Operational resilience is one of the few regulatory expectations that explicitly puts the board on the hook. The PRA and FCA both expect boards — not management, not the risk function — to set impact tolerances, approve scenarios, and own the firm's ability to remain within tolerance through severe but plausible disruption. This is a short, practical brief for insurance NEDs and board risk committees on what good looks like.

The four obligations boards need to understand

1. Identify important business services

An important business service (IBS) is a service the firm provides to external customers, the disruption of which would cause intolerable harm to customers or risk to market integrity. For an insurer, IBS examples typically include: ability to bind cover, ability to pay valid claims, ability to take payment, ability to handle complaints, and ability to provide servicing.

Boards should challenge the list. A list of 30 IBSs almost certainly confuses customer services with business processes; a list of three almost certainly underestimates customer dependency. Five to ten is the realistic range.

2. Set impact tolerances

For each IBS, the board sets the maximum tolerable level of disruption — measured in time, but also in customer outcomes (e.g. "no claim payment delayed beyond 24 hours" or "binding cover unavailable for no more than 4 hours during the working day"). The tolerance is the regulator's bright line: stay within it under severe but plausible scenarios, or explain why not.

3. Map the end-to-end

For each IBS, map every person, process, technology, facility, information asset and third party required to deliver it. Boards don't need to read the maps; they need to be satisfied the maps exist, are current, and identify single points of failure.

4. Scenario test

Test the ability to remain within tolerance under severe but plausible scenarios — cyber outage, third-party failure, key person loss, premises loss, data corruption. Each test should produce a decision: stay within tolerance (good), breach tolerance with a fix in flight (acceptable, with a date), or breach tolerance with no credible fix (escalate, invest, or revise tolerance with regulator engagement).

Third-party concentration: the question boards keep missing

Most insurers now depend on a small number of large cloud, payments, and software providers. The question "what happens if AWS, Azure, or a single core PAS vendor has a multi-day outage" should be on every risk committee's agenda at least annually. Concentration risk also lives inside supplier sub-contracting — your vendor's vendor — which is rarely visible without a directed exercise.

What good board reporting looks like

A workable quarterly operational resilience pack to the board contains:

  • The IBS list with each service's current resilience status.
  • Impact tolerance status — within / approaching / breached for each IBS.
  • Material disruption events in the quarter, with root cause and learning.
  • Scenario tests completed and outcomes.
  • Material third-party changes, concentration shifts, or sub-contracting updates.
  • Remediation programme RAG and any tolerance breaches forecast.

The five questions a NED should ask

  1. Show me the IBS list. Who signed it off, and when did the customer impact assumptions last get challenged?
  2. For the IBS I am most worried about, what is the impact tolerance and when did we last evidence we could stay within it under a severe-but-plausible scenario?
  3. What is our single biggest third-party concentration, and what is the credible exit plan?
  4. What disruption events did we have this quarter, and what did we actually change as a result?
  5. Where are we relying on a single person, system or supplier with no documented contingency?

Common failure modes

  • Treating resilience as an IT or business-continuity refresh — it isn't, and the regulator will say so.
  • Setting tolerances that are essentially "as long as it takes" — they are not tolerances.
  • Mapping IBSs to systems but never to people and third parties.
  • Scenario tests that are tabletop exercises with no decisions or actions captured.
  • Board reporting that is green every quarter — usually because nothing is being tested.

JanthanaK works with insurance boards and risk committees on operational resilience, scenario design and remediation programmes through the Insurance Transformation practice. Book a 30-minute board briefing if you'd like a no-obligation review of where your firm is against PRA/FCA expectations.