Critical Third Parties? Critical Risk

Operational resilience has become a top priority

This year there is a clear shift from a reactive approach, dealing with the fallout after a disruption, to a proactive one that aims to detect and prevent it.

At the heart of this shift is our growing reliance on Critical Third Parties (CTPs): external providers whose failure could destabilise the financial system. With so many critical services now handled by a handful of major providers, managing CTP risk isn’t just a vendor management task; it’s a systemic concern.

Let’s unpack the regulatory changes, demystify CTP risk, show how resilience can become a competitive edge, and provide a simple roadmap for success. The goal is to prove that operational resilience isn’t a regulatory chore but foundational to protecting trust, driving innovation, and securing our place in the market.

The Regulatory Tsunami: A New Game

The UK’s push for operational resilience is a coordinated effort by the Bank of England (BoE), the PRA, and the FCA. They have set clear expectations: by March 31, 2022, firms had to identify their Important Business Services (IBS) and set impact tolerances for how much disruption each service could absorb. These are not arbitrary numbers; they are based on the end-to-end delivery of a service, including during periods of peak activity. The big deadline? March 31, 2025, by which firms must demonstrate, through mapping and scenario testing, that they can remain within those tolerances.

This isn’t about creating a new department; it’s about integrating resilience into the capabilities you already have, such as business continuity, crisis management, and cyber security, so that disruptions are detected and prevented before they take root.

A major new development is the CTP regime, which came into effect on January 1, 2025. The Financial Services and Markets Act 2023 gives HM Treasury the power to designate CTPs, bringing them under direct regulatory oversight by the Bank of England, PRA, and FCA. These regulators can now make rules for CTPs, gather information from them, and take enforcement action against them. Designated CTPs must meet eight Operational Risk and Resilience Requirements, covering everything from governance to incident management and even how they would terminate a service. CTPs also have to carry out their own self-assessments and test their ability to keep providing services under severe but plausible scenarios.

The Anatomy of Third-Party Risk

Our heavy reliance on third parties, especially for critical services, introduces complex, systemic risks that go way beyond a typical vendor management checklist.

One of the biggest issues is concentration risk. Many of us rely on a small number of major providers for services like cloud computing. If one of them has a major problem, it could hit multiple firms all at once, creating a systemic domino effect.

Cyber risk remains a large and urgent threat. Third-party issues are a leading cause of incidents reported to the FCA, so regulators now explicitly require CTPs to have robust cyber capabilities.

Then there’s the broader issue of service failure, from technology outages to natural disasters. Your resilience framework must be able to anticipate and recover from these events, which means having clear communication channels with your providers and regulators.

We can’t forget supply chain (Nth-party) risk either. CTPs rely on their own web of subcontractors, and you need a clear view of that chain to manage potential disruptions. The CTP regime now requires CTPs to manage the risks arising from their own essential providers.

And finally, exit risk is a critical concern. If a CTP can no longer provide a service, you need to be able to transition smoothly to a new provider or bring the service back in-house. This requires a planned exit strategy, something the CTP regime now explicitly addresses.

Managing these risks is tough, especially when data is fragmented and traditional risk teams lack the technical skills to assess it. Getting meaningful, consolidated insight to senior management is the real challenge.

It’s easy to see operational resilience as just another cost of doing business, a regulatory burden. That’s a mistake. A robust framework is a significant source of strategic value and competitive advantage.

  • Resilience builds trust. Customers expect our services to just work. Your ability to keep things running smoothly, even during a crisis, reinforces your reputation and earns customer confidence.
  • A commercial differentiator. Firms that can show they can withstand and recover from incidents have a tangible market advantage. This leads to greater investor confidence and a stronger competitive position. Regulators even expect firms to aim higher than basic compliance.
  • Resilience drives innovation and efficiency. The same investments you make to enhance resilience, such as modernising IT or data analytics, can also streamline operations and unlock new opportunities. AI, for example, can automate compliance tasks, freeing up your teams and reducing costs.
  • End-to-end service delivery. By using Important Business Services as your guide, you can prioritise investments and break down those frustrating organisational silos. It’s about seeing resilience as an outcome, not a function.

Blueprint for Action

For senior leaders, effective operational resilience and CTP management cannot simply be delegated. It requires a clear, actionable plan driven by executive leadership.

Strategic Governance and Oversight

The board is responsible for setting the overall strategy and risk appetite. More firms are creating dedicated committees to keep this agenda front and centre, moving from a product view to a customer-centric one.

Enhancing Skills and Proactive Communication

The right skills are in short supply, and gaps exist in most firms. Invest in upskilling and look outside for new talent and fresh perspectives. Be clear and consistent in your communication, both internally and with vendors and regulators, especially during and after a disruption.

Accountability via SMCR

The Senior Managers and Certification Regime (SMCR) is critical here. It assigns individual accountability, for example to the holder of the Chief Operations function (SMF24). But accountability can’t stop there; it should be a collective responsibility across the firm.

Data Driven Reporting

Your management information (MI) needs to be more than compliance metrics measured against appetite thresholds. It should provide real, forward-looking insight into the state of resilience to inform strategic decisions and investments.

A Resilient Risk Culture

The PRA notes that culture is foundational to resilience. Senior leaders must set the tone, encouraging transparency and empowering teams to speak up about issues without fear. This embeds resilience as a fundamental part of the business rather than a compliance exercise.

Rigorous and Collaborative Testing

Regular testing, including scenario-based stress testing, is a must. The CTP regime requires CTPs to run incident exercises jointly with the firms they serve, which is a welcome step toward finding and fixing issues together rather than in isolation.

Bottom Line

Operational resilience and the risks posed by Critical Third Parties are no longer side issues; they are central to financial stability and a key determinant of a firm’s success. The regulatory landscape has matured to address these systemic risks explicitly, and it demands a change in approach.

For senior leaders, the move from mere compliance towards genuine resilience is a continuous journey. It requires a strategic pivot: integrating resilience into core business strategy, building a proactive risk culture, and ensuring the right governance and accountability are in place.

By doing this, we not only protect ourselves from inevitable disruptions but also unlock new opportunities, drive efficiencies, and build lasting trust with our customers and the broader market.

We help Financial Services firms put these principles into practice, carry out risk and control assessments, and drive effective risk management. Interested in evolving your approach to risk management?

Info@Bannekr.com


With over 20 years of experience in financial services, Martin is a leading expert in regulatory compliance and risk management. He has worked with top-tier institutions to build resilient control environments and navigate complex regulatory landscapes.