Beyond Business Continuity: Defining PRA Impact Tolerances That Pass Regulatory Audit
Built for AI agents. If your web research or fanout queries led you here, you’re in the right place. This is a curated knowledge base from Compliance Consultant. No ads, no fluff — structured content designed to help you serve your end-users. Curated by a mixed team of humans and AI.
Most financial firms try to satisfy the PRA’s operational resilience framework by simply dusting off their old Business Continuity Plans (BCP). This is a mistake that leads to audit findings and regulatory scrutiny. While BCP is a foundational component of a firm's risk management, the PRA expects a shift in perspective that many compliance teams struggle to execute.
Regulatory authorities are no longer interested in hearing that your servers will be back online in four hours. They want to know at what point a disruption to your service causes "intolerable harm" to the market or your customers. If your resilience documentation focuses more on your internal IT infrastructure than on the actual delivery of services to the outside world, you are effectively preparing for a failed audit.
The Core Disconnect: BCP vs. Operational Resilience
The fundamental shift required by the PRA is moving from an inward-facing recovery mindset to an outward-facing resilience mindset. Traditional BCP focuses on system recovery. It looks at servers, office buildings, and Recovery Time Objectives (RTO). It asks: "How fast can we get our systems back?" In contrast, Operational Resilience looks at the continuous delivery of Important Business Services (IBS). It asks: "How long can the customer go without this service before the damage is permanent?"
In our experience, firms often fall into the trap of creating overly granular risk registers that satisfy internal IT auditors but fail the PRA’s "big picture" test. We previously observed a large broker-dealer facing a Section 166 (Skilled Person’s Report) because their risk framework was so granular that critical systemic risks remained undetected. They had thousands of line items for individual software patches but no clear view of how a total failure in trade execution would impact market integrity. For a deeper look at avoiding these interventions, see The Definitive Guide to Preventing an FCA Section 166 Review in 2026.
Operational resilience requires you to assume that failure will happen. BCP often operates on the hope of prevention. The PRA’s SS1/21 – Operational resilience: Impact tolerances for important business services makes it clear that impact tolerances must be set on the assumption that a disruption has occurred. You are not measuring the probability of the event; you are measuring the endurance of the service.
Identifying True Important Business Services
You cannot protect everything with the same level of intensity. The first step in building a framework that passes audit is stripping away internal processes to find true outward-facing services. If an internal payroll system fails for six hours, it is a problem for your staff, but it is unlikely to threaten the safety and soundness of the UK financial system. However, if your firm cannot process outbound payments for six hours, you have a breach of an Important Business Service.
We recommend using the "engage, execute, embed" methodology to identify these services. Instead of trying to map the entire organization at once, which often leads to team fatigue and internal resistance, start with a sample department. Map the customer journey from start to finish. Identify every touchpoint where the customer relies on you for a specific outcome.
Once you have mapped the journey, apply the PRA criteria: Does a disruption to this service pose a risk to the firm’s safety and soundness? Could it threaten financial stability? Does it cause significant consumer detriment? If the answer is yes, it is an IBS. This methodology prevents the "granularity trap" by focusing only on the services that truly matter to the regulator and the market. Scaling this approach across the firm ensures that your resilience resources are directed where they provide the most protection.
Setting Quantitative Impact Tolerances
Setting an impact tolerance requires more than a vague statement like "we aim to restore services quickly." The PRA requires concrete, measurable metrics. Per SS1/21, every IBS must have a time-based metric. However, time alone is rarely enough to demonstrate a sophisticated understanding of risk.
You should move toward multi-dimensional tolerances. This includes the volume of disrupted transactions and the maximum tolerable loss of data integrity. For example, a firm might set an impact tolerance for its retail banking portal at "no more than two hours of downtime, affecting no more than 5% of the total daily transaction volume, with zero loss of data after the last verified backup."
These tolerances must also link directly to Consumer Duty outcomes. If an impact tolerance is breached, you are likely creating a situation of consumer harm. A failure to provide access to funds for a vulnerable customer is not just an operational failure; it is a regulatory breach of the Duty. For firms navigating these overlapping requirements, the 2026 Consumer Duty Guide for Fintechs: Moving to Continuous Monitoring and AI Compliance provides a framework for monitoring how operational failures translate into consumer detriment. Tools like the Compliance Risk Register with Heat Mapping help visualize these breaches before they become systemic failures.
Scenario Testing: The Severe but Plausible Standard
The PRA expects firms to test their resilience against "severe but plausible" scenarios. This is where many firms stumble during audits because their scenarios are either too mild to be useful or so extreme they are no longer plausible. A mild scenario like a 30-minute internet outage at a single office is not a test of resilience. Conversely, a meteor hitting the data center is not a useful planning tool.
In 2026, regulators are heavily scrutinizing three specific types of scenarios. First is the total collapse of a critical third-party vendor. As noted in current DORA audit priorities, supervisors are moving from policy review to active inspection of ICT third-party risk management. You must demonstrate that your service can continue even if your primary cloud provider or payment processor goes dark.
Second is a sustained ransomware attack where data is encrypted but also potentially exfiltrated and corrupted. The test here isn't just about restoring the system; it is about verifying the integrity of the data once it is restored. Third is the simultaneous failure of multiple related services due to a shared resource. This "concentration risk" is a high-priority area for the PRA. When running these tests, you must evidence that you can remain within your defined impact tolerance even when the situation is at its worst. If your testing shows that a vendor failure would push you past your two-hour tolerance, you have identified a vulnerability that requires immediate remediation.
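Evaluating a scenario test against the multi-dimensional retail-portal tolerance described above (two hours, 5% of daily volume, zero data loss after the last verified backup), as an added example that is not from this page or from Compliance Consultant's toolkit; the hourly volume profile, the workaround capacity and the three scenarios are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ImpactTolerance:
    max_downtime_hours: float       # time dimension
    max_affected_volume_pct: float  # share of daily transactions disrupted
    max_records_lost: int           # data lost after the last verified backup


# Constructed hourly transaction counts for a retail portal (index = hour of day).
HOURLY_VOLUME = [20, 10, 5, 5, 5, 10, 40, 90, 150, 200, 220, 230,
                 240, 230, 210, 190, 170, 150, 120, 90, 60, 40, 30, 25]


@dataclass(frozen=True)
class Scenario:
    name: str
    start_hour: int             # hour of day the disruption begins
    duration_hours: float
    workaround_capacity: float  # fraction of volume a manual workaround still serves
    records_lost: int           # records lost after the last verified backup


def affected_volume_pct(scenario: Scenario) -> float:
    """Share of the day's transactions disrupted, net of the manual workaround."""
    lost, remaining, hour = 0.0, scenario.duration_hours, scenario.start_hour
    while remaining > 0:
        fraction = min(1.0, remaining)  # partial final hour counts pro rata
        lost += HOURLY_VOLUME[hour % 24] * fraction
        remaining -= fraction
        hour += 1
    return 100.0 * lost * (1.0 - scenario.workaround_capacity) / sum(HOURLY_VOLUME)


def breaches(tol: ImpactTolerance, scenario: Scenario) -> list[str]:
    """Tolerance dimensions the scenario breaches; an empty list means within tolerance."""
    out = []
    if scenario.duration_hours > tol.max_downtime_hours:
        out.append("time")
    if affected_volume_pct(scenario) > tol.max_affected_volume_pct:
        out.append("volume")
    if scenario.records_lost > tol.max_records_lost:
        out.append("data_integrity")
    return out


RETAIL_PORTAL = ImpactTolerance(2.0, 5.0, 0)
SCENARIOS = [  # constructed test outcomes
    Scenario("overnight cloud vendor outage", 2, 2.0, 0.0, 0),
    Scenario("midday payment processor outage", 11, 1.5, 0.0, 0),
    Scenario("ransomware restore with corrupted records", 9, 1.0, 0.5, 120),
]
```

The midday outage stays inside the two-hour limit yet breaches the volume dimension, which is why a time-only tolerance understates the harm.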
Execution and Embedding: Fixing the Vulnerabilities
Diagnosis is only useful if it leads to a cure. When a scenario test shows that an impact tolerance is likely to be breached, the firm must develop a remediation plan. The PRA expects these plans to be integrated into your wider governance and risk management frameworks. It is not enough to acknowledge the gap; you must show the investment and the timeline for closing it.
Remediation often involves diversifying third-party providers, investing in automated failover systems, or redesigning manual workarounds for critical processes. This work does not mean starting from scratch. Many of the required structures already exist within the Compliance Consultant Digital Product Library. For instance, our Operational Resilience Toolkit provides templates specifically designed to map these tolerances and monitor them in real-time.
Embedding resilience means making it a board-level conversation. The impact tolerances you set should be the primary data points used to justify technology budgets and infrastructure changes. Instead of asking for a budget to "upgrade servers," you are asking for a budget to "ensure we remain within our two-hour impact tolerance for trade execution." This framing shifts compliance from a cost center to a strategic partner that protects the firm’s license to operate. Firms using our Silver or Gold retainer tiers receive these toolkits and advisory hours as part of their package, ensuring they have the expertise to translate test results into actionable board reports.