Patrick Murphy explains why operational resilience is becoming a board-level priority for advice firms, and why disruption can no longer be treated as a problem for IT providers alone.
For many years, operational resilience was seen as something that applied to large financial institutions.
Banks worried about it.
Global platforms worried about it.
Major insurers worried about it.
Most smaller advice firms did not.
That is now changing.
The Financial Conduct Authority is steadily moving toward a position where every regulated firm — regardless of size — is expected to understand how disruption could affect clients, how quickly the business could recover, and who is accountable when things go wrong.
The Dependency Problem
This matters because modern advice firms are now deeply dependent upon interconnected systems and third-party providers. Platforms, cloud software, outsourced IT, back-office systems, compliance support, communication systems and remote working infrastructure all sit underneath the client proposition.
Most of the time, that dependency is invisible.
Until something fails.
And when it does, the impact is rarely just technical.
It becomes operational.
A cyber incident may prevent advisers accessing client information. A platform outage may delay transactions or withdrawals. An email compromise may interrupt communications or expose clients to fraud risk. The immediate issue may begin in technology, but the consequences quickly spread into client servicing, business continuity, regulatory exposure and reputation.
That is why operational resilience is becoming such an important issue.
It’s About Client Outcomes, Not Technology
At its core, operational resilience is not about technology.
It is about whether the business can continue delivering critical services under pressure.
The FCA is increasingly focused on outcomes rather than infrastructure. Regulators are less interested in whether a firm has installed the latest security software and more interested in understanding what happens to clients when disruption occurs.
Could vulnerable clients still access support?
Could the business continue communicating effectively?
Could critical client servicing continue during operational stress?
And importantly, had the firm already identified where harm could arise before the disruption happened?
This is where operational resilience connects directly into Consumer Duty.
Because foreseeable operational failure can create foreseeable client harm.
The Gap Between Assumption and Reality
For many firms, however, there remains a significant gap between perceived resilience and actual resilience.
Most advice businesses operate through a complex web of external dependencies, yet relatively few have properly mapped which services are genuinely critical to clients, which suppliers underpin those services, how long disruption could realistically be tolerated, or what the escalation process would look like during a serious incident.
Everything appears stable while systems are functioning normally.
But resilience is not tested during normality.
It is tested during disruption.
A Simple Test Most Firms Fail
One of the simplest questions a firm can ask itself is this:
If your core systems went offline tomorrow morning, what would actually happen in the first four hours?
Not theoretically.
Practically.
Most firms have never answered that question fully.
And when you push into the detail, the same pattern usually appears.
No one knows who contacts clients.
No one knows which services continue and which stop.
Advisers cannot access records.
Transactions cannot be processed.
Client calls go unanswered.
Meanwhile, the business stops generating revenue while the phones keep ringing.
That is not a technology failure.
That is a governance failure.
Many firms assume their IT provider has it covered.
But IT providers manage systems.
They do not manage the firm’s ability to continue operating, continue servicing clients, or continue functioning during disruption.
And when something breaks, it is not the IT provider who answers to the FCA, to clients, or to professional indemnity insurers.
It is the firm.
Specifically, it is the directors.
The FCA is placing increasing weight on whether boards have thought seriously about this before disruption occurs, not simply whether they respond once it does.
Operational resilience is a governance responsibility.
It sits at board level.
Why This Is Now a Commercial Issue
There is also a wider commercial dimension emerging.
Professional indemnity insurers, compliance consultants, acquirers and increasingly sophisticated clients are all beginning to look more closely at operational governance.
Why?
Because resilience now affects more than regulatory compliance.
It affects business value.
It affects trust.
It affects continuity.
And it affects whether a firm can continue operating effectively when pressure arrives.
Closing the Governance Gap
This is the specific gap independent cyber governance advisory is designed to address.
Most IFA firms have capable IT support.
Far fewer have independent visibility of their operational resilience position, where their vulnerabilities sit, how dependent they are on third parties, and how the business would actually function during disruption.
That visibility is increasingly what boards are expected to demonstrate.
It is also becoming more relevant to insurers, compliance oversight, and wider governance scrutiny.
GOIA Technologies works with FCA-regulated advice firms to help leadership teams understand operational resilience exposure, governance weaknesses, and cyber risk dependencies before they become operational or regulatory problems.
Final Thought
Operational resilience is no longer a future issue for advice firms.
For many firms, the governance gap already exists.
Systems are running.
Operations appear stable.
But the question the FCA is increasingly asking remains the same:
Can the firm demonstrate that leadership understands its operational vulnerabilities and has prepared for what happens when disruption occurs?
Many firms cannot answer that clearly.
And they are not protected by the fact that nothing has gone wrong yet.
When disruption arrives, the consequences move quickly.
Advisers cannot access records.
Transactions stop.
Client communications fail.
Revenue is interrupted.
And it is not the IT provider who explains the situation to the regulator or to affected clients.
It is the firm.
And ultimately, it is the directors.
If firms want an independent view of their operational resilience exposure and governance position, GOIA Technologies provides cyber governance and operational resilience reviews for FCA-regulated advice firms.
Patrick Murphy CFP is co-founder of GOIA Technologies, which provides independent cyber governance advisory to FCA-regulated advice firms. GOIA Technologies is not FCA-authorised and its services do not constitute regulated financial advice.














