Operational Resilience Update – Vulnerabilities and Remediation

Under Operational Resilience, a firm’s mapping and scenario testing should identify vulnerabilities that may prevent them from remaining within impact tolerance for severe but plausible scenarios.

Firms should have significantly advanced remediation activities for these vulnerabilities to ensure compliance by 31 March 2025. Remediation plans must be approved, fully funded, and well-governed, with closure evidence provided through repeated scenario tests to verify resolution.

As mapping and testing matures, new vulnerabilities may be identified, requiring ongoing remediation. Regular reviews should prioritise vulnerabilities that most threaten each firm’s ability to remain within impact tolerance. Enhancing testing across severe but plausible scenarios is crucial for identifying new and additional vulnerabilities. This approach ensures continuous improvement in identifying and addressing potential risks, maintaining resilience, and safeguarding important business services. The message is clear that operational resilience is not a one-time exercise… it is an ongoing activity that evolves and matures to identify, plan for, and address future emergent risks and vulnerabilities, and firms will be expected to establish a business function to ensure that a firm remains resilient throughout its lifetime.