Arch Insurance / Insurance / PRA SS1/21

From Scrutiny Notice to Regulator-ReadyHow FourthLine rebuilt a mid-tier insurer's operational resilience evidence in 10 weeks ahead of PRA supervision.

16 weeks from instruction.

The challenge

A London-based general insurer with 350 staff received notification of an upcoming PRA supervisory engagement with a specific focus on operational resilience. An internal review by the SMF24 surfaced a material problem: the firm had a well-built framework, but the evidence behind it had not been refreshed in over 18 months.  IBS mapping had not been updated following a 2023 organisational restructure. No scenario testing had been conducted since a single exercise two years prior. The board had received activity updates but had no position-based MI showing current impact tolerance status, vulnerability findings, or a traceable governance trail.
 
The PRA engagement was 10 weeks out. Three structural gaps needed to be closed before it. Mapping currency: IBS mapping reflected the firm's pre-2023 operating model. A delegated authority business integrated during 2023 had introduced people, systems and third-party relationships not mapped to any Important Business Service.  Scenario testing evidence: One exercise had been completed in early 2023 with no findings report, no formally tracked remediation, and no subsequent testing in the two years since.  Board governance trail: The board had approved the self-assessment in early 2024 and received nothing substantive since. There was no MI showing current tolerance status per IBS, no record of board challenge on identified vulnerabilities, and no evidence of investment decisions linked to resilience findings.

What FourthLine delivered

  • Refreshed IBS mapping: updated across all four Important Business Services, incorporating 11 new technology dependencies and three previously unregistered material outsourcing arrangements from the integrated delegated authority business 

  • Threats and vulnerabilities register: ranked assessment across people, process, technology, facilities and third-party resilience pillars 

  • Scenario test report (technology outage): full exercise covering policy administration system failure, tolerance position, and three immediate remediation actions 

  • Scenario test report (supplier exit): full exercise covering claims processor administration scenario, with exit feasibility assessed against SS2/21 and two contractual gaps escalated to legal and procurement 

  • Refreshed self-assessment: fully redrafted to SS1/21 chapter 8 standard, reflecting current mapping, validated impact tolerances, testing outcomes and remediation status; board-approved prior to PRA engagement 

  • Board operational resilience MI pack: position-based reporting showing current tolerance status per IBS, scenario outcomes, remediation tracker and investment recommendations; approved at dedicated board session 

The PRA supervisory engagement concluded without material findings. The supervisor noted the quality of the updated mapping and the substance of scenario testing evidence as indicators of a programme taken seriously at senior management level.


The board approved a self-assessment and MI pack that gave them a genuine, evidence-based view of the firm's resilience position for the first time. Three critical vulnerabilities were remediated within the programme timeline. The SMF24 could demonstrate active governance oversight with a traceable decision trail.


Beyond the supervisory engagement, the programme produced a structural shift in how the board engaged with operational resilience. Position-based MI replaced activity updates, and board members began asking substantively different questions: about specific vulnerability timelines, supplier exit readiness, and the investment case for outstanding remediation. That governance dynamic is precisely what SS1/21 is designed to produce.


FourthLine was retained on an Annual Resilience Retainer following programme completion, providing ongoing scenario testing, self-assessment refresh, and board MI support.

What sets FourthLine apart is that the person who sells the engagement is the person who delivers it. Senior expertise throughout, not just at the proposal stage. The quality of the evidence pack they produced would not have looked out of place coming from a Big Four firm, at a fraction of the cost. 

Arch Insurance
View Case Study

Start with a Diagnostic Assessment

A structured 4–6 week assessment of your Banking firm's operational resilience position against PRA and FCA requirements. Fixed fee: £15k–£25k. Board-ready gap report delivered within 6 weeks

Book a scoping call with Kieran