A PRA supervisor reviewing a firm's board papers will reach a conclusion about the firm's operational resilience governance within the first ten minutes. Not because supervisors are lazy readers, but because the difference between adequate and inadequate board reporting is visible immediately in the structure of the document, the content of the sections, and the quality of what the board is being asked to consider.
The question supervisors are trained to ask is not whether the board received a resilience update. It is whether the board received reporting that would allow a reasonably competent non-executive director to understand the firm's current resilience position, to exercise genuine challenge, and to meet their personal oversight obligations under PRA SS1/21 Chapter 8.
For most mid-tier firms, the honest answer is that their current board reporting does not meet that standard. The gap is not a matter of effort or intent. It is a structural gap between what boards are receiving and what the regulatory framework requires them to have. This article sets out what the PRA expects, how most firms' current reporting falls short, and what a supervisory-grade board MI pack actually contains.
The Regulatory Obligation Is More Specific Than Most Boards Realise
PRA SS1/21 Chapter 8 establishes the self-assessment and governance requirements for operational resilience. The requirement is not simply that boards receive updates on the programme. It is that the board has approved the firm's written self-assessment, has received evidence of the firm's current resilience position, and is exercising genuine oversight of the programme on an ongoing basis.
Three elements of that obligation carry specific implications for board reporting.
First, board approval of the self-assessment is an active governance act, not an administrative sign-off. The PRA expects the self-assessment to reflect the firm's genuine current position, including material weaknesses and open findings. A self-assessment that presents the programme in its best light and receives board approval without documented challenge has not met the governance standard. The approval record should show that the board engaged with the content, asked questions, and made a considered decision to approve rather than simply receiving the document.
Second, board oversight must be ongoing, not periodic. The regulatory language is deliberately open-ended on frequency, but the PRA's supervisory expectation, confirmed through engagement across the insurance and banking sectors, is that boards should be receiving resilience MI at a frequency sufficient to maintain genuine awareness of the firm's current position. Quarterly reporting is the standard that most well-run programmes operate to. Annual updates that summarise the year's activity are not adequate for a standing supervisory obligation.
Third, and most important for the design of board MI, the reporting must enable the board to exercise oversight of the firm's resilience position, not its resilience programme. These are different things, and the distinction is the source of the most common governance gap in mid-tier firms.
The Difference Between Programme Reporting and Position Reporting
Programme reporting describes what the resilience team has been doing. Position reporting describes where the firm's resilience position stands.
A board paper that tells the board the scenario testing exercise was completed in Q2, the IBS mapping was reviewed in March, and the gap register now has seven items closed against four still open is programme reporting. It tells the board the team is working. It does not tell the board whether the firm is resilient.
A board paper that tells the board the firm's current impact tolerance status per Important Business Service, the outcome of the Q2 scenario testing exercise including whether any tolerance was breached and what the remediation action is, the current status of material supplier exit plans against the SS2/21 standard, and the regulatory developments in the coming quarter that require the board's awareness is position reporting. It tells the board something they could not have assumed without being told, and it gives them a basis for genuine governance challenge.
The PRA's supervisory approach to board papers is explicit on this distinction. When a supervisor reviews board minutes, they are looking for evidence that the board discussed specific aspects of the firm's resilience position, asked specific questions about areas where the evidence falls short, and received specific answers. Board minutes that record "the resilience update was noted" are not evidence of genuine oversight. Board minutes that record the questions directors asked about specific tolerance outcomes and the responses given are.
This distinction matters beyond the compliance dimension. A board that receives position-based reporting is in a position to make better decisions about resource allocation, about the appropriateness of the programme's scope, and about the firm's risk appetite. A board that receives activity reporting is not in a position to do any of those things, because it does not have the information required.
What a PRA-Standard Board Resilience MI Pack Contains
The following is the minimum content standard for a quarterly board resilience MI pack that meets the PRA's governance expectations under SS1/21 Chapter 8.
Current impact tolerance position per IBS. For each Important Business Service, the board should be told the current tolerance, whether the most recent scenario testing confirmed the firm can operate within it, and if not, what the remediation action is and by when it will be complete. This is the core governance position statement. It should be presented as a status table, not as narrative, so that the board can see the position across all IBS simultaneously and identify where challenge is warranted.
Scenario testing outcomes. The results of the most recent scenario testing exercise should be reported in a format that tells the board three things: what the scenario tested, whether the firm's IBS remained within tolerance under the scenario conditions, and what material findings arose. The board should not be receiving the full scenario test report as a board paper; it should be receiving a summarised findings report that gives directors the information they need to exercise challenge and that references the full report for those who wish to review it.
Supplier exit capability position. For material outsourcing arrangements, the board should receive a high-level summary of the firm's supplier exit capability: which arrangements have been tested, where feasibility gaps were identified, and what the remediation status is. The SS2/21 obligation requires boards to have oversight of supplier exit capability, not just of exit plan existence. This section of the MI pack creates the governance record of that oversight.
Vulnerability register status. The open findings from scenario testing, mapping reviews, and Diagnostic Assessments need to be visible to the board at a headline level, with the highest-risk items specifically called out. The board should be able to see whether the number of high-risk open items is growing or reducing, and why. A vulnerability register that is maintained internally but never surfaces to the board is not providing governance value and is not meeting the oversight obligation.
Regulatory horizon. The board should receive a concise summary of the regulatory developments in the coming quarter that are directly relevant to the firm's operational resilience position. This is not a general regulatory update; it is a specific translation of upcoming supervisory activity, thematic reviews, Dear CEO letters, and policy developments into the implications for this firm's programme. The SMF24 needs this information to exercise their personal accountability role. Non-executive directors need it to ask the right questions.
SMF24 position statement. The quarterly MI pack should close with a brief statement from the SMF24 confirming their current assessment of the firm's resilience position and their confidence in the programme's direction. This creates a contemporaneous record of the designated senior manager's oversight that is available for supervisory review. It is also the mechanism through which the SMF24 formally acknowledges the position they are being asked to attest to, which is the most important personal liability management step the individual can take.
[AMBER CTA BANNER PLACEHOLDER: "Download: The 2026 Operational Resilience Evidencing Gap — Full PDF Report. Insert amber CTA banner here linking to HubSpot form gated download."]
Why the Format of the Pack Matters as Much as the Content
A board MI pack can contain all the right information and still fail to support genuine governance if it is formatted in a way that buries the important content in narrative prose.
The most common formatting failure in mid-tier firm board reporting is the use of continuous prose to describe each domain. A board director reading four pages of text about scenario testing outcomes is less likely to identify the specific finding that warrants challenge than one reading a status table that shows tolerance status per IBS at a glance. The format should lead the director to the areas that require their attention, not require them to excavate the content to find it.
The second common formatting failure is the absence of a prior quarter comparison. Position-based reporting is most useful when it shows movement: whether the firm's resilience position has improved, deteriorated, or remained static since the last report, and why. A board that can see the Q2 position against the Q1 position is in a fundamentally better governance position than one seeing each quarter's data in isolation.
The third failure is the conflation of programme activities and programme outcomes. Many board packs contain sections headed "Scenario Testing Update" that describe when the exercise was held and how many people attended before briefly noting the outcome. The outcome is the only part the board needs. The logistics are not governance information.
The Connection to the Annual Resilience Retainer
The most common reason board reporting falls short of the PRA standard is not that the Head of Operational Resilience does not know what good looks like. It is that producing a quarterly MI pack to the required standard, on top of running the scenario testing programme, maintaining the IBS mapping, refreshing the self-assessment, and managing the daily regulatory obligations of the programme, is beyond the realistic capacity of most mid-tier firms' internal resilience resource.
The quarterly board MI pack is a core deliverable of FourthLine's Annual Resilience Retainer. It is produced by the same senior practitioners who design and facilitate the scenario testing, maintain the IBS mapping, and manage the programme's regulatory traceability. That integration matters: the MI pack reflects the programme's actual current position because the team producing it is the same team running it.
For firms whose board reporting is currently falling short of the PRA standard, the practical question is whether the gap can be closed with the internal resource available, or whether it requires a structural change to how the programme is supported. In most cases, the answer is the latter, and the Annual Resilience Retainer is the structural solution that makes it achievable at a cost that is proportionate to the firm's size.