← Frameworks / Operational Risk

FCA SYSC 13 — Operational Risk: Systems and Controls

Financial Conduct Authority rules for operational risk management applicable to all FCA-regulated firms. Covers operational risk identification and assessment, systems and controls, business continuity planning, outsourcing, technology and cyber risk, change management, information security, access control, data integrity, incident management, insurance, record keeping, and board governance responsibilities. Part of the FCA Senior Management Arrangements, Systems and Controls (SYSC) sourcebook.

Clauses: 28

Avg Coverage: 65.1%

Publisher: Financial Conduct Authority (FCA) Version: SYSC 13 (current)

FCA SYSC 13 → SP 800-53 SP 800-53 → FCA SYSC 13 Coverage Analysis

Clause	Title	SP 800-53 Controls
SYSC 13.1-2	Application, purpose and operational risk management framework	PM-01 PM-02 PM-09 PM-11 PM-29 PL-01 PL-02 PL-09 RA-01 RA-03
SYSC 13.3	Related Handbook requirements and regulatory cross-references	PM-01 PM-09 PL-01
SYSC 13.4	Requirements to notify the appropriate regulator	IR-06 PM-07 SI-05
SYSC 13.5.1	Risk management terms — risk culture	AT-01 AT-02 AT-03 AT-06 PL-04 PM-13 PM-14
SYSC 13.5.2	Risk management terms — operational risk profile and exposure	RA-02 RA-03 RA-07 RA-09 PM-08 PM-09 PM-11 PM-28
SYSC 13.5.3	Risk management terms — risk identification, assessment, monitoring and reporting	RA-01 RA-03 RA-04 RA-05 RA-07 CA-02 CA-05 CA-07 PM-06 PM-14 PM-31
SYSC 13.6.1	People — employee capability and awareness	AT-01 AT-02 AT-03 AT-04 AT-06 PS-01 PS-02 PS-06 PS-09 PM-13
SYSC 13.6.2	People — segregation of duties	AC-05 AC-06 CM-05 PS-02
SYSC 13.6.3	People — supervision and management oversight	PM-02 PM-29 PS-01 PS-07 PS-09 AC-13
SYSC 13.6.4	People — recruitment, screening and succession	PS-01 PS-02 PS-03 PS-04 PS-05 PS-07 PS-08
SYSC 13.6.5	People — policy statements and procedures manuals	PL-01 PL-02 PL-04 SA-05 CM-06 AC-01
SYSC 13.7.1	Processes and systems — process and system controls	CM-01 CM-02 CM-03 CM-06 CM-07 CM-08 SA-01 SA-03 SA-08 SA-10 SA-11 SI-01 SI-02 SI-06 SI-07 SI-10 SI-11
SYSC 13.7.2	Processes and systems — IT infrastructure and reliability	CM-02 CM-08 MA-01 MA-02 MA-03 MA-06 MA-07 SC-05 SC-06 SI-02 SI-13
SYSC 13.7.3	Processes and systems — information security and access controls	AC-01 AC-02 AC-03 AC-05 AC-06 AC-07 AC-17 AC-19 AC-20 IA-01 IA-02 IA-04 IA-05 IA-08 SC-07 SC-08 SC-12 SC-13 SC-28
SYSC 13.7.4	Processes and systems — change management	CM-03 CM-04 CM-05 CM-09 CM-14 SA-10 SA-11 SI-02 SI-07
SYSC 13.7.5	Processes and systems — monitoring and reconciliation	AU-02 AU-03 AU-06 AU-07 AU-12 CA-07 SI-04 SI-06 PM-06 PM-14
SYSC 13.8.1	External events — business continuity management	CP-01 CP-02 CP-03 CP-04 CP-05 CP-06 CP-07 CP-08 CP-09 CP-10 CP-12 CP-13
SYSC 13.8.2	External events — disaster recovery, resilience and dual processing	CP-02 CP-04 CP-06 CP-07 CP-08 CP-09 CP-10 CP-11 SC-05 SC-06 SC-24 SC-36 SI-13 SI-17
SYSC 13.8.4	External events — managing change and new activities	CM-03 CM-04 PM-09 PM-11 RA-03 RA-07 SA-03 SA-08
SYSC 13.8.5	External events — insurance and risk transfer	PM-09 RA-07
SYSC 13.9.1	Outsourcing — governance and oversight of outsourced functions	SA-04 SA-09 SR-01 SR-02 SR-03 SR-06 PM-30
SYSC 13.9.2	Outsourcing — due diligence and service provider selection	SA-04 SA-09 SA-21 SR-04 SR-05 SR-06 SR-07 PS-07
SYSC 13.9.3	Outsourcing — contractual protections, monitoring and audit rights	SA-04 SA-09 SR-03 SR-06 SR-08 SR-10 CA-07 AU-16
SYSC 13.9.5	Outsourcing — business continuity and exit planning	CP-01 CP-02 CP-04 SA-09 SR-03 SR-12
SYSC 13.G.1	Governance — board and senior management accountability	PM-01 PM-02 PM-10 PM-29 PS-09 PL-09
SYSC 13.G.2	Governance — risk appetite and tolerance setting	PM-09 PM-28 RA-03 RA-07
SYSC 13.G.3	Governance — internal audit and independent assurance	CA-02 CA-04 CA-07 PM-06 PM-14
SYSC 13.G.4	Governance — record keeping and regulatory reporting	AU-01 AU-09 AU-11 SI-12 PM-04