The most common cause of operational resilience programme regression in mid-tier financial services firms is not supervisory pressure, not a change in regulatory requirements, and not a failure of intent. It is the departure of the person who built it.
When a Head of Operational Resilience leaves, takes a new role internally, or is redeployed to cover a vacancy elsewhere in the business, the knowledge that sits with that individual does not transfer automatically. The IBS mapping logic, the scenario testing design rationale, the supplier exit plan assumptions, the informal understanding of why specific tolerance levels were set: these exist in the person, not in the documents. The documents exist because the person existed. When the person leaves, the documents remain, but the programme's ability to maintain itself, develop credibly, and respond intelligently to regulatory developments does not.
The same dynamic applies when the SMF24 changes. A new SMF24 inherits accountability for a programme they did not build, did not design, and may not fully understand. They receive the gap register, the self-assessment, and the board reports. They do not receive the judgement about which gaps are genuinely critical and which are minor, what the supervisory posture of the regulator toward this firm looks like, or what the next 12 months of regulatory development implies for the programme's priorities.
This article describes why leadership change is the primary structural risk to programme continuity, what happens to evidence quality in the months after a key departure, and what embedded expertise means as a structural solution to a structural problem.
Why Programme Knowledge Does Not Live in Documents
Operational resilience programmes generate significant documentation. IBS registers, impact tolerance statements, dependency maps, scenario testing records, self-assessments, board MI packs, gap registers: a mature programme at a mid-tier firm will have dozens of artefacts. On the day of a key departure, every one of those documents still exists.
What does not survive the departure is the interpretive layer that makes the documentation useful.
The IBS register identifies which services are in scope. It does not record why the services were selected at that level of granularity rather than at a broader or narrower level, why one service that was considered was excluded, or what the rationale was for the impact tolerance set for each service. That rationale exists in the memory of the person who built it.
The scenario testing records document what was tested and what was found. They do not record the judgements made during test design about which scenarios were selected and why, which dependencies were prioritised for stress, and what the team learned about the firm's resilience architecture in the process of designing the test. Those judgements inform how the next test should be designed. When the person who made them leaves, the next test is designed by someone who is starting again.
The gap register lists open items and their status. It does not record the informal understanding of which items are genuinely dangerous and which are theoretical risks that have been on the register for two years because no one has prioritised them, or why the remediation timeline for a particular item has slipped twice without triggering concern. That understanding guides prioritisation. Without it, a new owner will either treat all items equally, which is inefficient, or make prioritisation judgements from scratch, which is slow and likely to miss the things that matter.
This knowledge loss is not a failure of documentation standards. It is a structural feature of how expertise-intensive programmes work. The people who build them carry knowledge that cannot be fully codified, and the programmes depend on that knowledge to function at the level their regulatory obligations require.
The Regulatory Obligation Does Not Pause for Transition
Under PRA SS1/21 and FCA SYSC 15A, operational resilience obligations are standing annual requirements. The scenario testing cycle does not pause because a Head of Operational Resilience has just departed. The quarterly board MI pack is due whether or not the person who wrote the last three is still in post. The IBS mapping maintenance review is required regardless of who is currently responsible for it.
The gap between a key departure and an effective handover is typically measured in months. Recruitment takes time. Onboarding takes more. A new Head of Operational Resilience with no prior context for the programme will spend the first quarter understanding what exists, the second quarter understanding why it exists, and the third quarter beginning to form their own judgements about what needs to change. Only in the fourth quarter do they begin adding value that exceeds the cost of their transition.
During that period, the programme is functionally unstaffed at the level of expertise required to maintain it. The scenario testing that falls due in month three is designed by someone who does not yet understand the firm's dependency architecture well enough to design a scenario that genuinely stresses it. The board MI pack that falls due in month two is produced by a team that does not have a senior practitioner to interpret the programme's current position against the regulatory standard. The gap register that should be progressing is stalled because no one has the authority or the knowledge to make the prioritisation decisions that keep it moving.
The regulatory clock does not pause for any of this. The PRA and FCA do not accept leadership transition as a reason for programme drift. If a thematic review or a supervisory engagement falls during this period, the firm's exposed position is not a consequence of bad intent. It is a consequence of a structural vulnerability that was not managed.
Three Scenarios Where Leadership Change Creates Acute Exposure
A new SMF24 appointment seeking a baseline. When an SMF24 changes, the incoming senior manager takes on personal regulatory accountability for a programme they did not build. The risk is not that they are incompetent. It is that they are accountable from day one for a position they do not yet understand. The most urgent need for a new SMF24 is an independent, honest account of where the programme actually stands: not the outgoing SMF24's final assessment, not the internal team's current update, but an external view applied by practitioners who did not build the framework and who can tell the new SMF24 what the programme's genuine current regulatory exposure is. Without that independent baseline, the new SMF24 begins their accountability period relying on the assessments of the team whose work they are accountable for overseeing.
A Head of Operational Resilience departure mid-cycle. A departure that falls in Q2, when the annual scenario testing programme is in design phase and the self-assessment refresh is approaching, creates immediate practical risk. If the person who would have designed the test has left, the test either does not happen, happens late, or happens at an inadequate quality level delivered by resource that is not sufficiently familiar with the firm's dependency architecture. In a year when the PRA or FCA has confirmed supervisory engagement, this is the scenario that creates maximum exposure.
An M and A event or group restructuring. Post-transaction integration frequently involves the departure of the resilience lead from one or both entities, combined with a period of operating model change that makes the existing IBS mapping, impact tolerance statements, and supplier exit plans factually inaccurate. The firm carries regulatory obligations during the integration period that its programme is no longer correctly calibrated to meet.
What Embedded Expertise Provides That Documentation Does Not
The structural solution to programme knowledge dependency is not better documentation. It is the presence of an experienced practitioner who carries methodology, regulatory knowledge, and delivery capability independently of any individual within the firm's internal team.
FourthLine's Embedded Resilience Practitioner model places a named senior associate within the client's programme on a fixed monthly basis, working two to three days per week, under the client's direction, with FourthLine's methodology and quality assurance throughout. The associate is not a contractor and not a temporary placement. They are a FourthLine associate delivering a managed service: IR35 sits entirely with FourthLine, the client receives a single monthly invoice, and the engagement is governed by a FourthLine Statement of Work.
The associate arrives equipped with FourthLine's full methodology toolkit: IBS mapping frameworks, scenario design libraries, BIA workbooks, board reporting standards, and regulatory traceability templates. They do not need to be oriented to the technical requirements of the programme; they need to be oriented to the firm's specific context. That orientation takes one week, not one quarter.
Across seven defined workstreams, the associate delivers the activities that a senior internal Head of Operational Resilience would deliver: IBS maintenance, scenario testing design and facilitation, quarterly board MI production, TPRM programme support, regulatory horizon scanning, and supervisory preparation. Where a departure has created a gap, the associate fills it from the week of mobilisation. Where a new SMF24 needs an independent programme baseline, the associate provides it before taking up the ongoing workstream.
The model is not designed to replace internal resource permanently. It is designed to provide continuity of expertise and methodology during the periods when internal capacity is insufficient, and to build internal capability alongside delivery so that when the firm does recruit a permanent Head of Operational Resilience, that person joins a programme that is current, maintained, and understood.
The Commercial Comparison
The Embedded Resilience Practitioner is priced from £10,000 per month on a fixed monthly contract with no minimum term. That compares to the following alternatives.
An interim contractor at day rates for an experienced operational resilience specialist will typically cost between £700 and £1,100 per day. At two to three days per week, the monthly cost is between £5,600 and £13,200 at these rates, before agency margins, before IR35 exposure if the firm is a medium or large employer, and before the risk that the contractor brings no established methodology and no quality oversight.
A permanent senior hire at Head of Operational Resilience level will typically be remunerated between £90,000 and £130,000 per annum, before employer national insurance, pension contributions, benefits, and the recruitment cost. The total employment cost is between £110,000 and £160,000 per annum. The hire takes three to six months to recruit and a further three to six months to reach full effectiveness.
The Annual Resilience Retainer, at £60,000 to £90,000 per annum, is the right solution for firms that want FourthLine to own and manage the full workplan within a defined annual deliverable schedule. The Embedded Practitioner, at from £120,000 per annum at two to three days per week, is the right solution for firms that want embedded day-to-day capacity with client-directed scope and regular physical presence in the team. The right choice between the two depends on how much operational control the firm wants to retain and whether embedded presence is a priority.
The Resilience Programme That Survives
A resilience programme that survives leadership change is not one that has been documented more comprehensively. It is one that carries its methodology and regulatory intelligence in a structure that does not depend entirely on any single individual within the firm.
For mid-tier firms that have experienced or are anticipating a leadership change in their resilience function, the most effective immediate action is to ensure that the knowledge required to maintain the programme does not depart with the individual. Whether that means commissioning a Diagnostic Assessment to create an honest independent baseline before a departure, or mobilising an Embedded Practitioner to provide continuity of expertise from the point of transition, the structural risk of programme knowledge dependency is manageable if it is addressed before the departure creates the gap rather than after.
FourthLine has delivered resilience programmes that have survived leadership change, M and A integration, and SMF24 transitions across insurance, banking, and investment management clients. The starting point is a scoping conversation to understand the firm's specific situation and recommend the right configuration: Diagnostic Assessment, Annual Resilience Retainer, or Embedded Practitioner.