Operational resilience is the ability of a firm to keep delivering its most important services — and to recover quickly — when something goes wrong: an IT outage, a cyber-attack, a supplier failure, a lost building. It is a deliberate step beyond traditional business continuity. Continuity asks "how do we recover?"; resilience asks "what level of disruption can our clients and the market actually tolerate, and can we stay within it?". For Isle of Man firms, this is the direction of regulatory travel — and the firms that prepare now will not be scrambling later.

A formal regime next door

In the UK, operational resilience is no longer guidance — it is rules. The FCA's policy statement PS21/3 and the corresponding handbook provisions (SYSC 15A) require firms to identify their important business services, set impact tolerances, map and test, and operate within those tolerances. The rules came into force on 31 March 2022, with firms expected to be able to remain within their impact tolerances by 31 March 2025. The PRA set parallel expectations for banks and insurers.

The European Union has gone further still. The Digital Operational Resilience Act (DORA) — Regulation (EU) 2022/2554, which applies from January 2025 — creates a single, binding framework for ICT risk, incident reporting, resilience testing and the oversight of critical third-party technology providers across the financial sector. Any Isle of Man firm with EU clients, group entities or counterparties is already feeling its pull.

Where the Isle of Man stands

The Isle of Man FSA has not (yet) introduced a standalone operational-resilience rulebook of the FCA's kind. It frames these risks as operational risk — its operational-risk guidance defines that as loss from failed internal processes, people and systems, or external events — supported by the Financial Services Rule Book 2016, which already requires a risk-management framework (rule 8.6), business continuity arrangements (rule 8.15), and the Authority's consent for material outsourcing (rule 8.16).

But the direction is unmistakable. The FSA's Supervisory Priorities 2025–2027 name "Financial & Operational Resilience" as one of its three priority areas, alongside governance and supervisory data, and flag outsourcing and third-party dependency as areas of supervisory focus. In other words: the language of "operational resilience" is arriving on the Island, and the expectations behind it are already supervisable through the existing framework. Waiting for a dedicated rulebook before acting is the wrong bet.

What Isle of Man firms should do now

The good news is that the UK and EU regimes agree on the building blocks, and they translate directly to a proportionate Isle of Man approach:

• Identify your important business services. Not your departments — the services that, if disrupted, would cause real harm to clients or the market (for many firms: client onboarding, payments, access to assets, reporting).
• Set impact tolerances. For each important service, the maximum level of disruption you could tolerate before that harm becomes unacceptable — expressed in concrete terms (time, volume), not vague aspiration.
• Map the dependencies. The people, processes, technology, facilities and third parties each important service relies on — so you can see where it would actually break.
• Test against severe but plausible scenarios. Not best-case drills — realistic disruptions (a key supplier fails, ransomware, a prolonged outage) that show whether you can stay within tolerance.
• Govern and report it. The board owns operational resilience, sees the testing results, and acts on the gaps. This is where it connects to IT governance and to technology risk — resilience is the outcome those disciplines exist to deliver.

Third parties are the sharp edge

The single biggest theme across PS21/3, DORA and the FSA's own priorities is the same: your resilience is only as strong as the suppliers you depend on. Outsourcing a critical system does not outsource the risk — the Rule Book makes that explicit, and DORA builds an entire oversight regime around critical ICT third parties. Mapping your material suppliers, understanding their own resilience, and having a plan for their failure is no longer optional good practice; it is where supervisors will look first.

We help Isle of Man firms build proportionate operational resilience — identifying important business services, setting defensible impact tolerances, mapping dependencies and third parties, and giving the board the assurance it needs ahead of the regulatory curve.

Frequently asked questions

Is operational resilience a legal requirement on the Isle of Man?

There is no standalone Isle of Man operational-resilience rulebook yet. The FSA addresses these risks through operational risk and the Financial Services Rule Book 2016 (risk management, business continuity and outsourcing), and its 2025–2027 supervisory priorities explicitly name financial and operational resilience — so the expectations are already supervisable, and the formal direction of travel is clear.

How is operational resilience different from business continuity?

Business continuity focuses on recovering after an incident. Operational resilience is broader: it starts from the client's and market's tolerance for disruption, requires you to identify your important business services and set impact tolerances, and tests whether you can stay within them through severe but plausible scenarios. Continuity is one input to resilience, not the whole of it.

Does DORA apply to Isle of Man firms?

DORA is an EU regulation, so it does not apply to the Island directly. But Isle of Man firms with EU clients, group companies or service relationships are affected in practice, and DORA's approach — especially its oversight of critical third-party technology providers — signals where international expectations are heading.