FCA Report: Most Firms Still Failing Resilience Tests
By Jonathan Justus | jonnynow.com | 2 May 2026
More than a year after the UK's Financial Conduct Authority made operational resilience mandatory for regulated firms, its March 2026 review found widespread gaps in how organisations identify vulnerabilities, test continuity, and communicate under stress — raising uncomfortable questions for boards well beyond the financial sector.
On 27 March 2026, the FCA published "Operational Resilience: Insights and Observations One Year On", a report based on its review of firms' annual self-assessments. The findings were pointed. Across critical areas — mapping, scenario testing, and communications planning — a significant proportion of firms fell short of the standard the regulator had set. The publication landed at a moment when the global governance, risk and compliance market was valued at USD 52.58 billion and growing at a compound annual rate of 15.9 per cent, according to Grand View Research, underscoring how much organisations worldwide are investing in getting this right.
The stakes are not merely regulatory. Research cited by business continuity specialists consistently shows that up to 80 per cent of organisations without effective continuity arrangements fail within 18 months of a major operational disruption. Governance is not a compliance exercise; it is a survival discipline.
Key Statistic
Up to 80% of businesses without effective continuity arrangements fail within 18 months of a major disruption.
Source: Business continuity sector research, cited by Symbiant (2026)
The Mapping Blind Spot
The FCA's review found that many firms had narrowly mapped only the technology supporting their important business services, overlooking equally critical factors: people, processes, facilities, information flows, and third-party dependencies. The regulator described this as a significant gap, noting that third-party vulnerability identification and remediation remained underdeveloped in a large share of submissions.
For operational leaders outside financial services, the lesson is transferable. An organisation that maps only its IT stack has understood, at best, half its resilience picture. The human layer — who holds critical knowledge, who manages a key supplier relationship, who can authorise a continuity decision at 2 a.m. — often determines whether a disruption becomes a manageable incident or a business-ending event.
Scenario Testing: Confidence Without Evidence
One of the more striking observations in the FCA's report concerned scenario testing. Some firms, the regulator noted, had stated there was no scenario from which they could not recover — yet provided no evidence of having tested that claim against sufficiently severe disruptions. The FCA labelled this a concern, not a reassurance.
Effective scenario testing requires deliberate adversarial thinking: assuming key systems are unavailable, assuming key personnel are unreachable, and assuming that normal communication channels have failed simultaneously. Organisations that test only the scenarios they expect to survive are rehearsing optimism, not resilience.
Communications: The Overlooked Pillar
The FCA also highlighted a recurring weakness in communications planning. In a number of firms, there was limited evidence that communications strategies were tested within scenario exercises, or that plans existed to maintain stakeholder contact if primary channels failed. During a real disruption, the inability to communicate a coordinated response can itself amplify the damage — eroding customer trust, destabilising supplier relationships, and alarming regulators.
Leading organisations are now incorporating communications cascades — pre-agreed protocols for internal escalation, customer notification, and regulatory disclosure — directly into their resilience frameworks. These are not afterthoughts; they are integral to the governance structure.
From Compliance to Corporate Strategy
The broader shift the FCA report reflects is one already visible across sectors: operational resilience is migrating from the compliance function to the boardroom agenda. Over 70 per cent of large organisations now maintain formal resilience programmes, according to Piranha Risk's 2026 analysis — yet many still struggle to translate written policy into demonstrable performance under real stress conditions.
The organisations that are closing this gap treat governance not as a set of documents to be audited, but as a set of behaviours to be rehearsed. Policies are only as strong as the people who know them and the processes that embed them into daily operations. Annual reviews are necessary; quarterly stress-tests are better; a culture that continuously surfaces vulnerabilities is best.
A governance framework that has never been tested is not a framework — it is a hypothesis. The organisations that survive disruption are those that stress-tested their resilience before the disruption chose to test it for them.







