The decision about who to engage for operational resilience work is, in most mid-tier firms, made by a CRO or COO who has probably engaged a large consultancy for something before. They know what the model looks like. They know the strengths. And if they have engaged one for resilience work specifically, they probably also know, with some precision, what the limitations look like.
This article is not a critique of large consultancies. It is an honest description of a structural mismatch between how large consultancy delivery models are built and what mid-tier regulated firms actually need from an operational resilience engagement. Understanding that mismatch is the starting point for making a procurement decision that is good for the programme, rather than one that looks defensible on paper.
How Large Consultancy Delivery Models Work
Large consultancies are built for large clients. That is not a criticism. It is a structural fact, and it shapes everything about how their delivery models function.
At a firm of several hundred or several thousand consultants, the commercial model requires that the most senior people spend the majority of their time winning work, not delivering it. The partner or director who presents the pitch, interprets the regulatory context during the sales process, and builds the trust relationship with the CRO is not the person who will be on-site designing the IBS mapping methodology, facilitating the scenario testing exercise, or producing the scenario testing evidence pack. That work is delivered by a team beneath them, typically consultants at manager or senior associate level, with the senior partner appearing for kick-off, quarterly steering committees, and the final presentation.
This model works extremely well for very large clients. A FTSE 100 bank with a six-person internal operational resilience team can quality-assure the output from a consultancy's delivery team, can push back when the methodology does not fit the firm's specific context, and has enough institutional knowledge to compensate for the gaps in a junior delivery team's regulatory specialism. The consultancy's brand, methodology, and scale are genuine assets in that context.
For a mid-tier firm with a two-person risk function and no dedicated operational resilience headcount, the same model produces a fundamentally different outcome. The internal team does not have the resource to quality-assure a junior delivery team's work. The regulatory specialism that justified the fee sits in the partner who appears four times a year. The people building the programme are learning on the job, using a methodology that was designed for enterprise clients and adapted, with varying degrees of success, for a firm a quarter of the size.
The output of this process is typically comprehensive documentation. Frameworks, policies, process maps, self-assessment templates, IBS registers. A substantial deliverable set that demonstrates significant work has been done. Whether that documentation would survive direct supervisory scrutiny, whether the scenario testing was designed to genuinely stress the firm's IBS architecture or to produce a presentable output, whether the evidence would hold up when a PRA supervisor asks to see the gap between the documented tolerance and the tested reality: these are different questions, and they are the questions that matter in 2026.
The Three Structural Mismatches
For mid-tier firms specifically, three structural features of large consultancy delivery models create predictable problems in operational resilience engagements.
The seniority gap. The most experienced practitioner in the room during delivery is usually not senior enough to make the critical judgement calls that a regulatory programme requires. These are not process decisions; they are decisions about what a PRA supervisor will specifically test, what the boundary between an adequate and an inadequate scenario design looks like, and how to translate a regulatory framework's intent into evidence that a real supervisor would find credible. Those judgements come from direct, repeated supervisory engagement experience. They are not possessed by a consultant two years out of university, regardless of how capable that consultant is. At a mid-tier firm, the absence of that senior judgement at the point of delivery is the primary determinant of output quality.
The methodology mismatch. Large consultancies develop methodologies for their largest, most complex clients, then scale them down for smaller engagements. The scaling-down is imperfect. A methodology built for an institution with 50 Important Business Services, a dedicated internal resilience function, and multi-jurisdictional regulatory obligations will not produce the same quality of output when compressed to fit a 300-person insurer with four IBS and a two-person risk team. The deliverables look similar. The underlying analytical rigour is calibrated to a different client. The evidence produced looks comprehensive because the template is comprehensive, not because the template is correctly fitted to the firm.
The cost-outcome relationship. Large consultancy fees for operational resilience work at mid-tier firms typically run at three to five times the cost of specialist independent delivery for equivalent scope. The fee premium does not reflect greater output quality for this client type; it reflects the cost structure of a large firm delivering the engagement. The overhead of partnership economics, global capability, and brand infrastructure does not translate into better scenario testing design, more credible impact tolerance validation, or higher-quality board reporting for a 400-person insurer. For that firm, the premium is a cost without a corresponding benefit
What Independent Specialist Delivery Looks Like
The comparison that matters for a CRO or COO evaluating options is not between large consultancy and independent specialist in the abstract. It is between specific delivery models and the outcomes they produce for a firm of their size and regulatory complexity.
An independent specialist firm built specifically for mid-tier regulated firms operates differently in three ways that are directly relevant to the quality of an operational resilience programme.
Senior delivery throughout. The practitioner who scopes the engagement is the practitioner who delivers it. There is no handoff between the person who understood the context during the sales process and a team who must reconstruct that understanding from a briefing document. The regulatory judgements are made by the most senior person in the engagement, because that is the same person doing the work. For a mid-tier firm whose internal team cannot quality-assure output from a junior delivery team, this is not a preference. It is the only model that reliably produces regulatory-grade evidence.
Purpose-built methodology. A methodology built specifically for mid-tier UK financial services firms, calibrated to the FCA and PRA regulatory standard rather than adapted from an enterprise framework, produces evidence that is correctly fitted to the firm's regulatory context. The scenario testing design reflects how a PRA supervisor would examine a firm of this size and complexity, not how a scenario testing methodology designed for a global bank would approach the same question. The IBS mapping depth is calibrated to the firm's actual dependency structure, not to a template that assumes a significantly more complex operating model.
Proportionate cost. At FourthLine, a Diagnostic Assessment is fixed-fee at £15,000 to £25,000. An Annual Resilience Retainer is £60,000 to £90,000 per annum. These are not discounted versions of a large consultancy engagement. They are the correct price for senior-led delivery by a specialist firm whose cost structure reflects its size. For a mid-tier firm, the comparison is not between the FourthLine fee and the large consultancy fee. It is between the FourthLine fee and the cost of a regulatory finding made during a PRA supervisory engagement because the programme produced by a large consultancy's junior delivery team did not meet the evidencing standard.
The Question Worth Asking Before You Decide
The procurement question that most mid-tier CROs and COOs do not ask explicitly, but should, is this: at the point where the work is actually being done, who will be doing it, and are they senior enough to make the regulatory judgements that determine whether the output is fit for purpose?
For a large consultancy engagement, the honest answer is usually that the work will be done by a team led by someone at manager or senior manager level, with partner oversight. For a specialist independent engagement with a firm of FourthLine's model, the honest answer is that the work will be done by the senior practitioner who scoped the engagement, supported by a named senior associate.
That distinction is not a procurement preference. It is a risk management decision. For a mid-tier firm where the SMF24 carries personal accountability for the programme's output, where the evidence produced will be examined by a PRA or FCA supervisor, and where the budget for advisory support is finite, the question of who is actually in the room is the most important commercial decision the firm will make about its resilience programme.
FourthLine has delivered operational resilience programmes for Arch Insurance, Foresters Financial, Hampden and Co, Chetwood Financial, Ruffer Investment Management, Interactive Investor, and Novia Financial. Each of those engagements was led and delivered by senior practitioners throughout. The evidence produced for each firm was designed to withstand supervisory scrutiny, not to satisfy internal governance. That is what the FourthLine model is built to produce, and it is why mid-tier firms choose it.