Most mid-tier financial services firms in the UK have an operational resilience programme. Many have had one since the March 2022 implementation deadline. A significant number invested heavily in frameworks, policies, and process maps in the run-up to the March 2025 embedding deadline.
The problem is not the absence of work. The problem is what that work produced: documentation that satisfies internal governance but would not survive direct supervisory scrutiny.
That distinction, between documentation and evidence, is now the defining regulatory risk for mid-tier firms in 2026. The PRA and FCA are no longer asking whether a framework exists. They are asking whether a firm can prove its resilience position holds under realistic operational stress. The two questions require fundamentally different answers, and the gap between most firms' current position and what regulators are now looking for is material.
This piece sets out what that gap looks like in practice, where it appears most often, and what the regulatory standard for evidence actually requires. It draws on FourthLine's delivery experience across insurers, banks, and investment firms at the mid-tier level, including work with Arch Insurance, Foresters Financial, Chetwood Financial, Hampden and Co, Ruffer Investment Management, Interactive Investor, and Novia Financial.
Why the Supervisory Environment Has Changed
The March 2025 deadline marked the end of the implementation phase. Firms were expected by that date to have identified their Important Business Services, set impact tolerances, mapped dependencies, completed scenario testing, and produced a board-approved self-assessment under PRA SS1/21 Chapter 8 and FCA SYSC 15A.
The regulatory focus has now shifted. Supervisors are not conducting tick-box assessments of whether a framework is in place. They are conducting evidence reviews: asking firms to demonstrate, with contemporaneous and independently verifiable documentation, that their resilience position is real, current, and tested.
This shift has significant practical implications. A firm can have a fully documented IBS library, a set of board-approved impact tolerances, and an annual scenario testing schedule on paper, and still fail to meet the supervisory standard if the evidence behind each of those elements does not hold up to examination.
The PRA's supervisory approach in 2026 is specifically probing the quality of evidence, not the existence of framework elements. FCA thematic review activity in the investment management and insurance sectors has similarly moved toward evidence depth as the primary assessment lens. For firms that completed implementation and then stepped back, the gap between their current documentation position and the current regulatory expectation is likely wider than their internal assessments suggest.
For firms with EU operations or EU-regulated group entities, DORA (Digital Operational Resilience Act), effective January 2025, introduces a parallel set of ICT resilience and third-party risk management obligations that create additional evidencing requirements on top of, and in some areas beyond, the FCA and PRA frameworks.
The Five Evidencing Gaps That Appear Most Consistently
Across FourthLine's assessment work with mid-tier firms, five gaps appear with sufficient regularity that they can be treated as structural characteristics of the sector's current position, rather than firm-specific failures.
Gap 1: Impact tolerances that describe capability rather than test it
Most mid-tier firms have impact tolerance statements. The majority were set in 2022 or 2023 and have not been substantially reviewed since. The typical format is a metric: a maximum tolerable period of disruption, expressed in hours or days, per Important Business Service.
The problem is that setting a tolerance is not the same as demonstrating it. Under PRA SS1/21 Chapter 5 and FCA SYSC 15A.3, impact tolerances must be validated through scenario testing. Supervisors are not satisfied by a documented tolerance; they want to see evidence that the firm has tested its ability to recover within that tolerance under realistic disruption conditions, and that the test produced contemporaneous findings, a documented outcome, and a clear remediation record where the tolerance was not met.
Many firms have tolerances that were set at a level their internal teams believed achievable but have never been stress-tested. The distinction matters because a tolerance that has not been tested is a statement of intent, not a demonstration of resilience. In a supervisory context, those are not equivalent.
Gap 2: IBS mapping that stops at the process level
Important Business Service mapping is one of the most commonly completed elements of initial implementation programmes. It is also one of the most consistently underdeveloped at the dependency level.
Under FCA SYSC 15A.2.4 and the PRA's expectations set out in SS1/21, IBS mapping must trace the dependency chain for each service across five resilience pillars: people, processes, technology, facilities, and third-party relationships. Process-level mapping, which describes what the service does without tracing the specific resources and relationships it depends on, is not sufficient for supervisory purposes.
The practical implication is that a firm with an IBS library that does not trace technology system dependencies, specific key-person dependencies, or third-party provider dependencies to the individual service level has not completed the mapping requirement to the regulatory standard, regardless of how comprehensive the documentation looks internally.
Gap 3: Scenario testing that confirms optimism rather than tests it
Scenario testing is an annual obligation under both PRA SS1/21 and FCA SYSC 15A. The PRA's expectation, confirmed through supervisory interaction across the sector, is that testing must be designed to expose genuine vulnerabilities rather than demonstrate compliance with a pre-agreed narrative.
The most common failure mode is scenario design that is insufficiently severe. If every test scenario results in a successful recovery within tolerance, either the firm is exceptionally resilient, or the scenarios are not realistic. Supervisors are increasingly sophisticated in distinguishing between the two.
A credible scenario testing programme designs scenarios that genuinely stress the firm's dependencies: technology outages affecting multiple IBS simultaneously, key personnel unavailability during peak operational periods, supplier failures that activate exit plan requirements, and correlated disruptions that cannot be resolved through standard recovery playbooks. The evidence pack for each test must include the scenario rationale, the testing methodology, the findings in full, the impact tolerance outcome (met or not met, per IBS), the lessons learned, and the remediation timeline.
Firms that have produced scenario testing records that describe the exercise process rather than document the evidence trail are carrying a material evidencing gap, even if the testing itself was substantive.
Gap 4: Supplier exit plans that exist on paper and nowhere else
The PRA's requirements under SS2/21 and the FCA's exit planning expectations under PS21/3 require firms to maintain documented exit strategies for material outsourcing arrangements and to test those strategies for operational and financial feasibility. DORA Article 28 introduces equivalent requirements for ICT service providers supporting critical or important functions, with specific documentation standards that go beyond the general SS2/21 obligation.
The typical mid-tier firm has exit plans in place. Most of those plans describe a managed, consensual transition to an alternative provider: the existing supplier cooperates, provides adequate notice, transfers data, and maintains service quality during the transition period.
Regulators are specifically testing whether firms have also modelled and tested a stressed exit: a scenario in which the supplier fails without warning, enters financial difficulty, or delivers materially degraded service with no cooperation during transition. These are fundamentally different planning problems, and the evidence required to demonstrate feasibility in a stressed scenario (people, systems, data access, alternative provider capability, and transition cost under operational disruption) is substantially more demanding.
The gap between a documented exit plan and a tested exit capability is one of the most commercially significant evidencing gaps in the sector, and it is the one that regulators are currently examining most closely.
Gap 5: Board reporting that describes activity rather than demonstrates resilience
PRA SS1/21 Chapter 8 requires boards to have approved the firm's self-assessment and to receive regular reporting on the operational resilience programme. FCA SYSC 15A creates equivalent governance obligations. The intent of both frameworks is that boards should be exercising genuine oversight, not receiving programme status updates.
The most common gap in board reporting is the distinction between activity-based MI and position-based MI. A board pack that shows scenario testing exercises completed, IBS maps updated, and gap register items closed is describing programme activity. A board pack that shows the current impact tolerance status per Important Business Service, the evidenced outcome of scenario testing (tolerance met or not met), the current supplier exit capability against the SS2/21 standard, and the regulatory horizon implications for the coming quarter is reporting the firm's resilience position.
Supervisors reviewing board packs are specifically looking for evidence that the board is receiving the latter, not the former. Boards that are not receiving position-based reporting are not in a position to exercise the accountability that the SM and CR framework, via the SMF24 designation, requires them to hold.
What Regulator-Ready Evidence Actually Contains
Understanding the gap is necessary. Understanding what is required to close it is the more commercially urgent question.
Regulator-ready evidence is not the same as comprehensive documentation. The distinction is testability: every element of the evidence base must be independently verifiable, contemporaneous, and traceable to a specific regulatory requirement.
In practice, a programme that meets the supervisory standard in 2026 contains the following across each Important Business Service:
An IBS identification rationale that documents why each service was selected, with reference to customer harm criteria, the firm's risk appetite, and any changes to the operating model since original identification. The rationale must be board-acknowledged and version-controlled.
Dependency mapping that traces each service to specific people, technology systems, physical facilities, and third-party relationships, with the criticality of each dependency rated and the single points of failure identified. Mapping must reflect the firm's current operating model: a map that was accurate in 2023 but has not been updated following material technology changes or supplier transitions is not evidentially valid.
Impact tolerance statements that are metric-based, connected to customer harm thresholds, and supported by stress-testing evidence. Each tolerance must have a documented validation history: when was it last tested, what was the outcome, and what remediation action followed from any tolerance breach during testing.
Scenario testing records that include: the scenario selection rationale (why this scenario is severe but plausible for this firm), the testing methodology, the participants, the outcomes per IBS (tolerance met or not met), the findings in full, the lessons learned, and the remediation timeline with ownership. Records must be dated and version-controlled.
Supplier exit evidence that distinguishes between documented plans and tested capability, with separate evidence for non-stressed and stressed exit scenarios for each material outsourcing arrangement.
Board reporting that shows position, not activity, with a documented record of board challenge, board approval of the self-assessment, and board acknowledgement of any material finding.
A regulatory traceability matrix that maps the firm's evidence holdings to specific requirements under the applicable frameworks, identifying where evidence exists, where it is partial, and where it is absent.
This is the standard that supervisors are now applying. It is achievable for mid-tier firms, but it requires a structured gap assessment to establish the current position before remediation can be sequenced appropriately.
What to Do if You Recognise This Position
The firms that are best positioned in 2026 are not those that built the most comprehensive documentation programmes before the March 2025 deadline. They are those that have been most honest about the gap between their documentation position and their evidence position, and have taken structured, sequenced action to close it.
The first step for any firm that has not recently had an independent, structured review of its evidence holdings is to establish an accurate current-state position. Internal reviews, conducted by the team responsible for the programme, are rarely sufficient: they are conducted by people who built the framework, using the same assumptions that shaped it. The evidencing gap is most commonly invisible to the people closest to the programme.
FourthLine's Diagnostic Assessment is a fixed-fee, 4 to 6 week independent review of a firm's operational resilience programme against the current supervisory standard. It produces a current-state assessment report, a prioritised gap register, a regulatory traceability matrix, and a board-ready remediation roadmap, delivered by senior practitioners with direct experience of PRA and FCA supervisory interaction across the insurance, banking, and investment sectors.