
Operational Resilience Evidence: What Boards Must Be Able to Prove in 48 Hours

By Ali Zeb  ·  September 2025  ·  8 min read

The FCA and PRA's operational resilience framework has been in force since March 2022, with the deadline for demonstrating that firms can remain within their impact tolerances having passed in March 2025. For regulated firms that have been through this process, the question is no longer whether they have a framework. The question regulators are now asking is whether the framework works — and whether the board can evidence that it does, at short notice, under real conditions.

The forty-eight hour standard is not a formal regulatory requirement expressed in those terms. It is the practical reality of how regulators engage with firms following a major operational disruption. When a significant incident occurs — a sustained system outage, a cyber attack affecting service delivery, a third-party failure that cascades through critical processes — the regulator's first response is typically a supervisory letter or call within hours, requesting an initial assessment of the situation. Within forty-eight hours, they expect to understand what happened, which important business services were affected, whether the firm remained within its impact tolerances, what the customer impact was, and what the board was told and when.

Organisations that can answer those questions clearly, with evidence, within forty-eight hours are demonstrating the governance standard the regime was designed to produce. Those that cannot are revealing that their resilience framework exists on paper rather than in operational reality. The difference between the two positions, in terms of regulatory consequence, is material.

The evidence gap most boards have not closed

The operational resilience framework requires firms to map their important business services, set impact tolerances for each, identify the resources required to deliver them, and test that they can remain within those tolerances during a severe but plausible disruption. Most firms in scope have completed this mapping exercise and have documented impact tolerances. Significantly fewer have genuinely tested their ability to remain within those tolerances; many have instead run exercises that confirm their planning assumptions rather than challenging them.

The evidence gap that emerges under the forty-eight hour test typically takes one of three forms. The first is the measurement gap: the firm does not have a real-time mechanism for assessing whether it is within its impact tolerances during an incident. Impact tolerances exist as planning parameters but have not been operationalised into the monitoring and reporting infrastructure that would allow the organisation — and the board — to know, in near-real time, whether a disruption is within tolerance.

The second form is the cascade gap. Firms have typically mapped their important business services with reasonable accuracy, but have not fully modelled the dependencies between services and between underlying resources. A disruption that appears to affect one service in isolation may, under real conditions, cascade through shared technology, shared data, shared third parties, or shared people in ways that exceed the impact tolerance for services that were not initially affected. Exercises that test services in isolation systematically underestimate this risk.

The third form is the governance evidence gap. Even where the operational response works well, the board may be unable to demonstrate its engagement with the resilience programme because the minutes, decision logs, and oversight evidence that would establish this record are inadequate. Regulators assessing the governance response to an incident will ask what the board knew and when, what it directed, and how it satisfied itself that the firm's resilience position was adequate. If those answers cannot be evidenced from the board record, the governance standard has not been met regardless of the operational outcome.

"Having a resilience framework and being able to prove it works are two different things. In the forty-eight hours after a major incident, regulators will ask for evidence of the latter. Most boards are better prepared for the former."

Ali Zeb

Closing the gap: what boards should direct

Boards that want to close the evidence gap should direct their executive teams to address three specific areas. The first is real-time tolerance monitoring: the operational dashboards and escalation triggers that allow the organisation to know during a disruption whether it is within its impact tolerances, and to escalate to the board if it is not. This infrastructure should be built and tested before it is needed.

The second area is scenario testing that genuinely stresses the framework rather than confirming it. The most valuable tests are those that surface the cascade dependencies, the governance decision points, and the communication failures that theoretical exercises miss. A test that reveals a problem — a dependency that was not mapped, a decision pathway that does not work under pressure, a board notification that was slower than required — is a test that has done its job. A test that confirms all assumptions is a test that has produced false assurance.
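The following Python sketch is an added illustration, not part of the original article and not any firm's actual tooling. It models the two mechanisms discussed above: operationalising impact tolerances into a near-real-time check with a board escalation trigger (the measurement gap), and following shared-resource dependencies so that a disruption reported against one service surfaces the other services it cascades into (the cascade gap). Running the same incident with and without dependency-following shows why exercises that test services in isolation understate the breach position. Every service name, resource, tolerance, the 75% escalation threshold and the incident timing are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set

# Assumed policy: escalate to the board once 75% of a tolerance has been consumed.
ESCALATION_FRACTION = 0.75


@dataclass(frozen=True)
class ImportantBusinessService:
    name: str
    tolerance_hours: float        # maximum tolerable disruption (constructed value)
    resources: FrozenSet[str]     # technology, data, third parties and people it depends on


@dataclass(frozen=True)
class ToleranceStatus:
    service: str
    affected: bool
    cascaded: bool                # affected only through a shared dependency
    hours_disrupted: float
    tolerance_hours: float

    @property
    def breached(self) -> bool:
        return self.affected and self.hours_disrupted > self.tolerance_hours

    @property
    def escalate(self) -> bool:
        return self.affected and self.hours_disrupted >= ESCALATION_FRACTION * self.tolerance_hours


# Constructed sample mapping: note "core-banking" and "ops-team" are shared resources.
SERVICES = [
    ImportantBusinessService("Retail payments", 4.0, frozenset({"core-banking", "payments-gateway", "ops-team"})),
    ImportantBusinessService("Online banking", 6.0, frozenset({"core-banking", "web-platform", "identity-provider"})),
    ImportantBusinessService("Card issuance", 48.0, frozenset({"card-vendor", "ops-team"})),
    ImportantBusinessService("Mortgage servicing", 24.0, frozenset({"mortgage-platform", "ops-team"})),
]


def affected_by(services: Iterable[ImportantBusinessService], failed_resources: Set[str]) -> Set[str]:
    """Every service that depends on at least one failed resource."""
    return {s.name for s in services if s.resources & failed_resources}


def assess(services: List[ImportantBusinessService], failed_resources: Iterable[str], hours_elapsed: float,
           reported_services: Iterable[str], follow_dependencies: bool = True) -> List[ToleranceStatus]:
    """Tolerance position at a point in time. With follow_dependencies=False only the
    services the incident was reported against are considered (the 'isolated' view)."""
    reported = set(reported_services)
    affected = affected_by(services, set(failed_resources)) if follow_dependencies else reported
    return [
        ToleranceStatus(
            service=s.name,
            affected=s.name in affected,
            cascaded=s.name in affected and s.name not in reported,
            hours_disrupted=hours_elapsed if s.name in affected else 0.0,
            tolerance_hours=s.tolerance_hours,
        )
        for s in services
    ]


def breaches(statuses: List[ToleranceStatus]) -> List[str]:
    return sorted(s.service for s in statuses if s.breached)


def escalations(statuses: List[ToleranceStatus]) -> List[str]:
    return sorted(s.service for s in statuses if s.escalate)


def hours_remaining(statuses: List[ToleranceStatus]) -> Dict[str, float]:
    """Time left before each affected service breaches (negative once breached)."""
    return {s.service: s.tolerance_hours - s.hours_disrupted for s in statuses if s.affected}


def board_record(statuses: List[ToleranceStatus], hours_elapsed: float) -> List[str]:
    """Plain lines suitable for a timestamped incident log or board briefing."""
    lines = [f"T+{hours_elapsed:.1f}h tolerance assessment"]
    for s in statuses:
        if not s.affected:
            continue
        state = "BREACHED" if s.breached else ("ESCALATE" if s.escalate else "within tolerance")
        origin = "via shared dependency" if s.cascaded else "directly disrupted"
        lines.append(f"  {s.service}: {s.hours_disrupted:.1f}h of {s.tolerance_hours:.1f}h tolerance, {state} ({origin})")
    return lines


if __name__ == "__main__":
    # Constructed incident: core banking down for 5 hours, reported against Online banking only.
    failed, elapsed, reported = {"core-banking"}, 5.0, {"Online banking"}
    isolated = assess(SERVICES, failed, elapsed, reported, follow_dependencies=False)
    cascade = assess(SERVICES, failed, elapsed, reported)
    print("Isolated view breaches:", breaches(isolated))
    print("Cascade view breaches: ", breaches(cascade))
    print("\n".join(board_record(cascade, elapsed)))
```

The isolated view reports no breach at five hours, because Online banking is still inside its six-hour tolerance; the dependency-following view shows Retail payments already past its four-hour tolerance through the shared core-banking resource, and both services past the escalation threshold. The `board_record` lines are the kind of time-stamped artefact that lets a firm later evidence what was known, and when, within the forty-eight hour window.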

The third area is the board's own governance record. Boards should review their minutes from the past twelve months and ask whether a regulator reading them would conclude that the board actively governed the operational resilience programme. Did the board review testing results? Did it challenge the impact tolerances set for critical services? Did it direct remediation when testing revealed gaps? Did it satisfy itself that the organisation's most important business services were properly resourced? If the answer to any of these questions is not clearly evidenced in the record, the governance work is not complete regardless of what the underlying documents say.

Ali Zeb is an Executive Cyber Security Advisor, Non-Executive Director, and former advisory member at the FCA, NCSC, and Lloyd's of London Market Cyber Risk Committee. He advises regulated firms on operational resilience governance, evidence frameworks, and building board positions that will withstand regulatory scrutiny.

Disclaimer

The views and opinions expressed in these articles are those of the author, Ali Zeb, and are provided for general informational and educational purposes only. They are based on professional experience, independent research, publicly available information, and the use of artificial intelligence tools to support analysis and content development.

While every effort is made to ensure the accuracy and relevance of the information presented, no representation or warranty, express or implied, is made as to its completeness, accuracy, or suitability for any particular purpose. The content should not be relied upon as professional, legal, regulatory, or financial advice.

Readers are encouraged to seek appropriate independent advice specific to their organisation and circumstances before making any decisions based on the information contained in these articles.

To the fullest extent permitted by law, the author accepts no liability for any loss, damage, or consequences arising directly or indirectly from the use of, or reliance on, the information provided.
