Skip to main content

Principle 12: Operational Resilience

Managing agents should maintain robust and resilient operations, embedding cyber resilience and effective third-party risk management.

To support this, managing agents should:

Prioritise resilience of the most important services; embedding appropriate governance for operational resilience into their businesses and prioritising recovery of important business services within identified and tested impact tolerances

Invest in their operational resilience, including their control environments, so that the risk of a future event causing harm to customers or threatening the business’ viability is mitigated

Embed cyber resilience into operations; protecting their information systems, processes, people and data from external or internal compromise to prevent harm to customers, loss of data, contagion and/or reputational damage to the wider Lloyd’s market

Below are some of the frequently asked questions about this Principle, including the questions that were asked in the Technical Briefing session(s).

If you have any further questions, please reach out to

These are still under discussion; we are keen to make sure we strike the right balance and not place unnecessary burdens on managing agents.

Discussions around operational resilience will take place with the Operational Resilience team who will discuss elements of third party Coverholders and DCAs. Some other aspects regarding third-party Coverholders and DCA’s could be picked up elsewhere.

By the end of April we would like both your PRA / FCA self-assessment as well as the Lloyd’s Principles self-assessment. The PRA / FCA self-assessment will help us determine the level of compliance across the market and we aim to feedback with examples of good practice from the self-assessments we see.