DFSA’s Consultation Paper No. 170 (CP170) marks a clear evolution in how operational resilience will be defined and supervised in the DIFC. While still in consultation, the direction is clear.
This is not a refresh of business continuity planning, nor a narrow enhancement of existing controls.
Instead, the proposals introduce a service-focused, outcome-driven framework that places accountability firmly at the board level. The central question is no longer whether a firm can recover systems within set timeframes, but whether it can continue to deliver its most important services within defined thresholds of harm when disruption occurs.
This approach aligns the DFSA with international standards and comparable regimes already adopted by regulators such as the UK’s Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA), as well as the Hong Kong Monetary Authority (HKMA), Monetary Authority of Singapore (MAS), Australian Prudential Regulation Authority (APRA), Office of the Superintendent of Financial Institutions (OSFI) in Canada, and the Qatar Financial Centre Regulatory Authority (QFCRA). For firms operating across jurisdictions, this consistency is familiar. For others, it represents a meaningful step change in expectations.
Firms Will Need to Rethink How Resilience Is Defined and Governed
Several themes within CP170 stand out and require careful consideration.
- First, while all DFSA-regulated firms are in scope, not all will ultimately identify Critical Business Services whose disruption could cause significant harm to clients, the financial system, or confidence in the DIFC. That said, where such services do exist, firms will be expected to define Impact Tolerances that reflect the maximum tolerable level of disruption. These tolerances must be clearly articulated, evidenced, and approved at board level.
- Second, the concept of resilience extends beyond technology. Resource and dependency mapping will need to capture people, processes, third parties and infrastructure. In particular, concentration risk across outsourcing arrangements and key service providers is likely to face increased scrutiny.
- Third, scenario testing is expected to move beyond theoretical exercises. Firms will need to demonstrate that their testing frameworks support real decision-making under stress, including trade-offs between competing priorities and the potential for prolonged disruption.
- Finally, the emphasis on near-misses introduces a more dynamic supervisory lens. Firms may be expected to notify the DFSA not only when tolerances are breached, but when they are at risk of being breached. This reinforces the need for timely monitoring, escalation, and governance.
Why This Matters During Consultation
With a proposed 24-month implementation period, it may be tempting to view CP170 as a future-state consideration. In practice, experience from other jurisdictions suggests that firms that delay mobilisation often face challenges embedding a service-based approach into their operating model.
Operational resilience requires a different way of thinking. It cuts across organisational silos and requires alignment between compliance, risk, operations, technology, and the board. Identifying Critical Business Services, defining meaningful tolerances, and mapping dependencies are not purely technical exercises. They involve judgement, iteration, and, in many cases, cultural change.
Starting early allows firms to engage with the consultation from a position of insight. It also provides time to test assumptions, refine governance structures, and ensure that resilience considerations are embedded into strategic decisions, including outsourcing, change programmes, and growth initiatives.
Perhaps most importantly, firms should begin to consider not just what frameworks they have in place, but what they can credibly demonstrate. Supervisory focus is increasingly shifting toward evidence of effectiveness rather than documentation alone.
Practical Steps Firms Can Take Now
While the final rules are yet to be confirmed, firms can take several steps today to prepare:
- Assess your current state: Many firms already have elements of resilience within business continuity, risk management, and outsourcing frameworks. A structured gap assessment against proposed requirements can highlight where enhancements are needed and where existing capabilities can be leveraged.
- Identify your most important services: Focus on the impact to clients, markets, and the firm rather than internal structures. Engaging senior stakeholders early, including the board, is critical to ensure alignment on what truly matters.
- Define impact tolerances: Impact Tolerances should be realistic, measurable, and defensible. This often requires a combination of quantitative data and qualitative judgment, supported by a clear rationale.
- Map dependencies: Understand the full ecosystem supporting each critical service, including third parties and intra-group arrangements. This is also an opportunity to reassess concentration risk and strengthen contingency planning.
- Strengthen scenario testing: Evaluate whether current exercises truly test decision-making under stress or remain largely procedural. Increasing realism and incorporating cross-functional participation will be key.
Boards Will Play a More Active Role in Resilience Oversight
One of the most significant aspects of CP170 is the emphasis on board accountability. Boards will be expected to approve Critical Business Services, set Impact Tolerances, and oversee the firm’s resilience strategy.
This elevates operational resilience from a day-to-day concern to a strategic priority. It also requires clear communication between management and the board, supported by meaningful metrics and reporting.
For many firms, this will involve refining governance structures and ensuring that resilience is integrated into existing committees and decision-making processes. It may also require targeted education to ensure that board members are comfortable with the concepts and their responsibilities.
A Structured Approach Can Support Effective Implementation
As firms begin to navigate these requirements, there is clear value in taking a structured and independent approach. External perspectives can help challenge assumptions, benchmark practices against other jurisdictions, and provide practical insight into what effective implementation looks like.
This is particularly relevant where firms are balancing multiple regulatory priorities, or where internal resources are stretched. A well-designed programme ensures that efforts are focused, proportionate, and aligned with supervisory expectations.
Preparing Now Will Support a Smoother Transition
CP170 sets a clear direction for operational resilience in the DIFC. While the final rules are yet to be confirmed, the underlying principles are well established and consistent with global regulatory trends.
Firms that take early, considered steps will be better positioned to embed these requirements effectively and demonstrate resilience in practice. Those that delay may find the transition more challenging as expectations crystallise.
Given the cross-functional nature of operational resilience, many firms are also considering how to bring together the right expertise, challenge assumptions, and ensure their approach is both practical and aligned with supervisory expectations.
How Firms Can Be Supported Through This Transition
Firms do not need to approach this in isolation. ACA Effecta works with DFSA-regulated firms to design, implement, and embed operational resilience frameworks that are aligned with regulatory expectations and practical in implementation.
Our support spans several key areas:
- Operational resilience frameworks and gap analysis: We assess current capabilities against CP170 expectations, identify gaps, and develop clear, prioritised implementation roadmaps.
- Regulatory engagement support: We support firms in interpreting CP170, preparing for regulatory interaction, and developing clear, defensible approaches to service identification, Impact Tolerances and governance.
- Outsourced Compliance Officer and Money Laundering Reporting Officer (MLRO) roles: Our experienced professionals provide ongoing support to firms navigating evolving regulatory requirements, offering hands-on expertise across implementation, governance, and regulatory engagement where internal capacity is limited.
- Third-party risk and outsourcing reviews: We help firms map and assess their dependency landscape, identify concentration risks, and strengthen oversight frameworks for critical third-party providers.
Contact us today to leverage deep experience across global operational resilience regimes, bringing practical insight into what effective implementation looks like and helping your firm move beyond theory to demonstrable resilience.