FOUNDED 2025 · INDEPENDENT UK PRACTICE
InfoSecAI
The Brief DISPATCH 005
OPERATIONAL RESILIENCE 10 JUN 2026 6 MIN READ

Important Business Services. The Naming Problem.

Naming an Important Business Service feels like an administrative task. It is not. The IBS list is the spine of operational resilience reporting, and most firms have a list that breaks the first time a senior operations leader reads it. The naming problem is not academic.

Why naming is the spine of the framework.

The UK operational resilience framework, set out in the FCA's PS21/3 and the PRA's SS1/21, asks firms to do one thing well. Identify the services whose disruption would cause intolerable harm to clients or the market, set tolerances for that disruption, and remain inside those tolerances. Everything else, the mapping, the testing, the third-party register, the self-assessment, flows from the naming.

Name the wrong services and the entire programme is mapped to the wrong dependencies, tested against the wrong scenarios, and reported against the wrong tolerances. The supervisor does not need to find a control gap to find the firm non-compliant. The supervisor only needs to find that the IBS list does not survive contact with the COO.

Three failure modes in current IBS lists.

Three patterns recur across UK firms, regardless of size or sector.

The product list. The firm has listed its products as IBSs. Current account. Mortgage. Cards. Insurance. This is not what the framework asks for. A product is a commercial offering. A service, in this framework, is the operational capability that delivers the product to the client at the moment of need. "Make a payment" is a service. "Current account" is a product. The supervisor will spot the conflation in the first paragraph of the self-assessment.

The internal capability list. The firm has listed its internal operations as IBSs. "Customer onboarding". "Trade settlement". "Reconciliation". These are internal capabilities. They are not what the client experiences. The IBS list should be visible from the outside, not from the inside.

The everything list. The firm has listed thirty IBSs. Thirty is a tell. The framework expects firms to identify the services whose disruption would cause intolerable harm. By definition, that is a small number. Most firms have between four and twelve. Thirty IBSs is a firm that has not made a decision about what intolerable means.

Thirty IBSs is a firm that has not yet decided what intolerable means.

What the FCA, PRA and Bank of England are actually testing.

Supervisors are not testing whether the firm has an IBS list. They are testing whether the firm has made a defensible business decision about what disruption it would not be acceptable to inflict on its clients or the market.

The supervisor expects to see, behind the list, three pieces of evidence. First, a documented method for arriving at the list. Second, a board-level sign-off, with minutes that record the discussion, not the conclusion. Third, a willingness to defend the list in supervisory dialogue, including the services that were considered and excluded.

If the list is presented with no method, no minuted discussion and no exclusion rationale, the supervisor will infer that the list was assembled by the resilience team in isolation and approved without challenge. That inference is rarely wrong.

A naming approach that survives operational review.

The naming approach that works is short. It is best done in three workshops over four weeks.

Workshop one identifies the firm's clients. Not the customer base. The discrete client populations whose harm the firm has to consider: retail clients, wholesale clients, the market itself, and where relevant the firm's group. Each population has different harm thresholds. A two-hour service interruption is intolerable for retail payment clients and unnoticed by wholesale derivative counterparties.

Workshop two identifies what each client population requires from the firm at the moment of need. Not the products the firm sells them. The capabilities they call on. "Receive a payment". "Access cash". "Place a trade". "Receive a claim payment". The output is a short list of client-visible services, one per client population, written in plain language.

Workshop three sets tolerances. For each service, the maximum duration of disruption beyond which harm becomes intolerable. The number is decided by the COO, with the General Counsel present, against client-impact evidence the resilience team prepares in advance. The output is dated, signed and presented to the board.

The output is a list of four to twelve IBSs, each with a named client population, a plain-language service, a stated tolerance and a documented rationale. Every subsequent piece of resilience work flows from that list. The supervisory dialogue, when it comes, is straightforward.

If the existing list does not look like this, the right move is to retire it and run the three workshops. Iterating from a broken list is harder than starting again. The supervisor will not penalise a firm for replacing a list that did not survive operational review. The supervisor will penalise a firm for defending one.

Paul Jolliffe, Founder of InfoSecAI
WRITTEN BY

Paul Jolliffe

FOUNDER · INFOSECAI · MBA · CISSP · ISO 27001:2022 LA / LI / IA · PRINCE2 Practitioner

Twenty years of senior security leadership across financial services, healthcare, government, telecoms and technology. Independent UK practice founded 2025.

Book a 30-minute working consultation About the practice
02Keep reading
DISPATCH 004 · 3 JUN 2026

AI Governance for Boards. Five Questions Every Director Should Ask.

 DISPATCH 006 · 17 JUN 2026

What the FCA Asks in the First Thirty Minutes.
03The Brief · subscribe

One email, when there is something worth saying.

Each dispatch sent on the day it is published. No tracking pixels, no marketing automation. Unsubscribe in a single click.