SYSC15A and the credibility gap: Why are resilience plans falling short under scrutiny?
- Andrew Lingley

In operational resilience, there's a difference between having a plan and being ready to prove it.
On paper, many UK firms look compliant. Under scrutiny, the evidence doesn’t hold. That’s the credibility gap.
PS21/3 - now embedded as SYSC 15A in the FCA Handbook - has raised the bar. As of March 31st this year, firms must now be operating their important business services within impact tolerances. The planning stage is well and truly over, and the focus now is outcomes and evidence.
The problem? What firms think is ‘good enough’ often isn’t.
What falling short looks like in the real world
TSB’s £48.65m penalty (FCA + PRA) remains the clearest signal. Weak operational risk management and outsourcing governance turned a migration failure into a prolonged outage that locked customers out and fell short of resilience expectations. The message: outsourcing arrangements that look fine on paper can collapse in practice if governance and testing aren’t real.
FCA supervisory observations (updated for the end of the transition period) highlight recurring gaps, including shallow mapping that stops at tier‑one suppliers, limited scenario testing, and weak board‑level challenge on impact tolerances. The key takeaway? Many firms can describe resilience; far fewer can evidence it.
Third‑party exposure is front and centre. After the global CrowdStrike incident, the FCA warned UK firms to prepare for CrowdStrike‑type disruptions and noted that unregulated third‑party problems were the leading cause of operational incidents reported in 2022–2023 - precisely the weak flank SYSC 15A expects you to control.
Regulatory scope is widening, not loosening. The joint Critical Third Parties (CTP) regime from the BoE/PRA/FCA adds direct oversight of systemically important suppliers. But it does not transfer accountability from firms; you still have to show you can stay within tolerance if a CTP fails.
Why the credibility gap persists
The credibility gap isn’t usually about effort. Most firms have resilience programmes in place. The problem is that the work is too often scattered, manual, and inconsistent.
IT owns the systems. Procurement manages the contracts. Risk writes the policies. Business continuity keeps the recovery playbooks. Testing outputs live in one shared drive, dependency maps in another, and impact tolerances in a spreadsheet last updated three months ago.
Then the FCA asks for a single, connected picture, and suddenly the story and the evidence no longer match. The regulator’s own guidance calls this out and asks firms to use its observations to close gaps before reviews.
It’s not just a silo problem. It’s a version control problem. A “final_v7.xlsx” problem. A manual process problem that turns a straightforward request into a multi-week scramble.
PS21/3 was designed to break that cycle. The FCA expects a joined-up view that links every important business service (IBS) to its people, processes, technology, facilities, and suppliers - and shows exactly how each will perform under stress.
The reality: many firms can explain their resilience strategy in theory, but can’t produce a single, current, verifiable picture in practice. And when the FCA tests, that’s when the credibility gap is exposed.
What the FCA expects to see now
The FCA doesn’t want a policy statement or a glossy slide deck. It wants a firm that can keep its important business services running within impact tolerances during a severe-but-plausible disruption - whether that disruption starts in your systems or in a supplier’s. And it wants you to be able to produce that proof on demand.
The regulator’s own framework is clear: identify your important business services, map all people, processes, technology, facilities and information that support them, run robust scenario testing, maintain an up-to-date self-assessment, and ensure the governing body is actively engaged in oversight.
Closing the credibility gap
The firms that pass scrutiny don’t rely on luck or quick fixes. They treat resilience as a living, connected discipline. They maintain a current, end-to-end map of every important business service - including third- and fourth-party dependencies. They test impact tolerances against the kinds of multi-layered failures the FCA is actually seeing in the market: supplier outages, cascading software updates, simultaneous failures in unrelated systems. And they make sure evidence is accurate, consistent, and board-approved before the regulator comes knocking.
Bridging the credibility gap means leaving static, siloed plans behind and building a single, trusted view of resilience that is:
- Comprehensive - mapping that goes beyond tier-one suppliers to capture sub-contractors, data feeds, and hidden dependencies.
- Proven - tolerances tested under real-world conditions, not optimistic best-case scenarios.
- Accessible - evidence that is centralised, version-controlled, and instantly retrievable.
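As an added illustration (not from the article, and not Drova’s product code), a small Python model of why mapping depth matters: a dependency map for one important business service is scenario-tested by failing each mapped node and propagating the outage up to the service, then comparing the worst case against the impact tolerance. All names, tiers, recovery times, failover times and the 120-minute tolerance are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    tier: int              # 0 = the IBS itself, 1 = in-house, 2 = third party, 3 = fourth party
    rto_minutes: int       # time to restore this node once everything it depends on is back
    # provider name -> minutes to fail over to an alternative, or None when no failover exists
    depends_on: dict = field(default_factory=dict)

# Constructed sample map for one IBS ("payments"); every figure below is illustrative only.
GRAPH = {n.name: n for n in [
    Node("payments", 0, 10, {"core-ledger": None, "payment-gateway": None}),
    Node("core-ledger", 1, 30, {"cloud-host": 45}),        # DR site reachable in 45 minutes
    Node("payment-gateway", 1, 20, {"acquirer-api": None}),
    Node("cloud-host", 2, 60, {"dns-provider": None}),      # third party
    Node("acquirer-api", 2, 40, {"card-network": None}),    # third party
    Node("dns-provider", 3, 90),                            # fourth party, behind cloud-host
    Node("card-network", 3, 240),                           # fourth party, behind acquirer-api
]}
IMPACT_TOLERANCE_MINUTES = 120   # constructed tolerance for the "payments" IBS

def outage_minutes(graph, name, failed):
    """Minutes `name` is unavailable when every node in the set `failed` goes down at once."""
    node = graph[name]
    worst = node.rto_minutes if name in failed else 0
    for provider, failover in node.depends_on.items():
        down = outage_minutes(graph, provider, failed)
        if down == 0:
            continue                                # that provider is unaffected
        wait = down + node.rto_minutes              # wait for the provider, then restart ourselves
        worst = max(worst, wait if failover is None else min(failover, wait))
    return worst

def mapped_nodes(graph, ibs, max_tier):
    """The dependencies a mapping exercise captures when it stops at `max_tier`."""
    seen, todo = set(), [ibs]
    while todo:
        name = todo.pop()
        if name in seen or graph[name].tier > max_tier:
            continue
        seen.add(name)
        todo.extend(graph[name].depends_on)
    return seen

def worst_single_failure(graph, ibs, max_tier):
    """Scenario-test each mapped node failing alone; return the worst (node, minutes) for the IBS."""
    results = {n: outage_minutes(graph, ibs, {n}) for n in mapped_nodes(graph, ibs, max_tier)}
    return max(results.items(), key=lambda kv: kv[1])
```

With the map stopped at third parties (tier 2) the worst tested scenario is 70 minutes and the service looks within tolerance; extending the map to fourth parties exposes a 310-minute outage from the card network that the shallower exercise never tested. Passing a set such as `{"cloud-host", "acquirer-api"}` to `outage_minutes` tests simultaneous failures in unrelated systems.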
Handled well, this shifts compliance from a defensive chore to a strategic advantage. A firm with an auditable, regulator-ready posture isn’t just prepared for an FCA visit; it’s better positioned to reassure clients, build investor confidence, and respond decisively in a crisis.
From paper to proof - the simplest way
Drova’s Operational Resilience solution was built to eliminate the complexity that causes the credibility gap. In one connected system, you can:
- Map every important business service and all its dependencies, down to fourth-party level.
- Set and track realistic impact tolerances linked directly to your suppliers’ capabilities.
- Manage and record severe-but-plausible scenario tests, with results translated into board-ready insights.
- Maintain evidence aligned to FCA expectations, ready to surface instantly in a supervisory review.
PS21/3 demands more than a plan. It demands proof. Drova makes it simple to move from ‘we’re ready’ to ‘here’s the evidence’.