
The Diagnostic Assessment: What It Covers, What You Receive, and What Happens Next

Written by Kieran Maplesden | May 21, 2026 11:39:29 AM

If you have been reading about operational resilience evidence gaps, supervisory expectations, or the difference between documentation and regulatory-grade evidence, at some point the same question will occur to you: where does my firm actually stand?

The Diagnostic Assessment is the product that answers that question. This article describes precisely what it involves, what it is not, what the client receives at the end of it, and what the realistic path forward looks like once it is complete. It is written for CROs, COOs, and Heads of Operational Resilience who are considering commissioning one but want a clear picture of the engagement before starting a conversation.

What the Diagnostic Assessment Is

The Operational Resilience Diagnostic Assessment is a fixed-fee, 4 to 6 week independent review of a firm's operational resilience programme against the current regulatory evidencing standard. It is a gap analysis, not an implementation programme. It establishes an honest, evidenced account of the firm's current position, identifies the specific gaps between that position and the standard regulators are applying in 2026, and produces a prioritised roadmap for closing those gaps.

The Diagnostic exists because the question "are we compliant?" and the question "would our evidence survive supervisory scrutiny?" require different methods to answer. An internal team can answer the first question based on its own knowledge of the programme. The second question requires an external practitioner to apply the supervisory lens to the firm's actual evidence holdings, without the assumptions and editorial judgements that inevitably shape any team's view of its own work.

The Diagnostic is the starting point for firms that want an honest answer to the second question.

What It Is Not

Before describing what the Diagnostic covers, it is worth being explicit about three things it is not.

It is not a documentation audit. The Diagnostic does not review whether the firm has the right policies in place or whether its framework structure is complete. Framework completeness was the relevant question before March 2025. Evidence quality is the relevant question now. The assessment reviews whether the evidence held against each programme element would satisfy a PRA or FCA supervisor, not whether the element exists.

It is not a large engagement. At 4 to 6 weeks and a defined scope, the Diagnostic is designed to move at pace and produce actionable findings quickly. The client does not need to clear diaries for an extended project. The demand on internal time is focused on four to six structured practitioner interviews and document provision, not a months-long programme workstream.

It is not a sales process dressed as an assessment. The Diagnostic findings are honest and independent, which means they will reflect the programme's actual position, including its strengths. If a firm's scenario testing evidence is solid and its IBS mapping is current, the Diagnostic will say so. The findings are not calibrated to produce a remediation engagement. They are calibrated to reflect what a supervisor would find.

What the Diagnostic Covers

The assessment reviews the firm's operational resilience programme across six domains. Each domain maps directly to a specific regulatory obligation under PRA SS1/21, FCA SYSC 15A, or DORA where applicable.

IBS identification and impact tolerance validation. Whether the firm's current IBS selection is defensible against a PRA or FCA supervisor's scrutiny, whether the impact tolerance statements are metric-based and connected to customer harm thresholds, and whether those tolerances have been validated through scenario testing. This is the domain where the most significant gaps are typically found.

IBS mapping currency. Whether the dependency mapping for each IBS accurately reflects the firm's current operating model across people, processes, technology, facilities, and third-party relationships. Maps produced in 2022 or 2023 that have not been maintained following organisational or technology changes are assessed against the current standard, not the standard at the time they were produced.

Scenario testing quality and evidence. Whether the firm's annual testing is designed to expose genuine vulnerabilities, whether the evidence produced meets the SS1/21 evidencing standard, and whether the findings, lessons learned, remediation tracker, and board reporting trail are complete. This is the domain most commonly assessed as partially adequate rather than either strong or absent.

Supplier exit planning and tested capability. Whether exit plans exist for material outsourcing arrangements, whether they address both managed and stressed exit scenarios, and whether there is testing evidence to support the feasibility claims made in the plans. Where DORA applies, the review assesses Article 28 contractual compliance and per-service exit documentation against the DORA standard.

Board reporting adequacy. Whether the board is receiving position-based reporting or activity-based reporting, whether the self-assessment meets the SS1/21 Chapter 8 standard, and whether the SMF24 has the contemporaneous evidence trail needed to demonstrate active oversight.

Regulatory traceability. Whether the firm can map its current evidence holdings to specific regulatory requirements across the applicable frameworks, and whether that mapping identifies where evidence is present, partial, or absent. This element produces one of the four deliverables at close.

The Three-Phase Engagement Structure

Phase 1: Mobilise and baseline (Week 1). The engagement opens with a kick-off meeting confirming scope, document requirements, and interview scheduling. FourthLine reviews the firm's existing programme documentation against a structured assessment framework and begins building the regulatory traceability matrix. The document review phase establishes the baseline position and identifies the areas requiring the deepest interview scrutiny in Phase 2.

Phase 2: Assessment and analysis (Weeks 2 to 4). Four to six structured practitioner interviews are conducted with the SMF24, Head of Operational Resilience, COO, and where relevant the Head of Third Party Risk and IT Director. These interviews test programme substance, not documentation existence. The assessment team develops the gap register and rates each finding by regulatory severity across four bands: Urgent, High, Moderate, and Low. The rating reflects both the regulatory exposure the gap creates and the time required to close it.

Phase 3: Findings and roadmap (Weeks 5 to 6). The findings are written up as the current-state assessment report, the gap register is finalised with severity ratings and sequencing logic, and the remediation roadmap is structured for board presentation. A findings session is held with the SMF24 and relevant ExCo members. Where the Annual Resilience Retainer is the recommended next step, a retainer proposal scoped directly to the findings is presented at this session.


What the Client Receives

At the close of the Diagnostic Assessment, the client receives five deliverables.

The current-state assessment report is a full written document with rated findings across all six domains, an evidenced assessment of the gap to the 2026 regulatory standard, and the factual basis for each finding referenced to specific programme evidence reviewed during the engagement.

The prioritised gap register is an annotated remediation backlog distinguishing critical regulatory exposure from medium-term development priorities, with each item sequenced by the combination of regulatory severity and delivery feasibility. This is the document the SMF24 uses to manage the remediation programme and brief the board on the current position.

The regulatory traceability matrix cross-references the firm's current evidence holdings against each applicable regulatory requirement under PRA SS1/21, FCA SYSC 15A, and DORA where in scope. It identifies, for each requirement, whether the firm holds compliant evidence, partial evidence, or no evidence. This document is structured for use in supervisory engagement.

The board-ready summary pack is a two-page executive summary of the findings, formatted for presentation to the board or Risk Committee. It presents the firm's current regulatory position, the highest-priority gaps, and the proposed remediation approach in a format that enables the board to exercise genuine governance oversight of the findings and the response.

The findings presentation is a structured session with the FourthLine lead at which all findings are presented and discussed, including recommended sequencing, the retainer proposal where applicable, and direct answers to the SMF24's questions about the programme's current regulatory exposure.

What Happens After the Diagnostic

For most firms, the Diagnostic findings identify a programme of work that extends beyond a one-off project. The gap register typically reveals a combination of items that can be addressed quickly, items that require a structured 12-month programme, and items that will persist as ongoing maintenance obligations for as long as the firm carries its regulatory obligations.

Where the Annual Resilience Retainer is the right next step, the retainer proposal presented at Diagnostic close is scoped directly to the findings. There is no second discovery process and no duplicated work. The retainer team picks up from the Diagnostic gap register and builds from there. For firms that proceed from Diagnostic to Retainer, the Diagnostic fee is typically offset against the Year 1 retainer investment.

For firms that are not yet ready to commit to a 12-month retainer, the gap register and remediation roadmap are independently useful. They give the SMF24 a clear, sequenced action list that the internal team can begin working through immediately, with the option to return to FourthLine for specific workstreams as capacity and budget allow.

The Diagnostic does not create a dependency on FourthLine for future work. It creates a clear picture of where the programme stands and what it needs, and the client decides what to do with that picture.

The Commercial Structure

The Diagnostic Assessment is fixed fee. Scope is defined at the outset. There are no day-rate overruns and no scope creep provisions that allow the engagement to expand without the client's explicit agreement.

Three fee tiers apply based on firm complexity. Standard tier (single-regulated firm, up to four IBS, standard complexity): £15,000 to £18,000 plus VAT. Enhanced tier (dual-regulated firm, up to six IBS, higher supplier complexity or DORA in scope): £18,000 to £22,000 plus VAT. Complex tier (complex group structure, Lloyd's syndicate, international operations, or seven or more IBS): £22,000 to £25,000 plus VAT. Payment is 50 per cent on engagement, 50 per cent on delivery of the final report.

To establish which tier applies, the starting point is a 30-minute scoping call. No proposal is issued before that conversation. The scoping call is the point at which FourthLine confirms whether the Diagnostic is the right entry point for the firm's situation, outlines what the engagement would involve, and answers the questions that matter before a procurement decision is made.
