Entity Configuration & IBS Mapping
Configuration
Important Business Services (IBS) Register — Enter up to 6 IBS
An Important Business Service is a service you provide to external end users (consumers or other firms) where disruption would cause intolerable harm — to consumers, market integrity, or your safety and soundness. FCA PS21/3 §3.2 · PRA SS1/21 §2
Examples by firm type: Payments — retail payment processing, open banking API, FPS participation. Banking — current account servicing, mortgage origination. Investment — order execution, custody. Insurance — claims processing, policy administration.
| # | IBS Name | Customer Segment Served | Max Tolerable Disruption | Severity if Breached | Primary Dependency |
|---|
Maximum tolerable disruption (MTD) should be expressed as a time duration — the point at which you would cause intolerable harm if the service remained disrupted. FCA expects firms to test against this threshold.
Programme Maturity Self-Assessment — Rate Each Dimension (0–4)
Scale: 0 = Not in place · 1 = Planning / in progress · 2 = Partially implemented · 3 = Implemented · 4 = Implemented, tested & board-reviewed. Questions cover FCA PS21/3, PRA SS1/21, and FFIEC BCP requirements as applicable.
D1
Identification
FCA PS21/3 §3 · PRA SS1/21 §3 · FFIEC BCP §II.A (BIA)
All Important Business Services (IBS) are documented, defined, and approved by board or senior management committee
FCA PS21/3 §3.2–3.8 · PRA SS1/21 §2.1
People, processes, technology, facilities, and information (PPTI+F) dependencies are mapped for each IBS
FCA PS21/3 §3.9–3.14 · FFIEC BCP §II.A.2
Impact tolerances are set for each IBS with specific, time-based metrics (e.g., "no more than X hours disruption to Y service") and measurable outcome indicators
FCA PS21/3 §4.2–4.9 · PRA SS1/21 §3.3
For US FFIEC: Business Impact Analysis (BIA) is completed identifying critical business functions, RTOs, RPOs, and maximum tolerable downtime per function
FFIEC BCP §II.A.3–II.A.5 (BIA)
D2
Scenario Testing
FCA PS21/3 §5 · PRA SS1/21 §4 · FFIEC BCP §III
Scenario testing programme is in place — severe but plausible disruption scenarios are defined for each IBS against impact tolerance thresholds
FCA PS21/3 §5.2–5.8
At least one end-to-end scenario test per IBS has been completed within the last 12 months — testing whether the firm can remain within its impact tolerances
FCA PS21/3 §5.9–5.14 · FCA March 2025 deadline
Third-party / outsourcing dependencies are included in scenario testing scope — testing covers recovery when a critical third-party is unavailable
FCA PS21/3 §5.15–5.20 · FFIEC BCP §III.D
Scenario testing outcomes are formally documented and result in improvements to the resilience programme — not treated as a compliance exercise only
FCA PS21/3 §5.21–5.25 · PRA SS1/21 §4.5
D3
Lessons Learned & Continuous Improvement
FCA PS21/3 §6 · PRA SS1/21 §5
Post-incident review process captures operational resilience findings — disruptions affecting IBS are reviewed against impact tolerance metrics
FCA PS21/3 §6.2–6.5
Scenario test outcomes are used to update IBS mapping, dependency maps, and impact tolerance assessments — evidence of cycle of improvement
FCA PS21/3 §6.6–6.8 · PRA SS1/21 §5.2
Identified vulnerabilities, single points of failure, and dependencies creating tolerance breaches are tracked to formal remediation with ownership and timelines
FCA PS21/3 §6.9
Lessons learned — including from industry-wide events and FCA thematic reviews — are incorporated into the firm's own programme
FCA PS21/3 §6.10 · FCA Operational Resilience Review 2024
D4
Third-Party & Outsourcing Resilience
FCA PS21/3 §5.15 · SS2/21 (PRA outsourcing) · FFIEC BCP §III.D
Critical third-party and outsourcing dependencies are identified and mapped to each IBS — concentration risk (same-provider across multiple IBS) is assessed
FCA PS21/3 §5.15–5.18 · PRA SS2/21
Contractual resilience provisions are in place for critical outsourcing — SLAs cover RTO/RPO, audit rights, sub-outsourcing controls, and notification obligations on failure
PRA SS2/21 §9 · FCA SYSC 8 / SYSC 13
Third-party operational resilience is assessed via audit, attestation, or equivalent — supply chain resilience beyond the immediate third party considered
FCA PS21/3 §5.19 · FFIEC BCP §III.D.3
Exit strategies and substitutability assessments are completed for critical third parties — the firm could exit and switch provider within a timeframe consistent with its impact tolerances
PRA SS2/21 §12 · FCA PS21/3 §5.20
D5
Governance & Board Oversight
FCA PS21/3 §7 · PRA SS1/21 §6 · FFIEC BCP §IV
The board or a board-delegated committee owns the operational resilience programme — responsibility is clear and documented
FCA PS21/3 §7.2–7.5 · PRA SS1/21 §6.1
Regular MI is provided to the board and management committee on IBS performance against impact tolerances — including any tolerance breach events and remediation actions
FCA PS21/3 §7.6–7.9 · FFIEC BCP §IV.A
The operational resilience programme has a defined annual review cycle — IBS register, impact tolerances, and dependency maps are updated at least annually and on material change
FCA PS21/3 §7.10 · PRA SS1/21 §6.3
For dual-regulated firms: FCA PS21/3 (consumer / market focus) and PRA SS1/21 (safety and soundness / financial stability focus) programmes are aligned and not duplicative
PRA SS1/21 §6.4 · FCA-PRA joint supervisory letter 2022
🔒 All inputs are processed locally in your browser. No data is transmitted. Do not enter real personal data — use synthetic or anonymised inputs only.
Educational Use Only
This tool provides a self-assessment / educational framework for internal planning purposes only. It is not a regulatory audit, legal advice, or a substitute for a formal compliance review by a qualified advisor. Verify all interpretations against the official source text and applicable RTS/ITS/guidance published by the relevant authority.
Operational Resilience Assessment
Programme Maturity Score
IBS Register & Impact Tolerance Scorecard
Gap Analysis
Scenario Testing Agenda
DORA Cross-Reference