Operational resilience under PS21/3: the small thing most firms miss
FCA PS21/3 has been in force long enough that most regulated firms now have impact-tolerance statements, critical-business-services maps, and scenario-testing playbooks. What our work surfaces, repeatedly, is that the scenario testing tends to be confined to the firm’s own systems. The third-party dimension is comparatively under-tested.
Why this matters now
The recent supervisory commentary makes clear that severe-but-plausible scenarios should include third-party dependencies – particularly cloud, custodian, and core platform suppliers. The reasoning is uncontroversial: a critical business service that depends on a single SaaS provider has a single point of failure, regardless of how resilient the firm’s own infrastructure is.
For private wealth firms, the typical third-party stack is fairly tight – a custodian, a portfolio platform, a CRM, a comms provider. For mid-tier professional services, it is broader and less curated. In both cases, the resilience evidence is only as strong as the weakest dependency.
A practical pattern
Three steps that produce auditable evidence in four to six weeks:
- Inventory third-party dependencies against critical business services, not just vendors-in-general.
- Run a tabletop exercise against the loss of one key third party, with the executive team present and timed.
- Document the gaps: missing runbooks, untested workarounds, communication chains that depend on the failed system.
The output is the artefact regulators ask for. The by-product – the firm now actually knows what would happen – is more valuable, and harder to come by.
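As an added illustration of the first two steps (this is not code from the original article or any firm's own tooling), the script below holds a constructed dependency inventory mapped to critical business services rather than to vendors-in-general, then simulates the loss of a single supplier against each service's impact tolerance, treating untested workarounds as absent. The service names, supplier names, tolerances and workaround times are all assumed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Dependency:
    supplier: str
    workaround_hours: Optional[float] = None  # time to recover via the workaround; None = none documented
    workaround_tested: bool = False           # an untested workaround is treated as a gap, not a control

@dataclass
class CriticalService:
    name: str
    tolerance_hours: float                    # impact tolerance from the firm's own statement
    dependencies: list[Dependency] = field(default_factory=list)

def simulate_loss(services, supplier):
    """Scenario: `supplier` is unavailable for the whole tolerance window.
    Returns {service name: 'unaffected' | 'within tolerance' | 'breach'}."""
    result = {}
    for svc in services:
        hit = [d for d in svc.dependencies if d.supplier == supplier]
        if not hit:
            result[svc.name] = "unaffected"
            continue
        # Every affected dependency needs a tested workaround that fits inside the tolerance
        ok = all(d.workaround_tested and d.workaround_hours is not None
                 and d.workaround_hours <= svc.tolerance_hours for d in hit)
        result[svc.name] = "within tolerance" if ok else "breach"
    return result

def single_points_of_failure(services):
    """Suppliers whose loss would breach the tolerance of at least one critical service."""
    suppliers = {d.supplier for s in services for d in s.dependencies}
    return sorted(s for s in suppliers if "breach" in simulate_loss(services, s).values())

# Constructed inventory for a small private wealth firm (all names and figures are made up)
INVENTORY = [
    CriticalService("Client trade execution", tolerance_hours=4, dependencies=[
        Dependency("CustodianCo", workaround_hours=2, workaround_tested=True),    # phone dealing desk
        Dependency("PortfolioPlatform"),                                           # no workaround documented
    ]),
    CriticalService("Client reporting", tolerance_hours=48, dependencies=[
        Dependency("PortfolioPlatform", workaround_hours=24, workaround_tested=False),  # never exercised
        Dependency("CRMVendor", workaround_hours=8, workaround_tested=True),
    ]),
    CriticalService("Client communications", tolerance_hours=8, dependencies=[
        Dependency("CommsProvider", workaround_hours=1, workaround_tested=True),
    ]),
]

if __name__ == "__main__":
    for supplier in sorted({d.supplier for s in INVENTORY for d in s.dependencies}):
        print(supplier, simulate_loss(INVENTORY, supplier))
    print("single points of failure:", single_points_of_failure(INVENTORY))
```

The list of breaches per supplier is the starting agenda for the tabletop exercise, and each "breach" entry is a gap to record under the third step.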