessing whether firms hold sufficient capital to mitigate the impact when operational risks crystallise. This supports the Internal Capital Adequacy Assessment Rules, which require us to assess whether a firm’s own funds and internal capital are adequate to cover the level of the risks to which it is or might be exposed and reflect the firm’s operational risk profile.

ICT & Cyber resilience

Operational disruption to important business services could impact financial stability, threaten the safety and soundness of individual firms and FMIs, and cause harm to consumers and other market participants in the financial system. In this context, firms and FMIs should assess their cyber risk and build adequate resilience capabilities to prepare for, and respond to, cyber events and incidents that could cause operational disruption. To maintain the cyber resilience of the financial sector and to support our supervisory oversight, we have developed cyber assessment tools. They include CBEST, STAR-FS and CQUEST.

CBEST

CBEST provides a framework for regulators to work with firms using a simulated cyberattack. This allows firms to explore how an attack on the people, processes and technology behind their cyber security controls could be disrupted. We base the simulated attacks on present cyber threats, including the approach a threat actor may take to attack a firm and how they might exploit the information about it that is available online.

The aim of CBEST is to:

  • test a firm's defences
  • assess its threat intelligence capability
  • assess its ability to detect and respond to a range of external attackers as well as people on the inside

Firms use the assessment to plan how they can strengthen their resilience.

An accredited service provider carries out the simulation. It acts within legal, ethical and moral constraints. It aims to get through a firm's defences following the stages of the cyber kill chain. It also assesses whether the confidentiality, integrity or availability of the systems and processes that deliver a firm's important business services can be compromised.

CBEST Thematic review

The annual CBEST thematic is intended to inform the sector on the findings and lessons learned from our CBEST programme, which assesses the cyber resilience of key financial institutions through security testing performed in ‘live’ corporate environments.

STAR-FS

STAR-FS (Simulated Targeted Attack and Response assessments for Financial Services) is part of the PRA and FCA supervisory toolkit, to assess the cyber resilience of firms' important business services. This assessment enables regulators and firms to better understand vulnerabilities and take remedial actions, thereby improving their resilience and, by extension, the wider financial system. 

It promotes a threat-led penetration testing approach that mimics the actions of cyber threat actors intent on compromising an organisation's important business services as well as the technology assets and people supporting them.

An implementation guide and supporting templates are available. If your firm is interested in conducting a STAR-FS assessment please contact your supervisor. STAR-FS aims to provide:

  • an outcome-based assessment of financial institutions' protection, detection and response technical capabilities against cyber-attacks;
  • an approach, conducted through a firm-led delivery model, that can identify cyber resilience vulnerabilities within systems, people and processes;
  • reduced regulatory and firm effort relative to other supervisory technical assessments such as CBEST;
  • levels of independent technical assurance beyond those ordinarily included in firms' own penetration testing programmes; and
  • a testing approach accessible by a larger number of financial institutions to experience and learn from.

CQUEST

CQUEST forms part of the Bank and PRA/FCA's supervisory toolkit to gauge the cyber risk and resilience capabilities of the sector. CQUEST can also be used by other firm(s) as a self-assessment tool to consider their own cyber risk and resilience maturity. The CQUEST questionnaire (below) comprises 50 questions with multiple-choice answers across six domains: Governance and Leadership, Identify, Protect, Detect, Respond and Recover.

To achieve a reliable outcome, an organisation should identify and direct a competent party with appropriate knowledge and experience of the business and cyber capabilities in the firm(s) to complete the CQUEST questionnaire. When CQUEST is used to inform regulatory activities, supervisors might provide additional guidance and/or they could request evidence or clarifying information in response to a firm or FMI's answers.

The latest version of CQUEST builds upon the previous questionnaire, and encompasses lessons learned from good practice frameworks and feedback from supervisors and firms. The PRA and FCA continue to review the performance of their supervisory tools to achieve their statutory objectives and for the sector's benefit. Specific instructions on how to complete the questionnaire are provided in the CQUEST cover sheet.


System level toolkit

Collective action and incident response

The Cross Market Operational Resilience Group (CMORG) leads sector-wide collective action on operational resilience. The group is made up of about 25 members: firms across retail, wholesale, FMIs and insurance, the financial authorities and the National Cyber Security Centre. Its co-chairs are senior executives of the PRA and UK Finance.

CMORG has three core objectives:

  1. Identify risks to the resilience of the financial sector.
  2. Develop solutions to improve the operational resilience of the sector.
  3. Share knowledge.

CMORG-endorsed capabilities (including good practice guidance, response frameworks and contingency tools) have been developed collectively by industry to support the operational resilience of the UK's financial sector. The financial authorities support the development of these capabilities and collective efforts to improve sector resilience. However, their use is optional and they do not constitute regulatory rules or supervisory expectations. As such, they may not necessarily represent formal endorsement by the authorities.

Specialist subgroups support CMORG. They design, manage and deliver operational resilience improvements for the sector. The work of these groups is voluntary. Their chairs meet regularly to discuss CMORG's activities and identify areas for more collaboration. A Project Management Office (PMO) also supports CMORG. It is jointly resourced by us and UK Finance. 

The Financial Services Cyber Collaboration Centre (FSCCC) is a CMORG-led partnership. It aims to help identify, investigate and co-ordinate the response to incidents that may have consequences for the financial sector. It analyses and distributes information to produce timely outputs for the sector's benefit.

Incident response

What happens if there is a disruption in the financial sector? 

Individual firms should contact their usual business or supervisory contacts at the Bank or the FCA. The sector's response is facilitated by the Sector Response Framework (SRF). It sets out how organisations across the sector and government are connected. It also explains how they may respond to incidents individually and together when the impact becomes broader than a single firm or FMI and requires co-ordination, information-sharing or collective action.

Its purpose is to: 

  • allow firms, FMIs and the sector to make collective, timely, informed decisions in response to incidents
  • provide a reference to good practice, contingency tools and plans, which may be invoked as part of a sector response
  • include decision makers and subject matter experts
  • be organised on a modular basis, so that components of the SRF can respond
  • be recognised by the financial authorities as the principal structure by which the sector will respond to incidents
  • support collaborative engagement between the sector and the UK's financial authorities (see below)
  • be able to engage with frameworks in other jurisdictions, if required

The UK's three financial authorities are the Bank (including the PRA), the FCA and the Treasury. If disruptions have the potential to impact the whole sector, these authorities act together. The Authorities Response Framework (ARF) co-ordinates their response. 

The Sector Response Framework is available from CMORG.


Sector exercising

The Bank works collectively with the sector to coordinate and deliver a range of exercises to strengthen the operational resilience of the UK financial system. 

The most prominent of these is SIMEX—a biannual, market-wide simulation conducted through a public-private partnership between industry participants and financial authorities. SIMEX performs a unique role in bringing the sector together to address the most challenging and complex risks that individual firms cannot manage alone. 

These sector-wide exercises are based on our collective approach to resilience, working together with industry to identify emerging risks and build new capabilities to enhance the system’s overall resilience.

Third party oversight

The Bank of England (Bank), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) (collectively ‘the regulators’) are the authorities responsible for regulating and overseeing critical third parties (CTPs) to the UK financial sector.

Regulated firms and financial market infrastructure providers (FMIs) are increasingly dependent on certain third parties for the delivery of functions and services that are essential to the stability of, or confidence in, the UK financial system. In some cases third parties can become so critical that no single firm can adequately monitor or manage the systemic risks a third party poses.

The oversight of CTPs aims to reduce the risk of systemic disruption by setting outcomes-focused requirements on CTPs' operational risk management and resilience capabilities. 

The CTP regime complements the existing requirements and expectations for firms under the SS1/21 operational resilience policy and the SS2/21 outsourcing and third party risk management policy linked above. Together with the other elements of this toolkit, these measures seek to strengthen the sector’s resilience to systemic operational risks. This ensures that when such risks crystallise, they do not threaten the stability of the UK financial system.


Cyber and operational resilience stress test (CORST)

The Cyber and Operational Resilience Stress Test (formerly the Cyber Stress Test 'CST') is a key part of the Bank’s toolkit on macroprudential operational resilience. The outcomes of cyber and operational resilience stress testing inform the FPC’s monitoring of sector operational resilience and its articulation of its tolerance for disruption to vital services. The objectives of testing are to:

  • Provide insight into sector vulnerabilities and the financial stability impacts and residual risk of severe but plausible operational disruption to vital services. 
  • Explore firm and sector capabilities to respond to, and recover from operational disruption, and to mitigate financial stability impacts.
  • Share lessons to support firms in maturing their approach to operational resilience and financial stability, including firms’ role as systemic risk managers.

Firms are invited to participate in CORST on a voluntary basis, and they self-identify lessons and remediation actions. Actions that require cross-firm cooperation are often progressed through established collective action forums or voluntary groups.

The test aims, over time, to explore all systemically important firms and provide insight into not just the impacts of disruption to the services they provide, but also the impacts on their customer firms and from their third parties. Participation may be direct, indirect through co-operation with a direct participant, or through engagement at cross-firm workshops.

The CST24 thematic letter, which provides thematic findings from the 2024 test, also provides resources to support firms’ role in mitigating potential financial stability impacts of disruption to their services.


FPC Impact tolerance for financial stability

The FPC updated its impact tolerance for payments and settlements following CST22. This was published in the March 2023 FPC Record.

  • The FPC expected the financial system to have the capability to complete critical payments by the end of the value date in severe but plausible scenarios; timely recovery of service delivery was the first best way firms could prevent adverse material economic impacts. 
  • In such instances where restoring services would be harmful for financial stability, or impossible, alternative mitigating actions might be appropriate. Firms should therefore plan, prepare and test for such situations and invest so that their response could effectively mitigate any impact on financial stability until service delivery was restored.
  • An example of mitigation may be providing an overdraft to a retail banking customer, so that they may still be able to make purchases, despite a disruption to the payment systems which may have prevented the normal ‘payment’ being completed.

In the Financial Stability in Focus (FSIF), the FPC noted it would regularly review the operational resilience policy toolkit – with regard to new threats, changes in technology and changes in how the financial system provides vital services – and will explore ways to continue to build system-wide resilience to operational disruption. 

In addition to the tools mentioned above, the FPC does this for example through assessing potential system-wide gaps in, or risks to, operational resilience which are not adequately covered by firm-level or microprudential policies and considering whether to set impact tolerances for additional vital services beyond payments.

The committee has published its macroprudential approach to operational resilience in FSIF and sets out its priorities twice a year in its Financial Stability Report.

This page was last updated 09 July 2025