The March 2025 PRA and FCA operational resilience deadline passed. For most mid-tier insurers, it was treated as the end of a significant build phase. Frameworks were completed, self-assessments were board-approved, and internal teams were stood down from the intensity of implementation.
What is now becoming clear is that the deadline was not an endpoint. It was the beginning of a different and considerably more demanding phase: active supervisory examination of whether the resilience evidence insurers hold would survive direct scrutiny from the PRA.
The supervisory question in 2026 is not whether a framework exists. It is whether the evidence behind that framework is contemporaneous, independently verifiable, and traceable to the specific obligations under PRA SS1/21. That is a substantially higher bar than documentation compliance, and the gap between where most mid-tier insurers currently sit and where the PRA expects them to be is the defining regulatory risk in the sector this year.
What the PRA Is Specifically Testing For
The PRA's supervisory approach for dual-regulated insurers in the current cycle is focused on four areas in particular. Understanding precisely what is being examined matters, because the preparatory work differs significantly depending on which element is under scrutiny.
Evidence quality behind impact tolerances. Setting impact tolerances to PRA SS1/21 Chapter 5 was required by March 2025. What the PRA is now probing is whether those tolerances have been validated: whether the firm has run scenario testing that specifically tests recovery within the stated tolerance, under conditions that are genuinely severe, and whether the output of that testing was documented to a standard that would support supervisory examination. A tolerance statement that has not been tested is not evidence of resilience. It is a documented aspiration, and supervisors are making that distinction explicitly.
IBS mapping depth and currency. PRA supervisors are examining whether Important Business Service mapping traces the full dependency chain per service, across all five resilience pillars: people, processes, technology, facilities, and third-party relationships. The question is not whether an IBS register exists but whether it reflects the firm's operating model as it currently stands, including any technology change, outsourcing arrangement, or organisational restructuring since original mapping was completed. Stale mapping creates a gap between the firm's stated resilience position and its actual one, and that gap is precisely what supervisory engagement is designed to surface.
Scenario testing design and evidence standards. Under PRA SS1/21 Chapter 7, annual scenario testing must be designed against scenarios that are severe but plausible for the specific firm. The evidencing standard requires: the scenario rationale, the methodology, the test execution record, the findings in full, the impact tolerance outcome (met or not met, per IBS), the lessons learned, and the remediation actions with named owners and completion dates. Scenario testing that describes the exercise process without producing a complete evidence trail does not meet this standard, regardless of how substantive the exercise itself was.
Self-assessment completeness and board engagement. PRA SS1/21 Chapter 8 requires a written self-assessment that reflects the firm's current resilience position and has been approved by the board. The PRA is examining both the document's substance and the governance process behind it: whether the board genuinely engaged with the content, whether material findings are honestly reflected, and whether there is a documented record of board challenge and approval. A self-assessment that is produced for compliance purposes rather than for genuine board oversight is unlikely to satisfy a supervisor who asks to see the board discussion that preceded approval
Why Insurance Firms Face Particular Challenges in This Phase
The supervisory environment is the same for all PRA-regulated firms. The specific challenges facing mid-tier insurers are not.
The insurance sector carries a set of operational dependencies that create above-average complexity in both IBS mapping and supplier exit planning. Claims handling platforms, policy administration systems, reinsurance settlement processes, and third-party loss adjusters are frequently the most operationally critical dependencies for insurers, and they are also the most difficult to map accurately at the dependency level, maintain as operating models evolve, and test under stressed exit conditions.
For Lloyd's market participants, the complexity is compounded. Syndicates and coverholders operating within the Lloyd's framework face operational resilience obligations under both the PRA and FCA regulatory frameworks and Lloyd's Corporation's own requirements. The interaction between those obligations is not always straightforward, and firms that have addressed PRA and FCA requirements without considering how Lloyd's standards apply to their specific structure may have a gap they are not aware of.
The third area of particular exposure for insurers is the relationship between PRA SS1/21 and PRA SS2/21, which governs ICT and technology resilience. For insurers with significant technology dependencies supporting their Important Business Services, the ICT resilience obligations under SS2/21 create a parallel evidence requirement that sits alongside the operational resilience evidence standard under SS1/21. Firms that have addressed one without the other are not in a complete regulatory position, and supervisors are examining both.
What Preparedness Looks Like in Practice
The insurers that are best placed for supervisory examination in 2026 are not those with the most extensive documentation libraries. They are those whose evidence is current, tested, and traceable.
Current means that IBS mapping, impact tolerance statements, and supplier exit plans reflect the firm's operating model as it stands today, not as it stood when the framework was first built. Maintaining currency requires a structured review process, not a one-time completion exercise.
Tested means that impact tolerances have been validated through scenario testing designed to find genuine weaknesses, not to confirm pre-existing assumptions. The scenario testing record must be able to demonstrate to a supervisor that the firm knows where its resilience position holds and where it does not, and what it has done about the latter.
Traceable means that every element of the evidence base can be mapped back to a specific regulatory obligation. A regulatory traceability matrix, cross-referencing the firm's evidence holdings against PRA SS1/21 and FCA SYSC 15A requirements, is the most efficient way to demonstrate this position both internally and under supervisory examination.
The firms that are most exposed are those where internal resource has maintained the programme at a level sufficient to satisfy internal governance but has not systematically validated the evidence quality against the supervisory standard now being applied. The gap between those two positions is rarely visible from inside the programme.
The Role of an Independent Assessment
For most mid-tier insurers, the most useful first step is an independent assessment of the current evidence position, conducted by practitioners with direct experience of PRA supervisory interaction in the insurance sector.
An independent view produces three things that internal review cannot. First, it applies the supervisory lens: asking the same questions a PRA supervisor would ask, rather than the questions an internal team would ask of its own work. Second, it identifies the gap between the firm's current evidence position and the standard being applied in 2026, giving the CRO and the SMF24 an honest account of where the firm stands before the regulator provides its own assessment. Third, it produces a prioritised remediation roadmap that sequences the most significant gaps by regulatory risk, enabling the firm to address its highest exposures first rather than working through a flat list of findings.
FourthLine has delivered operational resilience programmes for insurance sector clients including Arch Insurance, Foresters Financial, and Hampden and Co. Our Diagnostic Assessment is a fixed-fee, 4 to 6 week engagement that produces a current-state assessment report, a regulatory traceability matrix, and a board-ready remediation roadmap. It is the starting point for insurers who want an honest, independent account of where their programme stands before the PRA's examination finds it for them.