Guest blog: Are you operationally resilient enough?

With all firms regulated by the Financial Conduct Authority (FCA) facing a March 2025 deadline to operate within impact tolerances for their important business services, Laura Moore from consultancy Protiviti and Dave Gardner from legal firm TLT shared their expertise on deploying operational resilience within organisations.

The first panel discussion at the 2024 Building Societies Annual Conference focused on a live issue for building societies and credit unions – operational resilience.

We asked Laura and Dave to talk through their top tips for building societies and credit unions getting to grips with the new requirements.

Dave Gardner, TLT LLP; Laura Moore, Protiviti

1. Are you seeing any trends / common practices across the building society sector around how operational resilience is being tackled?
 

Laura: Building societies are focusing on embedding resilience within their firms in line with key roles and responsibilities. Also advancing scenario testing is a key priority for identifying vulnerabilities ahead of the March 2025 deadline; ensuring all loss scenarios highlighted by the regulators are covered.

Dave: The FCA’s updates on operational resilience have highlighted some variability in the interpretation of their requirements, for example in defining the impact tolerances for their important business services. From Member feedback at Conference, some building societies are looking for guidance on how best to meet these new requirements. It’s likely that best practice and a degree of standardisation will develop over time, but every building society is unique and for the time being the focus should be on careful consideration and clear justification of your approach, rather than looking to follow a standard approach.

2. What tips do you have for firms to really take operational resilience to the next level and embed it fully in their organisations?
 

Laura: Firms should be asking ‘How resilient are we?’ and ‘Are we resilient enough?’ as opposed to ‘Are we compliant with the regulations?’. Shifting focus in this way means firms will naturally look to foundational areas such as BCP/DR, Change Management, Third-Party Management, Cyber and others to consider resilience through an Important Business Service (IBS) lens. The right management information (MI) is also key to obtaining value-adding insight and enabling more effective decision making, with firms maturing in this space as more MI becomes available.

Dave: Recent research by Continuity Central found that 87% of respondents from the Financial Services sector said regulatory compliance was their main motive for implementing operational resilience. I agree with Laura that this is the wrong place to focus. Though the process can be challenging, societies should look at this as an opportunity to mitigate the real and significant risks of disruption to their organisations and improve the quality and resilience of services to members. This requires leadership from the top of the organisation to drive thorough testing, learning and continual review as organisations change and external threats evolve.

3. Digital transformation is a burning platform for much of the sector - what principles of operational resilience should they be applying to working with new partners?
 

Laura: As the industry places more and more reliance on third parties (TP), it is essential that resilience is built into the traditional third-party risk management lifecycle. This includes considering ‘resilience by design’ when bringing on new TP or when there are changes to existing TP; conducting resilience due diligence assessments (initial and ongoing); communicating IBSs and impact tolerances, updating contractual obligations and strengthening SLAs to incorporate resilience requirements; developing a testing strategy that considers third parties; ensuring effective exit and contingency plans are in place; and enhancing reporting.

Dave: My practice at TLT is focussed on building successful collaborations between FS institutions and third party technology providers. The FCA’s Operational Resilience Rules require some specific provisions and protections to be included in third party contracts, but like the EBA and PRA Outsourcing Rules before them, many of those protections would be recognised by building societies (and providers!) as good contracting practice for prudent businesses contracting for critical services. The key is to ensure robust contracts are effectively managed, monitored and aligned to your overall operational resilience approach, for example by adopting a joined-up approach to reporting, testing, change management and communications.

4. What regulatory feedback have we seen coming from the FCA's thematic reviews on operational resilience and do we know what good looks like?
 

Laura: The FCA recently published their insights and observations for firms in the run up to 31 March 2025. Key messages include: ensuring supporting rationale for IBS determination, Impact Tolerance, Scenario Testing and Self-Assessments considers all FCA factors/minimum requirements; that testing also considers response plans, alongside recovery plans and plans are refreshed regularly alongside horizon scanning; reminding firms that, if a third-party supporting an IBS delivery fails to remain within impact tolerance, it is their responsibility; and the importance of embedding resilience.

Dave: The FCA’s observations on third-parties are interesting because they highlight the breadth of the exercise that firms must undertake to be able to comprehensively assess their vulnerabilities and operational risks. The FCA highlights the importance of actively managing and incorporating third parties into scenario testing. As we discussed in the Conference session, this needs to be more than a paper exercise – thorough testing can be helpful in uncovering gaps where contracts don’t align or communication plans don’t work as expected.

5. What regulatory developments do you see coming down the tracks, especially in the wake of the EU's Digital Operational Resilience Act?
 

Laura: In the UK, building societies will be awaiting the outcome of regulatory consultations on Critical Third-Parties. The EU’s Digital Operational Resilience Act (DORA) is also creating opportunities for firms to focus on risks relating to Information and Communication Technologies (ICT) and apply good practices from this prescriptive regulation across wider business practices which focuses predominately on ICT risk management, incident management and reporting, digital operational resilience testing and third-party risk management. The ability to consider and leverage good practice is also true of other global regulations which are adopting a more prescriptive approach to resilience regulation.

Dave: Operational resilience is rightly at the top of the agenda for regulators globally, given the substantial and ever-changing risk landscape that features increasingly complex supply chains, sophisticated cybercrime, the rise of AI and economic and political instability. The FCA has recently closed its own consultation on Critical Third Parties, the outcome of which will be interesting for building societies given the concentration of specialist providers in the sector. DORA will have a real impact on building societies in the UK because of its extra-territorial reach and focus on big tech. More broadly, the EU’s AI Act represents a landmark in the effort to regulate AI and mitigate the risks it poses to individual organisations and business ecosystems. Closer to home, as presented at Conference, developments in Open Banking also have the potential to disrupt the market for financial products. There is a lot to keep an eye on!

Find out more: Visit Protiviti and TLT LLP

This article was first published in the summer edition of Society Matters Magazine.
 
