When the FCA talks about governance, it is not just a tick-box exercise. It is about demonstrating resilience, taking accountability and showing that you have mechanisms in place to respond when things go wrong. If the CrowdStrike outage in July 2024 taught us anything, it is that firms cannot afford to treat governance as a compliance afterthought. The FCA published feedback[1] after that incident which emphasised that operational resilience is not optional; it is a regulatory expectation.
Governance Lessons from the CrowdStrike Outage
The CrowdStrike outage was not a financial scandal – it was a technology failure. Its ripple effects across the financial services sector exposed a core vulnerability, namely dependence on third-party providers. The FCA’s post-incident analysis found that firms that had mapped their important business services and tested severe but plausible scenarios were able to recover more quickly than those that had not.
Why is Governance an Important Part of Risk Management?
The FCA has repeatedly stressed that governance is the backbone of good conduct and risk management. Boards and senior managers are expected to lead by example, integrate compliance into business processes and implement and maintain strong oversight of risks and controls. This is not a new concept from the FCA, but its recent communications, set out in its five-year strategy[2] and in enforcement cases, show a sharper focus on culture and accountability.
Under the Senior Managers and Certification Regime (“SMCR”), individuals can be held personally accountable for governance failures. The FCA has made it clear that poor governance is often the root cause of harm to consumers and markets. Emily Shepperd, the FCA’s COO, made this point in her February 2025 speech[3], stating: “time and time again, when we investigate misconduct, the same root cause emerges – failings in culture and governance”.
FCA Operational Resilience Rules: What Firms Must Do
Under the FCA’s Operational Resilience rules[4], since 31 March 2025 firms in scope have been required to demonstrate that they can remain within their impact tolerances for important business services during disruption. That means governance structures must support:
- clear accountability for resilience planning;
- regular scenario testing; and
- effective third-party management.
How We Can Help You Meet FCA Expectations
If you have any concerns about meeting the FCA’s expectations or need practical support, our regulatory team can assist. For example, we advise on governance frameworks and SMCR accountability, review outsourcing and third-party contracts for compliance, and confirm that scenario testing meets FCA requirements.
If you would like to speak to someone in our regulatory team, please contact us.
[1] https://www.fca.org.uk/firms/operational-resilience/crowdstrike-outage-lessons-operational-resilience
[2] https://www.fca.org.uk/about/how-we-work
[3] https://www.fca.org.uk/news/speeches/culture-contagious
[4] https://www.fca.org.uk/publications/policy-statements/ps21-3-building-operational-resilience