The PRA's supervisory statement on operational resilience for UK banks, insurers, and PRA-designated investment firms.
PRA-regulated firms.
Continuous evidence pipeline available; audit support included for all customers.
These are the obligations a regulated entity owes — the things an assessor or supervisor will ask about.
Identification of Important Business Services.
Setting impact tolerances and proving the firm can stay within them through severe but plausible scenarios.
Self-assessment submitted to the PRA annually.
Each requirement above is bound to live telemetry — not screenshots. The mapping below is what your auditor or regulator sees.
Important Business Service register with mapped ICT dependencies.
Scenario testing harness with operational-resilience-specific runbooks.
Each evidence artifact is signed and timestamped. Auditors can verify integrity without trusting Safeguard.
Important Business Service register.
Impact tolerance scenario test reports.
These frameworks share substantial control overlap with PRA SS1/21. Customers running one assessment typically satisfy the others with the same evidence base.
European Union
The EU Digital Operational Resilience Act — applies directly to financial entities and designates critical ICT third-party providers as supervised.
APAC
Singapore MAS Technology Risk Management Guidelines — the gold standard for APAC financial-sector cyber and operational risk.
APAC
APRA's prudential standard on information security for ADIs, insurers, and superannuation funds.
Bring the framework. We'll walk the controls with you — section by section, evidence packet by evidence packet, with the regulators you actually have to answer to.