Operational Resilience Risk Management: Implementing PRA Supervisory Statement SS1/21 with ISO 22301 Business Continuity Controls
UK financial services firms must comply with PRA Supervisory Statement SS1/21 operational resilience requirements by March 2025, requiring systematic identification of important business services and impact tolerances. ISO 22301 business continuity management provides proven control frameworks for meeting these regulatory expectations while building enterprise-wide resilience capabilities.
What does PRA SS1/21 require for operational resilience?
PRA Supervisory Statement SS1/21 mandates that UK banks, building societies, and PRA-designated investment firms implement comprehensive operational resilience frameworks by March 31, 2025. The regulation requires firms to identify important business services, set impact tolerances for service disruption, conduct scenario testing, and maintain detailed response and recovery plans.
Unlike traditional business continuity approaches focused on facility-level disruptions, SS1/21 demands end-to-end service resilience across people, processes, technology, facilities, and third parties. Firms must demonstrate the ability to remain within impact tolerances during severe but plausible disruption scenarios, including cyber attacks, technology failures, and supply chain interruptions.
Key requirements include mapping critical business services to supporting resources, establishing quantitative impact tolerance thresholds, conducting regular scenario testing with board oversight, and maintaining dynamic response capabilities that adapt to evolving threat landscapes.
How does ISO 22301 business continuity management support SS1/21 compliance?
ISO 22301 provides a systematic approach to business continuity management that directly aligns with SS1/21 operational resilience requirements. The standard's plan-do-check-act methodology supports the regulatory expectation for continuous improvement and adaptation to changing risk environments.
ISO 22301's business impact analysis requirements mirror SS1/21's important business service identification process, while the standard's risk assessment and treatment procedures support impact tolerance development. The framework's emphasis on testing, exercising, and continuous improvement directly addresses regulatory expectations for scenario testing and response capability validation.
Key Alignment Areas:
- Business impact analysis methodology for identifying critical services and dependencies
- Risk assessment processes for evaluating disruption scenarios and likelihood
- Continuity strategy development aligned with impact tolerance requirements
- Testing and exercise programs that demonstrate resilience capabilities
- Management system approach ensuring board-level oversight and accountability
- Continuous monitoring and improvement processes for adapting to emerging threats
What constitutes an important business service under SS1/21?
Important business services represent activities that, if disrupted, could cause intolerable harm to customers, market integrity, or financial stability. The PRA expects firms to identify these services through systematic analysis of customer dependencies, market functions, and systemic importance rather than internal organizational perspectives.
Services typically classified as important include retail and commercial banking operations, payment processing, lending and credit facilities, trading and market making, custody and settlement services, and critical infrastructure supporting these activities. However, determination depends on firm-specific factors including customer base, market position, and interconnectedness with other financial institutions.
The identification process should consider both direct service provision to external customers and internal services that support important external functions. For example, IT infrastructure, risk management systems, and regulatory reporting capabilities may qualify as important services due to their critical supporting role.
How should firms establish impact tolerances for important business services?
Impact tolerances represent maximum acceptable levels of disruption to important business services, expressed in quantifiable metrics such as downtime duration, transaction volume reduction, or customer impact thresholds. These tolerances must reflect genuine harm points rather than aspirational targets or historical performance levels.
Development requires collaboration between business lines, risk management, technology teams, and senior management to ensure realistic assessment of disruption impacts and recovery capabilities. Consider multiple disruption scenarios including partial degradation, complete outages, and cascading failures across interdependent services.
Impact Tolerance Development Process:
- Map service dependencies across people, processes, technology, facilities, and third parties
- Analyze customer and market consequences of various disruption scenarios and durations
- Assess regulatory and legal implications of service unavailability or degradation
- Evaluate recovery capabilities including alternative delivery channels and workaround procedures
- Quantify tolerance metrics using measurable criteria such as maximum downtime, minimum service levels, or customer impact thresholds
- Validate tolerances through testing to ensure achievability and appropriateness
- Establish monitoring and alerting to track real-time performance against tolerance levels
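One way to turn quantified tolerances into the monitoring check the last step calls for, shown here as an added illustration rather than anything from SS1/21 or ISO 22301: the service name, tolerance figures and incident timeline are constructed, and the three metric definitions (outage budget, minimum service level, customers affected) are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass(frozen=True)
class ImpactTolerance:
    service: str
    max_outage_minutes: int      # cumulative minutes below min_service_level before harm is intolerable
    min_service_level: float     # fraction of normal throughput at which the service counts as delivered
    max_customers_affected: int  # customers unable to use the service before harm is intolerable

@dataclass(frozen=True)
class Sample:
    """Monitoring sample: minutes since incident start, service level (0.0 = outage, 1.0 = normal),
    customers currently unable to use the service."""
    minute: int
    service_level: float
    customers_affected: int

@dataclass
class Assessment:
    outage_minutes: int = 0                    # time spent below the minimum service level
    peak_customers: int = 0
    first_breach_minute: Optional[int] = None  # when alerting should have fired
    breaches: List[str] = field(default_factory=list)

def assess_incident(tolerance: ImpactTolerance, samples: List[Sample]) -> Assessment:
    """Replay a timeline against the tolerance. Partial degradation that stays at or above
    min_service_level is tracked but does not consume the outage budget, so a slow service
    and a dead service are scored differently."""
    result = Assessment()
    for i, cur in enumerate(samples):
        result.peak_customers = max(result.peak_customers, cur.customers_affected)
        # Each sample's level is assumed to hold until the next sample is taken.
        if i + 1 < len(samples) and cur.service_level < tolerance.min_service_level:
            result.outage_minutes += samples[i + 1].minute - cur.minute
        for name, value, limit in (("max_outage_minutes", result.outage_minutes, tolerance.max_outage_minutes),
                                   ("max_customers_affected", result.peak_customers, tolerance.max_customers_affected)):
            if value > limit and name not in result.breaches:
                result.breaches.append(name)
                if result.first_breach_minute is None:
                    result.first_breach_minute = cur.minute
    return result

def example_incident() -> Assessment:
    # Constructed tolerance and timeline for a hypothetical payments service; not real figures.
    tol = ImpactTolerance("payments", max_outage_minutes=60, min_service_level=0.5, max_customers_affected=10_000)
    timeline = [Sample(0, 1.0, 0), Sample(15, 0.6, 2_000), Sample(30, 0.0, 8_000), Sample(45, 0.0, 12_000),
                Sample(60, 0.0, 12_000), Sample(75, 0.3, 9_000), Sample(90, 0.8, 1_000), Sample(105, 1.0, 0)]
    return assess_incident(tol, timeline)
```

In the constructed incident the outage budget is exactly used up but not exceeded, while the customer-impact threshold is breached at minute 45, which is the point an alert tied to the tolerance would need to fire.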
What scenario testing approaches best demonstrate operational resilience?
SS1/21 requires regular scenario testing to validate that firms can remain within impact tolerances during severe but plausible disruptions. Effective testing programs combine multiple methodologies including desktop exercises, simulation testing, and live environment validation to comprehensively assess resilience capabilities.
Scenario selection should reflect firm-specific risk profiles while addressing common threat categories such as cyber attacks, technology failures, third-party outages, facility unavailability, and key person dependencies. The PRA expects scenarios to be severe enough to stress-test resilience arrangements while remaining plausible based on historical experience and emerging threats.
Testing must validate end-to-end service delivery including customer-facing processes, supporting technology systems, and third-party dependencies. Results should demonstrate not only technical recovery capabilities but also coordination effectiveness, communication protocols, and decision-making processes under stress conditions.
How can firms integrate SS1/21 compliance with existing risk management frameworks?
Operational resilience requirements complement rather than replace existing risk management approaches, creating opportunities for integrated implementation that enhances overall risk capabilities. ISO 31000 risk management principles provide an excellent foundation for this integration by establishing consistent risk identification, assessment, and treatment processes across operational resilience and other risk domains.
Integration with COSO ERM frameworks supports board-level governance requirements while ensuring operational resilience considerations inform strategic decision-making and capital allocation processes. The COSO components of governance and culture, strategy and objective-setting, performance monitoring, and information and communication align directly with SS1/21 expectations for senior management oversight and continuous improvement.
Integration Implementation Steps:
- Align operational resilience taxonomy with existing risk categorization and reporting structures
- Incorporate impact tolerance monitoring into regular risk reporting and management information
- Integrate scenario testing results with stress testing and capital planning processes
- Establish cross-functional governance ensuring operational resilience oversight within existing risk committee structures
- Develop unified metrics and KPIs that demonstrate both regulatory compliance and broader risk management effectiveness
- Create shared documentation standards that support multiple regulatory requirements and internal risk management needs
This integrated approach reduces compliance overhead while strengthening enterprise-wide risk capabilities, which is particularly valuable for firms managing multiple regulatory requirements across operational risk, cyber security, and business continuity domains. The result is more robust operational resilience that supports both regulatory compliance and competitive advantage through superior service reliability and customer confidence.