There is a version of events in which the March 2025 operational resilience deadline marked the end of the hardest part. The framework was built, the self-assessment was board-approved, the implementation programme was closed. The work was done.

That version is, for most mid-tier firms, incorrect.

The March 2025 deadline closed the implementation phase. What it opened was the supervision phase: the period in which the PRA and FCA move from asking whether firms have built their frameworks to examining whether those frameworks hold up under scrutiny. That examination is now active, and the standard being applied is materially higher than the standard most mid-tier firms prepared for.

This article sets out what the supervisory environment looks like in practice, what the PRA and FCA are specifically examining across the next 12 months, and what mid-tier firms across insurance, banking, and investment management should be doing now to ensure their programmes are in a position to withstand what is coming.

The Shift from Implementation to Supervision

Regulatory implementation deadlines create a natural psychological endpoint. Compliance functions orient their programmes around them, boards receive reports confirming completion, and internal resource is redeployed to other priorities once the milestone is met. This is a predictable and understandable pattern.

The difficulty is that operational resilience does not work that way. PRA SS1/21 and FCA SYSC 15A do not describe a one-time build obligation. They describe a permanent programme requirement: annual scenario testing, ongoing IBS mapping maintenance, regularly refreshed impact tolerance validation, and continuous board-level governance and reporting. The March 2025 deadline confirmed that firms had completed the initial implementation phase. It did not discharge the ongoing obligations that begin the day after.

The PRA's supervisory focus in 2026 reflects this directly. Supervisors are not revisiting whether firms have frameworks in place. They are examining the quality of evidence behind those frameworks: whether impact tolerances have been genuinely tested or merely documented, whether IBS mapping is current or stale, whether scenario testing is designed to expose genuine vulnerabilities or to confirm a pre-agreed narrative. These are not the same questions that the implementation phase required firms to answer, and the evidence required to satisfy them is substantially more demanding.

The FCA's approach follows a similar trajectory, with thematic review activity in the insurance and investment management sectors focusing specifically on evidence depth. The question being asked in thematic reviews is not "what does your policy say?" It is "show us the evidence that your resilience position holds."

What Supervisors Are Examining: The Four Core Areas

Across both the PRA and FCA supervisory cycles, four areas are under consistent examination for mid-tier firms in the current 12-month window.

Impact tolerance validation. Setting impact tolerances was a March 2025 requirement. Demonstrating that those tolerances have been validated under realistic stress is the 2026 obligation. Under PRA SS1/21 Chapter 5, the tolerance must be supported by scenario testing evidence that shows the firm can recover within it. A tolerance statement that has been carried forward from 2022 or 2023 without a structured validation exercise is not evidence of resilience. It is a documented starting point, and supervisors are now asking for proof that it has been tested.

IBS mapping currency. The PRA and FCA both expect IBS mapping to be maintained as a live document, not treated as a completed deliverable. The specific examination point is whether mapping reflects the firm's current operating model: current technology dependencies, current third-party relationships, current people and facility structures. Firms that completed mapping in 2022 and have not conducted structured maintenance reviews since are carrying a gap between their documented resilience position and their actual one. That gap is typically larger than internal teams recognise, precisely because the team that built the mapping is often the same team assessing its currency.

Scenario testing evidence standards. Annual scenario testing is an explicit obligation under PRA SS1/21 Chapter 7. The PRA's supervisory approach is examining both whether testing has been conducted and whether it meets the evidencing standard. The required elements are the scenario rationale, the methodology, the execution record, the full findings, the impact tolerance outcome per IBS, the lessons learned, and the remediation actions with named owners and dates. Testing records that describe the exercise without producing this evidence trail do not meet the standard, regardless of how substantive the underlying exercise was. This is the most common gap identified in FourthLine's diagnostic work across insurance, banking, and investment management.

Board governance and the self-assessment. PRA SS1/21 Chapter 8 and FCA SYSC 15A both require the self-assessment to be board-approved and for boards to be receiving regular, substantive resilience reporting. Supervisors are examining both the document and the governance process behind it. A self-assessment that reflects genuine board engagement, documented challenge, and honest treatment of material findings looks entirely different to one that has been produced by the programme team and noted by the board without scrutiny. The distinction is apparent to an experienced supervisor within minutes, and it carries direct implications for the SMF24's personal accountability position.

The Sector-Specific Picture

The supervisory environment is common to all PRA and FCA regulated firms. The way it manifests differs by sector, and understanding those differences matters for prioritising preparatory work.

For insurers, the primary exposure is the combination of PRA SS1/21 and the ICT resilience obligations under PRA SS2/21. Many mid-tier insurers addressed the operational resilience requirements of SS1/21 without fully mapping those obligations against the parallel technology resilience requirements of SS2/21. Firms with material technology dependencies supporting their Important Business Services, which includes virtually all mid-tier insurers given the reliance on policy administration platforms, claims handling systems, and reinsurance settlement processes, are not in a complete regulatory position if they have addressed one without the other.

For banks and challenger banks, the primary exposure is the intersection of PRA SS1/21 and DORA. For any firm with EU-regulated entities or material EU-facing operations, DORA creates ICT risk management and third-party oversight obligations that extend beyond the FCA and PRA frameworks in specific areas. Firms that have conducted a DORA assessment at the group level without mapping obligations to individual entity structures are carrying residual exposure that the group-level view does not capture.

For investment managers and wealth firms, the FCA's thematic review activity is the immediate catalyst. The FCA has been conducting targeted reviews of operational resilience evidence quality across investment management in 2025 and 2026. The findings from those reviews are consistent with the pattern seen across other sectors: documentation is largely complete; evidence is frequently insufficient; the gap between what firms believe their supervisory position to be and what a reviewer actually finds is material.

The Ongoing Obligation Most Firms Are Under-Resourcing

The supervision phase does not arrive once and depart. It is the permanent operating environment for regulated firms. The PRA and FCA do not expect operational resilience to be managed reactively, assembling evidence when a review is imminent and allowing it to drift between engagements.

The specific obligations that create ongoing resource requirements are: annual scenario testing designed and facilitated to a supervisory standard; quarterly IBS mapping maintenance to reflect operating model changes; annual self-assessment refresh to PRA SS1/21 Chapter 8; quarterly board-level resilience reporting that reports the firm's position rather than its activity; and regulatory horizon monitoring that translates new supervisory guidance and Dear CEO letters into programme implications before they arrive as questions in a review.

Most mid-tier firms are managing these obligations with internal resource that was sized for the implementation phase, not the ongoing supervisory phase. The result is a slow but consistent drift between the evidence quality the firm believes it holds and the evidence quality a supervisor would find. That drift is invisible until a supervisory engagement makes it visible, at which point the remediation cost and timeline are substantially higher than they would have been with a structured ongoing programme.

What to Do in the Next 90 Days

For firms that completed the implementation phase and have not since conducted a structured, independent review of their evidence position, the priority in the next 90 days is straightforward: establish the current-state position honestly, before the regulator establishes it for you.

The most effective first step is an independent diagnostic assessment conducted by practitioners with direct experience of PRA and FCA supervisory interaction. An independent view applies the supervisory lens to the firm's evidence, identifies the gap between current holdings and the standard being applied in 2026, and produces a prioritised remediation roadmap that sequences the highest-risk gaps first.

The second priority is governance. If the board is receiving activity-based MI rather than position-based reporting, that needs to change before the next supervisory engagement. The board's ability to exercise genuine oversight under SS1/21 Chapter 8 depends on receiving reporting that shows where the firm's resilience position actually is, not what the programme team has been doing.

The third priority is the annual testing cycle. If the current year's scenario testing has not yet been scoped, designed, and calendared, it should be. Annual testing is a standing obligation. Firms that enter the second half of the calendar year without a confirmed testing programme in place are already behind the evidencing cycle that supervisors expect to see.

FourthLine works with mid-tier firms across insurance, banking, and investment management to establish and maintain the ongoing programme that the supervision phase requires. Our Diagnostic Assessment is the starting point for firms that want an honest, independent account of where their programme stands. Our Annual Resilience Retainer is the structural solution for firms that want to ensure their evidence position is maintained to the supervisory standard throughout the year, not only in the months before a review.