What the Ongoing Phase Means for Your Firm


Date: 13 July 2026

Featured Image

The deadline has been and gone. On 31 March 2025, the transitional period under the FCA’s operational resilience rules (PS21/3) and the PRA’s Supervisory Statement SS1/21 came to an end. By that date, in-scope firms were expected to have identified their important business services, set impact tolerances, completed mapping and scenario testing, and be able to remain within those tolerances through severe but plausible disruption.

So the work is done, right?

Not quite. The end of the transition period was not the finish line. It was the starting gun for what the regulators call the ongoing operational phase. And a year and more into that phase, the FCA has made two things very clear: It is actively reading firms’ self-assessments, and it is not always liking what it finds. In this article, we look at what the ongoing phase actually requires, what the FCA’s 2026 findings tell us, and what’s coming next.

A Quick Recap: What PS21/3 and SS1/21 Require

The UK operational resilience regime, established by FCA Policy Statement PS21/3 (“Building operational resilience”) and PRA Supervisory Statement SS1/21, is built on a handful of deceptively simple requirements. In-scope firms must:

  • Identify important business services (IBS): The services whose disruption could cause intolerable harm to clients or threaten market integrity, viewed from the consumer’s perspective, not the firm’s.
  • Set impact tolerances: The maximum tolerable level of disruption for each important business service.
  • Map dependencies: The people, processes, technology, facilities, information and third parties each service relies on.
  • Test against severe but plausible scenarios: Proving the firm can remain within its impact tolerances when things go badly wrong.
  • Maintain a self-assessment: A living document, reviewed at least annually and after material change, that the board owns and the regulator expects to be able to read.

The rules came into force on 31 March 2022. The three-year transition ended on 31 March 2025. From that point, firms moved from building their resilience programme to running it.

The Ongoing Phase: From Plan to Proof

The single biggest shift in the ongoing phase is this: the regulator no longer wants to see a plan — it wants to see a functioning programme with evidence behind it.

In practice, the ongoing phase means:

  • Mapping, testing and self-assessment must be kept current. A self-assessment last touched in March 2025 is already a red flag. Material changes — a new platform, a migration, an acquisition, a significant new third party — should trigger an update.
  • Scenario testing must keep maturing. The FCA has repeatedly signalled that testing should evolve from judgement-based discussion towards more empirical, evidenced testing, and should extend to the third parties that underpin important business services.
  • Vulnerabilities must be remediated, not just recorded. Remediation plans are expected to be approved, funded and governed — and closure evidenced through re-testing, not assertion.
  • The board must own it. Boards are expected to review and approve the self-assessment, and to be able to demonstrate that they have genuinely engaged with it.

Resilience, in other words, is no longer a project. It’s a discipline — and one the regulator is now inspecting.

What the FCA Found One Year On (March 2026)

In March 2026, roughly a year after the transition period closed, the FCA published its observations from reviewing firms’ annual operational resilience self-assessments — a mix of good practice and pointed criticism.

Where firms are doing well:

  • Strong engagement with the regime overall, with clear methodologies and rationale for defining important business services and setting impact tolerances at the better-prepared firms.
  • Genuine investment in resilience capability, with many firms treating the rules as a prompt to rethink risk rather than a box-ticking exercise.

Where firms are falling short:

  • Incomplete third-party and dependency mapping: Firms that understand their direct suppliers but not their suppliers’ suppliers, leaving concentration risk invisible.
  • Scenario testing that isn’t severe enough: Comfortable scenarios that firms know they can pass, rather than the severe-but-plausible disruptions the rules demand.
  • Stale self-assessments: Documents that contain all the required sections but lack substantive content, or that haven’t been meaningfully updated since the deadline.
  • Impact tolerances stated without justification: Numbers on a page with no evidenced rationale behind them.

The FCA has also pointed to recent real-world events as exactly the kind of scenarios firms should be testing against: major cloud-provider outages affecting the sector, and high-profile cyber attacks on household-name organisations in other industries. These aren’t theoretical tail risks any more. They’re last year’s news — and next year’s test.

The uncomfortable question for every board: If the FCA read your self-assessment tomorrow, would it read as evidence of a living programme — or as a compliance artefact frozen in March 2025?

What’s Coming Next: Incident and Third-Party Reporting from March 2027

The regime is not standing still. In March 2026, the FCA, PRA and Bank of England published final rules creating a single, unified framework for operational incident reporting and material third-party reporting (FCA PS26/2 with guidance FG26/3 and FG26/4; PRA PS7/26 and SS1/26). The new rules apply from 18 March 2027 — and the regulators have been explicit that the twelve-month runway is for preparing, not waiting.

In summary, the new regime will:

  • Define an “operational incident” with common FCA/PRA thresholds, and require an initial report as soon as practicable — generally within 24 hours of determining a threshold is met. Notably, an incident doesn’t need to affect an important business service to be reportable.
  • Introduce standard and enhanced reporting tiers, with larger and more complex firms providing intermediate updates and a comprehensive final report after resolution.
  • Require firms to notify the regulator of new or significantly changed material third-party arrangements — a definition that goes wider than traditional outsourcing.
  • Require an annual register of material third-party arrangements, submitted to the FCA.

This lands on top of the critical third parties regime (PS16/24), which addresses concentration risk at sector level, and — for firms with EU operations, group entities or ICT services to EU financial entities — the EU’s Digital Operational Resilience Act (DORA), which has applied since January 2025.

The direction of travel is unmistakable: regulators want continuous, evidenced visibility of how resilient firms actually are, with third-party dependency and concentration risk squarely in the spotlight.

What Firms Should Do Now

If the ongoing phase has a to-do list, it looks like this:

  1. Refresh the self-assessment — properly. Not a date change on the cover. Re-examine important business services, impact tolerances and their justification in light of the past year.
  2. Pressure-test your scenario testing. Would your scenarios survive the FCA’s “severe but plausible” test? Have you tested against a major cloud outage or a third-party ransomware event — the scenarios the regulator is now explicitly pointing at?
  3. Map the dependencies you’d rather not look at. Concentration on single platforms, single suppliers and shared services is now a supervisory priority across PS21/3, PS16/24 and the incoming third-party reporting regime. Find these dependencies before the regulator asks about them — or before they fail.
  4. Get ahead of March 2027. Audit which third-party arrangements would count as “material” under the new rules, and test whether your incident processes could determine reportability and produce a defensible report within 24 hours, under pressure.
  5. Measure your resilience — don’t assume it. Documentation proves you have a programme on paper. Only assessment proves the capability behind it.

From Compliance Evidence to Genuine Resilience

Here’s the trap in the ongoing phase: it’s entirely possible to maintain a compliant-looking self-assessment while your actual resilience quietly degrades — platforms age, dependencies accumulate, key people leave, and testing drifts towards the comfortable.

That’s why the most resilient firms treat measurement, not documentation, as the heartbeat of the ongoing phase.

If you’ve run cyber tabletop exercises, you’ve tested how your people respond on the day. The next step is measuring the underlying resilience beneath that response — and translating it into terms your board can act on. 

That’s precisely what our Operational Resilience Assessment is built for: a single facilitated session with your operational and board-level owners that produces a board-ready view of how resilient your critical services really are. They are scored on a five-level maturity model, mapped to your growth objectives, signposted against FCA/PRA expectations (and EU DORA where relevant), and delivered with a prioritised 12-month roadmap that drops straight into your risk register and your next self-assessment.

For the detailed technical picture behind the same findings, the evidence your IT teams need to remediate, its companion, the Technical Resilience Assessment, engages the people who build, run and recover your critical systems.

In the ongoing phase, the firms that thrive won’t be the ones with the thickest self-assessment. They’ll be the ones who can show, with evidence, that they measured their resilience, invested where it mattered, and matured — year after year.

Book a Scoping Call with us today to help us understand your exact needs. One short conversation, one measured baseline, one defensible story for your board and your regulator.

FCA Operational Resilience: Frequently Asked Questions 

1. Did the FCA operational resilience deadline pass in March 2025?

Yes. The three-year transitional period under FCA PS21/3 and PRA SS1/21 ended on 31 March 2025. By that date, in-scope firms had to have identified their important business services, set impact tolerances, completed mapping and scenario testing, and be able to remain within tolerances through severe but plausible disruption. The end of transition was not the finish line — it marked the start of the ongoing operational phase, in which the regulator expects a functioning, evidenced programme rather than a plan.

2. What is the “ongoing phase” of operational resilience?

The ongoing phase is the period after 31 March 2025 in which firms must run their resilience programme, not just build it. Mapping, testing and the self-assessment must be kept current; scenario testing must keep maturing towards more empirical, evidenced approaches; vulnerabilities must be remediated and closure evidenced through re-testing; and the board must own and genuinely engage with the self-assessment. In short, the regulator now wants proof of resilience, not documentation of intent.

3. What did the FCA find when it reviewed firms’ self-assessments in 2026?

In March 2026 — about a year after transition closed — the FCA published observations from reviewing firms’ annual self-assessments. On the positive side, it saw strong engagement, clear methodologies for defining important business services, and genuine investment in resilience. Its main criticisms were incomplete third-party and dependency mapping, scenario testing that wasn’t severe enough, stale self-assessments with sections but little substance, and impact tolerances stated without evidenced justification. The FCA pointed to recent cloud-provider outages and high-profile cyber attacks as exactly the kind of scenarios firms should be testing against.

4. What is changing with incident and third-party reporting from March 2027?

In March 2026 the FCA, PRA and Bank of England published final rules for a unified operational incident and material third-party reporting framework (FCA PS26/2 with FG26/3 and FG26/4; PRA PS7/26 and SS1/26), applying from 18 March 2027. The rules define an “operational incident” with common thresholds and require an initial report as soon as practicable — generally within 24 hours of determining a threshold is met, even where no important business service is affected. There are standard and enhanced reporting tiers, a requirement to notify new or significantly changed material third-party arrangements, and an annual register of material third-party arrangements submitted to the FCA.

5. Does an incident have to affect an important business service to be reportable?

No. Under the incoming PS26/2 framework, an operational incident can be reportable even if it does not affect an important business service, provided it meets the common FCA/PRA thresholds. This is a notable widening of scope, and firms should test whether their incident processes can determine reportability and produce a defensible report within 24 hours under pressure.

6. How does DORA relate to the UK operational resilience regime?

The EU’s Digital Operational Resilience Act (DORA) has applied since January 2025 and is relevant to firms with EU operations, group entities, or those providing ICT services to EU financial entities. It sits alongside the UK regime (PS21/3, the critical third parties regime PS16/24, and the incoming PS26/2 reporting rules). Dual-exposed firms need to reconcile both frameworks rather than treat them in isolation.

7. What should firms do now in the ongoing phase?

Refresh the self-assessment substantively rather than changing the cover date; pressure-test scenarios against severe-but-plausible events like a major cloud outage or third-party ransomware; map concentration and dependency risk before the regulator asks; audit which third-party arrangements would count as “material” under the March 2027 rules; and measure resilience rather than assume it. Documentation proves you have a programme on paper, only assessment proves the capability behind it.





Source link

Leave a Reply

Subscribe to Our Newsletter

Get our latest articles delivered straight to your inbox. No spam, we promise.

Recent Reviews


Microsoft Excel handles temporal data effectively if you know which formulas to use. The problem is that Excel includes over 20 date and time functions, but most people only ever need a small core set to build powerful, self-updating workflows. These essential date functions turn messy timelines into automated systems you can actually rely on.

All examples in this guide use an Excel table (Ctrl+T) named ProjectTracker (pictured below). To follow along, download a free copy of the Excel workbook containing this table. After you click the link, you’ll find the download button in the top-right corner of your screen.

A structured Excel tracking table containing project tasks, start dates, and due dates.

Excel views your calendar as a massive string of numbers

The secret logic behind spreadsheet dates

Excel stores dates as serial numbers—starting at January 1, 1900—and displays them using date formats. For example, June 1, 2026 is stored internally as 46174. This allows you to perform arithmetic on dates, such as adding 7 to move forward one week.

Excel intentionally treats 1900 as a leap year for compatibility with older spreadsheet systems. This is not historically accurate, but it rarely affects modern workflows unless you’re working with very old date ranges.

Keep your timelines moving with real-time tracking

Creating a live project countdown with TODAY

If you currently update a “Today” cell manually each morning to keep deadlines accurate, Excel can replace that workflow with a dynamic function that always returns the current date.

To create a live countdown that updates automatically as time passes, add a new column with the following name, formula, and formatting:

Column Name

Days Remaining

Formula

=[@[Due Date]]-TODAY()

Number Format

General

When you press Enter, Excel may automatically format the result as a date instead of a number. That’s why you must select the table column and set the format to General in the Number group of the Home tab.

Each task displays the number of days remaining until its due date, with negative values indicating tasks that are already overdue.

The next time you open the workbook, the calculations will refresh and automatically update based on the new day.

Isolate specific time frames by breaking dates into pieces

Structuring reports with MONTH, YEAR, and WEEKDAY

When working with project schedules, full date values like 2026-07-24 are often too detailed for analysis. You may need to group tasks by month, summarize yearly progress, or identify scheduling issues like weekend start dates.

To extract the month, delete the Days Remaining column, then add a new one with these parameters:

Column Name

Month Due

Formula

=MONTH([@[Due Date]])

Number Format

General

Each task returns a numeric month value, such as 6 for June or 7 for July, making it easier to filter and group tasks by month.

To isolate the year for reporting across longer timelines, simply replace MONTH in the formula above with YEAR:

Column Name

Year Due

Formula

=YEAR([@[Due Date]])

Number Format

General

The numeric year component is successfully calculated for every row in the tracking table in Excel.

To identify scheduling issues, such as tasks that begin on weekends, you need a different approach because weekdays are not stored as simple calendar parts like month or year. Instead, Excel assigns each weekday a numeric position based on a selected system.

Here’s what to do in a new column:

Column Name

Weekday Due

Formula

=WEEKDAY([@[Start Date]], 2)

Number Format

General

With the 2 argument, Excel treats Monday as day 1 and Sunday as day 7. Without this argument, Excel uses its default system where Sunday is treated as day 1 and Saturday as day 7.

Each task now returns a number from 1 to 7, where values 6 and 7 correspond to Saturday and Sunday, making weekend starts easy to identify.

The numeric weekday component is successfully calculated for every row in the tracking table in Excel.

OS

Windows, macOS, iPhone, iPad, Android

Free trial

1 month

Microsoft 365 includes access to Office apps like Word, Excel, and PowerPoint on up to five devices, 1 TB of OneDrive storage, and more.


Calculate exact working durations without the weekend clutter

Using NETWORKDAYS to measure real work time

Calendar-based durations often overstate actual work time. A task running from Friday to Monday appears to take four days, even though only two are working days.

So, to calculate true working days between project milestones, add this column:

Column Name

Working Days

Formula

=NETWORKDAYS([@[Start Date]], [@[Due Date]])

Number Format

General

Excel returns the total number of working days between the start and due dates, counting both endpoints when they fall on working days.

To include holidays, create a separate range containing vacation dates (for example, starting in cell F2). Then, select the first Working Days formula cell, and extend the formula to:

=NETWORKDAYS([@[Start Date]], [@[Due Date]], $F$2:$F$5)

Using absolute references ($) ensures the holiday range does not shift when the formula is filled down the table.

When you press Enter, you’ll see that the calculation now excludes both weekends and holidays.

If your workweek is non-standard, use NETWORKDAYS.INTL to define custom weekend rules.

Map future deadlines and end-of-month cutoffs

Using WORKDAY and EOMONTH for automated scheduling

Beyond tracking existing timelines, Excel can generate future dates based on rules such as working durations and billing cycles.

To calculate a projected completion date based on working days, remove the Due Date column, then add these two columns.

Column 1:

Column Name

Expected Duration

Values

Manually enter the number of working days.

Number Format

General

Column 2:

Column Name

Projected Finish

Formula

=WORKDAY([@[Start Date]], [@[Expected Duration]])

Number Format

Date

Excel returns a date representing the expected completion based on the specified number of working days. It automatically skips weekends and returns the next valid working date.

To calculate billing cutoffs that always land on month-end, use this workflow:

Column Name

Billing Cutoff

Formula

=EOMONTH([@[Start Date]], 0)

Number Format

Date

Excel returns the last day of the month for each task, making billing cycles consistent.

Planning ahead with month-based review dates

Shifting dates across months with EDATE

Not all scheduling problems are about counting days. In real project work, you often work in monthly cycles—such as scheduled reviews, audits, or check-ins that repeat at predictable intervals.

For example, if a project phase starts on a given date, and you need to schedule a formal review three months later, Excel has a built-in function designed exactly for this. EDATE shifts a date by a specified number of months while preserving the day of the month when possible.

Here’s how to use it:

Column Name

Review Date

Formula

=EDATE([@[Start Date]], 3)

Number Format

Date

This moves the start date forward by three full months. For example, if the start date is June 1, 2026, Excel returns September 1, 2026.

You can also move backward in time when planning earlier review checkpoints, such as retrospective checks or pre-launch assessments. In those cases, you use a negative value:

=EDATE([@[Start Date]], -2)

Unlike day-based subtraction, EDATE respects calendar structure, making it more reliable than manually shifting dates.


Take control of your spreadsheet timelines

Ignoring Excel’s built-in date tools often leads to hours of manual updates and fragile spreadsheets. By understanding how Excel stores dates and using functions designed to work with them, you can build schedules that update themselves and forecast future milestones automatically. Once you’ve mastered tracking time with formulas, the next step is visualizing it—turn your data into a dynamic timeline that updates as your project evolves.



Source link