Every mid-tier insurer we have assessed has gaps in their operational resilience programme. That is not a criticism. It is a structural observation about how implementation programmes work, how internal resource gets redeployed after a deadline passes, and how the distance between building a framework and maintaining it to a supervisory standard grows quietly over time.

The five gaps described in this article are not hypothetical risks. They are the findings that appear, in some form, in every Diagnostic Assessment FourthLine has delivered to a mid-tier insurance firm. They appear in Lloyd's syndicates and standalone insurers, in specialist lines firms and in MGAs, in firms that invested heavily in implementation and in firms that moved faster with lighter resource. The patterns are consistent enough that an insurance CRO reading this article should be able to locate their own programme in what follows.

This is not a general overview of the operational resilience framework. It is a description of what actually goes wrong, why it goes wrong in the insurance sector specifically, and what the consequences are when a PRA supervisor asks to see the evidence.

Gap 1: Impact Tolerances That Have Never Been Genuinely Tested

The most common gap in mid-tier insurance programmes is the simplest to state and the hardest to close quickly: impact tolerance statements that describe what the firm believes it can recover within, supported by no testing evidence that confirms it can.

Impact tolerances were required by the March 2025 deadline. Most insurers have them. The typical format is a metric per Important Business Service: a maximum tolerable period of disruption expressed in hours or days. The problem is that these tolerances were set, in most cases, during the implementation phase by internal teams who applied professional judgement about what the firm should be able to achieve. Reasonable people. Reasonable judgements. But judgements that have never been stress-tested.

Under PRA SS1/21 Chapter 5, the tolerance must be validated through scenario testing. The supervisory question is not whether the tolerance is set. It is whether the firm has run a scenario that specifically tests recovery within that tolerance under realistic disruption conditions, and whether the output of that test was documented to a standard that demonstrates the position rather than merely asserts it.

What makes this gap distinctively difficult for insurers is the nature of their IBS architecture. Claims handling, policy administration, and underwriting platforms are frequently operated through outsourced or co-sourced arrangements with specialist technology providers whose recovery capabilities have not been independently verified against the insurer's tolerance statements. The tolerance says recovery within 24 hours. The technology dependency has never been stress-tested to confirm that is achievable. The gap between those two positions is invisible until a scenario test or a real incident makes it visible.

The remediation is not complex in concept: design a test that specifically targets the tolerance, build the evidence pack during the test, and produce a formal outcome statement per IBS. The difficulty is that doing this properly requires external facilitation and a test design that is genuinely severe rather than confirmatory. Internal teams rarely design tests that find their own weaknesses. That is not a character failing. It is how human beings behave when they are assessing work they built.

Gap 2: IBS Mapping That Stops at the Process Level

Important Business Service mapping is one of the most commonly completed elements of mid-tier insurance programmes. It is also one of the most consistently underdeveloped at the dependency level.

Under FCA SYSC 15A.2.4 and PRA SS1/21, IBS mapping must trace the full dependency chain for each service across all five resilience pillars: people, processes, technology, facilities, and third-party relationships. The PRA's supervisory expectation, expressed in SS1/21 and confirmed through engagement with firms across the insurance sector, is that mapping must be granular enough to identify single points of failure and to inform scenario design.

What FourthLine consistently finds is mapping that describes what the IBS does without tracing the specific resources and relationships it depends on. A claims handling service is mapped to a claims processing platform, but not to the specific individuals whose absence would prevent that platform from being operated, the third-party loss adjusters whose unavailability would prevent claims from being assessed, or the reinsurance settlement process whose delay would prevent the firm from managing its exposure during an extended disruption.

This matters in two ways. First, it means the firm's scenario testing cannot be properly designed: if you do not know what your IBS depends on at the granular level, you cannot design a test that stresses those dependencies realistically. Second, it means the dependency map cannot support the firm's supplier exit planning: if the critical people, systems, and third parties for each IBS are not identified, the exit planning for material outsourcing arrangements cannot be properly scoped.

The insurance sector has a specific compounding factor here. The operating models of mid-tier insurers change. Delegated authority arrangements are added or modified. Technology platforms are migrated. Specialist underwriters join or leave. Each of these changes has the potential to alter the dependency structure of an IBS, and without a structured quarterly mapping review process, the map becomes stale. A map that was accurate in 2023 but has not been maintained since is not evidentially valid in 2026, and a supervisor will ask when it was last updated.


Gap 3: Scenario Testing Designed to Confirm Rather Than Challenge

Annual scenario testing is an explicit obligation under PRA SS1/21 Chapter 7. Most mid-tier insurers are running annual tests. The gap is not in whether testing happens. It is in whether the testing is designed to find genuine weaknesses or to confirm that the firm's existing plans work.

The pattern FourthLine identifies most frequently is scenario design that begins from the recovery plan rather than from the dependency structure. The scenario is designed around a disruption that the recovery plan already addresses. The test runs through the recovery steps. The plans are confirmed to work. The outcome is documented. The test is signed off.

What is absent is the question that a PRA supervisor would ask: was this scenario severe enough to genuinely stress the firm's resilience position? A scenario that results in every IBS recovering within tolerance, from a test designed by the team that wrote the recovery plans, using participants who know the plans in advance, does not produce the kind of evidence that demonstrates genuine resilience. It produces evidence that the firm can execute a planned response to a pre-briefed scenario. Those are not the same thing.

The PRA has been explicit, through supervisory engagement across the insurance sector, that a testing programme that consistently produces clean outcomes raises questions about scenario design rather than confirming resilience. If the tests never find anything, the scenarios are not severe enough.

A credible scenario testing programme for an insurer in 2026 involves: scenarios designed from the current dependency map rather than from the recovery plan; at least one scenario each year that involves simultaneous failure of multiple critical dependencies; participation from the people who would actually manage the response, not a practised working group; and an evidence pack that captures genuine decision-making under scenario conditions, not a narrative of what happened after the fact.

The consequence of continuing to run confirmatory testing is not simply a gap in the evidence. It is a gap that a supervisor will identify quickly and probe directly. The question "what did this test find?" is easy to answer if the test was genuinely challenging. It is very difficult to answer credibly if it was not.

Gap 4: Supplier Exit Plans That Exist on Paper and Nowhere Else

Mid-tier insurers are heavily dependent on third-party suppliers for their most operationally critical activities. Claims handling platforms, policy administration systems, third-party loss adjusters, reinsurance brokers, and specialist underwriting technology providers are frequently the dependencies without which the firm's Important Business Services cannot function. The exit planning exposure in the insurance sector is therefore acute.

Most mid-tier insurers have documented exit plans for their material outsourcing arrangements. The plans were produced, in most cases, during the implementation phase. They name an alternative provider, describe a transition sequence, and set out a timeline. They describe a managed, consensual exit.

What they do not address, and what PRA SS2/21 and FCA SYSC 15A require them to address, is the stressed exit scenario: the situation in which the supplier fails without warning, enters financial difficulty, or delivers materially degraded service with no cooperation during transition. The regulatory obligation is not to have a plan for an orderly exit. It is to be able to demonstrate, with tested evidence, that the firm can manage a disorderly one.

The specific vulnerabilities that a stressed exit test exposes in insurance firms are consistently similar. The alternative provider named in the plan frequently does not have the capacity to onboard a new client within the transition timeline assumed. The data portability provisions in the current contract do not align with what the exit plan requires. The personnel responsible for managing the transition are not the people who wrote the plan, and in many cases have not been briefed on it. The timeline for standing up an alternative claims handling arrangement assumes a level of operational readiness in the market that a simultaneous industry disruption would undermine.

None of these gaps are visible from the document. Every one of them surfaces when the plan is tested. The insurance sector's exposure on this gap is heightened by the concentration of specialist suppliers: there are fewer viable alternatives for specialist claims management platforms or delegated authority technology than there are for generic cloud infrastructure, and the transition complexity is correspondingly higher.

Gap 5: Board Reporting That Describes Activity Rather Than Demonstrates Position

The governance obligation under PRA SS1/21 Chapter 8 is precise: the board must have approved the firm's self-assessment and must be receiving regular reporting on the operational resilience programme that enables genuine oversight. The intent is that boards exercise active governance over the firm's resilience position, not receive progress updates on a programme that internal teams are managing independently.

The board reporting gap in mid-tier insurance firms is consistent across firm size and programme maturity. Boards receive quarterly updates that confirm the programme is on track, list completed activities, and note the status of outstanding items from the gap register. This is activity-based reporting.

What the PRA expects to see, and what a supervisor reviewing board packs will look for, is position-based reporting: the current impact tolerance status per Important Business Service, the outcome of the most recent scenario test and any tolerance breaches identified, the current supplier exit capability against the SS2/21 standard and whether any material gaps remain open, and the regulatory horizon implications for the coming quarter. The board pack that contains this information demonstrates genuine governance. The board pack that confirms the programme team has been busy does not.

The consequences of this gap operate on two levels. First, it means the board cannot exercise the genuine oversight that PRA SS1/21 requires, which is a compliance failure in itself. Second, it means the SMF24 who carries personal accountability for operational resilience under the Senior Managers and Certification Regime is making attestations about the firm's resilience position based on activity reporting rather than evidenced position reporting. That creates a personal liability exposure that the SMF24 may not be fully aware of.

The fix is structural, not incremental. It requires redesigning the board MI pack to report the firm's current regulatory position per domain, not the programme team's quarterly activities. FourthLine's quarterly board MI pack production is a core Annual Resilience Retainer deliverable specifically because this gap cannot be closed by giving the existing pack more detail. The format itself needs to change.

What to Do if You Recognise Two or More of These Gaps

These five gaps are not independent. They compound each other. Stale IBS mapping means scenario tests cannot be properly designed. Confirmatory scenario tests mean impact tolerances are never genuinely validated. Untested supplier exit plans mean the firm's recovery capability under the scenario conditions that matter most has never been established. Weak board reporting means the board is not in a position to exercise genuine oversight of a programme with all these open questions in it.

If two or more of these gaps describe your firm's current position, the priority is an independent, structured assessment of where the programme actually stands against the current supervisory standard, conducted by practitioners who apply the PRA's lens rather than the programme team's.

FourthLine's Diagnostic Assessment is a fixed-fee, 4 to 6 week engagement that produces an honest, evidenced account of the firm's current regulatory position across all five of the domains described above. It is the starting point for insurance firms that want to know where they genuinely stand before the PRA's review tells them.