FCA SYSC 13 — Operational Risk: Systems and Controls — SP 800-53 Coverage
How well do NIST SP 800-53 Rev 5 controls address each FCA SYSC 13 requirement? This analysis maps from framework clauses back to SP 800-53, with expert coverage weightings and gap identification.
Clause-by-Clause Analysis
SYSC 13.1-2 Application, purpose and operational risk management framework
Rationale
PM-01 information security program plan and PM-09 risk management strategy establish the organisational framework for operational risk management. PM-02 senior information security officer establishes executive accountability. PM-11 mission/business process definition identifies the business activities subject to operational risk. PM-29 (Rev 5) risk management program leadership formalises senior management engagement. PL-01 planning policy, PL-02 system security plans, and PL-09 (Rev 5) central management enable unified governance and documented planning. RA-01 risk assessment policy and RA-03 risk assessment provide the methodology for identifying and evaluating risks. Together these controls establish a documented risk management framework with leadership accountability for the IT dimension of operational risk.
Gaps
SYSC 13.1 defines operational risk using the Basel Committee definition encompassing loss from inadequate or failed internal processes, people, systems, and external events. Its application extends to all FCA-authorised firms proportionate to the scale, nature and complexity of their activities. SYSC 13.2 requires firms to interpret SYSC 3.1.1R (establishment and maintenance of systems and controls) in the context of operational risk. SP 800-53 provides a strong IT risk management framework but does not encompass: the broader operational risk taxonomy including non-IT categories (legal risk, conduct risk, reputational risk, people risk), governing body approval and oversight of the operational risk framework as a whole, integration with the firm's overall risk appetite statement, alignment with FCA Principle 3 (organising and controlling affairs responsibly and effectively), or the proportionality principle that is central to the FCA's principles-based approach.
SYSC 13.3 Related Handbook requirements and regulatory cross-references
Rationale
PM-01 information security program plan, PM-09 risk management strategy, and PL-01 planning policy provide a foundation for integrated risk management that could support cross-referencing between regulatory requirements. These controls establish programme-level documentation where cross-references to other obligations might be captured.
Gaps
SYSC 13.3 cross-references other FCA Handbook provisions that interact with operational risk including SYSC 3 (systems and controls), SYSC 4 (general organisational requirements), SYSC 8 (outsourcing), SYSC 12 (group risk), SYSC 14 (prudential risk), INSPRU (prudential sourcebook), and the Threshold Conditions. SP 800-53 has no concept of regulatory cross-referencing or integration between different regulatory sourcebooks. The FCA's layered regulatory architecture — where SYSC 13 guidance must be read alongside binding rules in other chapters — is entirely outside SP 800-53's scope.
SYSC 13.4 Requirements to notify the appropriate regulator
Rationale
IR-06 incident reporting provides a framework for reporting security incidents to designated authorities. PM-07 enterprise architecture indirectly supports understanding which events may trigger regulatory notification. SI-05 security alerts and advisories supports awareness of events that may require notification. These controls offer a partial foundation for regulatory notification processes.
Gaps
SYSC 13.4 establishes obligations for firms to notify the FCA of material operational risk events, significant process failures, and events that could affect the firm's ability to meet its regulatory obligations. SP 800-53 incident reporting (IR-06) addresses reporting within the organisation and to US federal authorities (US-CERT) but does not address FCA-specific notification thresholds, timelines, or the regulatory relationship between supervised firms and the FCA. The SM&CR implications of failure to notify — including potential personal liability for senior managers — are FCA-specific regulatory concepts with no SP 800-53 parallel.
SYSC 13.5.1 Risk management terms — risk culture
Rationale
AT-01 security awareness policy and AT-02 awareness training build the foundation for organisational risk awareness. AT-03 role-based training ensures personnel understand their risk responsibilities. AT-06 (Rev 5) training feedback measures the effectiveness of awareness programmes. PL-04 rules of behaviour establishes expected conduct regarding risk management. PM-13 security workforce addresses staffing and competence. PM-14 testing/training/monitoring programme provides a structured approach to reinforcing risk-aware behaviours.
Gaps
SYSC 13.5 defines risk culture as the general awareness, attitude and behaviour of employees and appointed representatives regarding risk and risk management. This is a broader organisational concept than security awareness training — it encompasses tone from the top, risk appetite communication, incentive structures, whistleblowing culture, and the firm's general attitude toward risk-taking. SP 800-53 training controls address security-specific awareness but do not address the cultural and behavioural dimensions of operational risk management that the FCA expects, including whether risk culture supports or undermines the firm's stated risk appetite and whether conduct risk is embedded in the culture.
SYSC 13.5.2 Risk management terms — operational risk profile and exposure
Rationale
RA-02 security categorisation classifies systems by impact. RA-03 risk assessment identifies and evaluates risks. RA-07 (Rev 5) risk response documents risk treatment decisions. RA-09 (Rev 5) criticality analysis identifies critical business functions and their dependencies. PM-08 critical infrastructure plan identifies systems essential to operations. PM-09 risk management strategy defines risk tolerance. PM-11 mission/business process definition maps business activities. PM-28 (Rev 5) risk framing establishes the organisational context for risk decisions.
Gaps
SYSC 13.5 defines operational exposure as the degree of operational risk faced by a firm expressed in terms of likelihood and impact of operational loss, and the operational risk profile as the types of operational risks faced. SP 800-53 risk assessment controls address IT system risk well but do not capture the full operational risk profile including non-IT categories such as manual process failures, key person dependencies, legal and regulatory change risk, and external event exposure. The FCA expects firms to maintain a comprehensive view of their operational risk profile across all business lines and risk categories, not limited to information systems.
SYSC 13.5.3 Risk management terms — risk identification, assessment, monitoring and reporting
Rationale
RA-01 risk assessment policy establishes the methodology. RA-03 risk assessment and RA-04 risk assessment update provide ongoing risk evaluation. RA-05 vulnerability monitoring identifies technical weaknesses. RA-07 (Rev 5) risk response defines treatment options. CA-02 control assessments and CA-05 plan of action and milestones track remediation. CA-07 continuous monitoring provides ongoing assurance. PM-06 measures of performance tracks programme effectiveness. PM-14 testing/training/monitoring programme governs the assessment lifecycle. PM-31 (Rev 5) continuous improvement drives systematic improvement.
Gaps
SYSC 13.5 expects firms to maintain a full risk management lifecycle covering identification, assessment, monitoring, control and reporting of operational risks. SP 800-53 covers the IT security aspects well. Gaps remain in: operational loss event data collection and analysis (firms are expected to track actual losses from operational failures), key risk indicator (KRI) frameworks that provide leading indicators of operational risk trends, scenario analysis for severe but plausible operational risk events, board-level risk reporting aggregating operational risk exposure across the firm, and integration with the firm's Internal Capital Adequacy Assessment Process (ICAAP) where operational risk feeds into capital requirements.
SYSC 13.6.1 People — employee capability and awareness
Rationale
AT-01 through AT-04 provide comprehensive security awareness and training with records. AT-06 (Rev 5) training feedback measures effectiveness. PS-01 personnel security policy and PS-02 position risk designation address role-based security requirements. PS-06 access agreements formalise employee responsibilities. PS-09 (Rev 5) position descriptions incorporates security responsibilities into role definitions. PM-13 security workforce ensures adequate staffing and competence levels.
Gaps
SYSC 13.6 requires firms to ensure all employees are capable of performing and aware of their operational risk management responsibilities. SP 800-53 training controls are information security focused. Gaps include: broader competence requirements covering business process knowledge and regulatory awareness (not just security training), fitness and propriety assessments aligned with FCA requirements and SM&CR certification, training on conduct risk and customer outcomes, and ensuring appointed representatives and tied agents (specific FCA categories) understand their operational risk obligations.
SYSC 13.6.2 People — segregation of duties
Rationale
AC-05 separation of duties directly addresses the requirement for appropriate segregation of employee responsibilities to prevent conflicts of interest and reduce fraud risk. AC-06 least privilege reinforces segregation by limiting access to the minimum necessary for each role. CM-05 access restrictions for change restricts modification privileges to authorised personnel. PS-02 position risk designation identifies roles requiring enhanced segregation based on risk.
Gaps
SYSC 13.6 requires appropriate segregation of employees' duties to reduce opportunities for fraud, error and conflicts of interest. SP 800-53 addresses IT access segregation well. Minor gaps remain in: segregation requirements for non-IT business functions (e.g., separating front office, middle office and back office in financial services), segregation of duties for appointed representatives and tied agents, and the FCA's expectations around segregation in the context of conduct risk (e.g., separating advisory and execution functions).
SYSC 13.6.3 People — supervision and management oversight
Rationale
PM-02 senior information security officer establishes executive oversight. PM-29 (Rev 5) risk management program leadership formalises senior management engagement. PS-01 personnel security policy and PS-09 (Rev 5) position descriptions define supervisory responsibilities. PS-07 external personnel security addresses oversight of contractors and outsourced staff. AC-13 supervision and review provides for monitoring of user access activities (note that AC-13 is marked withdrawn in SP 800-53 Rev 5, its content having been incorporated into AC-02 account management and AU-06 audit record review, so mappings should cite those controls in practice).
Gaps
SYSC 13.6 requires appropriate supervision of employees in the performance of their responsibilities, including management oversight of staff handling client assets, executing transactions, and operating critical systems. SP 800-53 addresses supervision of IT access but does not cover: FCA expectations for line management oversight of business operations, supervisory arrangements for appointed representatives and tied agents, management information requirements for monitoring staff conduct and performance, or the SM&CR requirement for prescribed responsibility holders to maintain adequate oversight of their areas.
SYSC 13.6.4 People — recruitment, screening and succession
Rationale
PS-01 personnel security policy establishes the framework for personnel management. PS-02 position risk designation identifies sensitive roles. PS-03 personnel screening provides background checks and vetting proportionate to risk. PS-04 personnel termination and PS-05 personnel transfer manage access during employment changes. PS-07 external personnel security addresses third-party staff. PS-08 personnel sanctions provides disciplinary framework for policy violations.
Gaps
SYSC 13.6 requires appropriate recruitment and subsequent processes to review the fitness and propriety of employees. SP 800-53 personnel security controls address IT access vetting well. Gaps include: FCA fitness and propriety requirements under FIT sourcebook (broader than security clearance), SM&CR certification regime requiring annual fitness and propriety attestation for certified function holders, succession planning to ensure continuity of critical operational roles (SYSC 13.6 expects firms to address key person dependencies), and regulatory reference requirements specific to UK financial services recruitment.
SYSC 13.6.5 People — policy statements and procedures manuals
Rationale
PL-01 planning policy and PL-02 system security plans provide documented policy frameworks. PL-04 rules of behaviour establishes acceptable use and conduct expectations. SA-05 system documentation ensures procedures are documented and available. CM-06 configuration settings documents operational configurations. AC-01 access control policy and procedures provides documented access management procedures. Together these controls create a comprehensive documentation framework for IT systems and controls.
Gaps
SYSC 13.6 requires clear policy statements and appropriate systems and procedures manuals to support employees in managing operational risk. SP 800-53 addresses IT policy and procedure documentation well. Gaps remain in: business operations procedure documentation beyond IT (e.g., client onboarding, trade execution, settlement processes), regulatory handbooks and compliance procedure manuals specific to FCA-regulated activities, and ensuring procedures are accessible to and understood by appointed representatives and tied agents.
SYSC 13.7.1 Processes and systems — process and system controls
Rationale
CM-01 through CM-08 provide comprehensive configuration management covering baseline configurations, change control, least functionality, and component inventory. SA-01 system and services acquisition policy, SA-03 system development life cycle, SA-08 security and privacy engineering principles, SA-10 developer configuration management, and SA-11 developer testing and evaluation address the acquisition lifecycle, engineering principles, developer change control, and security testing. SI-01 system integrity policy, SI-02 flaw remediation, SI-06 security functionality verification, SI-07 software integrity verification, SI-10 information input validation, and SI-11 error handling address system reliability and integrity. This control set provides strong coverage of the IT systems dimension of SYSC 13.7.
Gaps
SYSC 13.7 requires firms to establish and maintain appropriate systems and controls for managing operational risks from inadequacies or failures in processes and systems, including those of third-party suppliers. SP 800-53 provides comprehensive IT system controls. Minor gaps: SYSC 13.7 also covers non-IT business processes (e.g., trade settlement, reconciliation, client money handling), end-to-end operating cycle integrity for products and activities, and monitoring of process risk indicators (reconciliation exceptions, compensation payments, documentation errors) that extend beyond IT system monitoring.
SYSC 13.7.2 Processes and systems — IT infrastructure and reliability
Rationale
CM-02 baseline configuration and CM-08 system component inventory provide infrastructure documentation and tracking. MA-01 through MA-03 establish maintenance policy, controlled maintenance, and maintenance tools management. MA-06 timely maintenance ensures prompt resolution of identified issues. MA-07 (Rev 5) field maintenance addresses off-site equipment servicing. SC-05 denial-of-service protection and SC-06 resource priority address availability and performance. SI-02 flaw remediation ensures systems are kept current. SI-13 (Rev 5) predictive maintenance enables proactive failure prevention through component reliability monitoring.
Gaps
SYSC 13.7 specifically references IT systems including computer systems and infrastructure required for automation of processes — application and operating system software, network infrastructure, desktop, server and mainframe hardware. SP 800-53 provides comprehensive IT infrastructure controls. Minimal gap: SYSC 13.7 expects firms to consider the importance and complexity of systems used in the end-to-end operating cycle for products and activities, which may include specialised financial services infrastructure (e.g., market data feeds, SWIFT connectivity, payment rails) not explicitly addressed by SP 800-53.
SYSC 13.7.3 Processes and systems — information security and access controls
Rationale
AC-01 through AC-07 provide comprehensive access control policies, account management, access enforcement, separation of duties, least privilege, and unsuccessful logon attempts. AC-17 remote access, AC-19 mobile device access, and AC-20 external system use address extended access scenarios. IA-01 through IA-05 establish identification and authentication frameworks with authenticator management. IA-08 non-organisational user authentication addresses external party access. SC-07 boundary protection, SC-08 transmission confidentiality, SC-12/SC-13 cryptographic controls, and SC-28 data-at-rest protection provide comprehensive data security.
Gaps
SYSC 13.7 requires appropriate information security controls as part of the firm's process and system risk management. SP 800-53 provides best-in-class access control and information security coverage. Negligible gap: minor differences in how FCA-regulated firms apply access controls to specific financial services contexts such as dealing room access, client data segregation requirements under CASS (Client Assets Sourcebook), and access controls for regulatory reporting systems.
SYSC 13.7.4 Processes and systems — change management
Rationale
CM-03 configuration change control establishes formal change management processes. CM-04 impact analysis of changes assesses risk before implementation. CM-05 access restrictions for change limits who can implement changes. CM-09 configuration management plan documents the approach. CM-14 (Rev 5) signed components ensures integrity of software changes through cryptographic verification. SA-10 developer configuration management and SA-11 developer security testing address development change controls. SI-02 flaw remediation manages patch deployment. SI-07 software integrity verification confirms changes have not been tampered with.
Gaps
SYSC 13.7 requires appropriate change management processes to reduce the likelihood of system and process failures. SP 800-53 provides comprehensive change management controls. Minor gap: SYSC 13.7 also expects change management to cover non-IT changes such as business process changes, organisational restructuring, new product introductions, and regulatory change implementation that may alter the firm's operational risk profile.
SYSC 13.7.5 Processes and systems — monitoring and reconciliation
Rationale
AU-02 auditable events and AU-03 content of audit records define what is monitored. AU-06 audit review and analysis and AU-07 audit record reduction and report generation support log analysis and reporting. AU-12 audit record generation ensures comprehensive logging. CA-07 continuous monitoring provides ongoing assurance. SI-04 information system monitoring and SI-06 security functionality verification detect anomalies. PM-06 measures of performance tracks operational effectiveness. PM-14 testing/training/monitoring programme governs the monitoring lifecycle.
Gaps
SYSC 13.7 specifically references monitoring of process risk indicators including reconciliation exceptions, compensation payments for client losses, and documentation errors. SP 800-53 monitoring controls are focused on IT security events rather than business process operational indicators. Gaps include: business process reconciliation monitoring (trade matching, settlement reconciliation, client money reconciliation), financial loss event tracking and analysis, near-miss event collection, and operational KRI dashboards aggregating IT and business process metrics for management reporting.
SYSC 13.8.1 External events — business continuity management
Rationale
CP-01 contingency planning policy and CP-02 contingency plan establish the business continuity framework. CP-03 contingency training and CP-04 contingency plan testing ensure readiness. CP-05 contingency plan update maintains currency. CP-06 alternate storage site, CP-07 alternate processing site, and CP-08 telecommunications services address infrastructure resilience. CP-09 system backup and CP-10 system recovery provide data protection and recovery capabilities. CP-12 (Rev 5) safe mode enables degraded operation maintaining essential functions. CP-13 (Rev 5) alternative security mechanisms provides fallback controls during disruption.
Gaps
SYSC 13.8 requires firms to implement appropriate arrangements to maintain continuity of operations by reducing both the likelihood and impact of disruption. SP 800-53 contingency planning controls are comprehensive for IT continuity. Gaps: SYSC 13.8 also expects business continuity for non-IT operations (premises, people, manual workarounds), succession planning for key personnel, and insurance as a mitigation tool for operational losses — concepts outside SP 800-53 scope. The FCA also expects continuity planning to address market-wide disruption scenarios affecting multiple firms simultaneously.
SYSC 13.8.2 External events — disaster recovery, resilience and dual processing
Rationale
CP-02 contingency plan includes disaster recovery provisions. CP-04 contingency plan testing validates recovery capabilities. CP-06/CP-07/CP-08 provide geographic resilience through alternate sites and communications. CP-09 system backup and CP-10 system recovery address data and system restoration. CP-11 alternate communications protocols ensures communication resilience. SC-05 denial-of-service protection and SC-06 resource priority address availability under stress. SC-24 (Rev 5) fail in known state ensures predictable system behaviour during failures. SC-36 distributed processing and storage supports resilience through geographic distribution. SI-13 (Rev 5) predictive maintenance enables proactive failure prevention. SI-17 (Rev 5) fail-safe procedures provide additional failure handling to support recovery and graceful degradation.
Gaps
SYSC 13.8 expects firms to have disaster recovery capabilities for IT systems including alternative site recovery, dual processing, and systems resilience to reduce both the likelihood and impact of disruption. SP 800-53 provides strong IT disaster recovery and resilience controls. Minor gaps: SYSC 13.8 references the specific risk assessment firms should perform when sharing recovery sites with other organisations (evaluating the risk of multiple calls on shared resources), real-time dual processing expectations for critical financial services operations (e.g., payment processing, market making), and geographic separation requirements relevant to UK financial infrastructure — practical concerns for FCA-regulated firms not explicitly addressed by SP 800-53.
SYSC 13.8.4 External events — managing change and new activities
Rationale
CM-03 configuration change control and CM-04 impact analysis of changes assess risk from changes. PM-09 risk management strategy provides the framework for evaluating new risks. PM-11 mission/business process definition identifies how new activities alter the business. RA-03 risk assessment evaluates new risks. RA-07 (Rev 5) risk response defines treatment approaches. SA-03 system development lifecycle and SA-08 security and privacy engineering principles ensure new systems are designed with appropriate controls.
Gaps
SYSC 13.8 requires firms to manage the risks of expected changes and unexpected events, ensuring the adequacy of the organisation and reporting structure for managing change, and the adequacy of its crisis management and business continuity plans for expected changes. SP 800-53 covers IT change risk well. Gaps include: operational risk assessment for non-IT changes (mergers, acquisitions, new product launches, regulatory changes), organisational change management (restructuring, senior management changes), the FCA's specific expectations around new product approval processes that assess operational risk, and market event response planning for external shocks.
SYSC 13.8.5 External events — insurance and risk transfer
Rationale
PM-09 risk management strategy addresses overall risk treatment approaches. RA-07 (Rev 5) risk response includes risk transfer as a treatment option alongside acceptance, mitigation, and avoidance.
Gaps
SYSC 13.8 references insurance as a tool to mitigate the impact of disruption and operational losses. SP 800-53 RA-07 acknowledges risk transfer as a concept but does not address insurance procurement, policy adequacy assessment, or the role of insurance in the operational risk management framework. The FCA expects firms to consider insurance coverage as part of their overall operational risk mitigation strategy and to understand policy limitations and exclusions. Cyber insurance, professional indemnity, and business interruption insurance — all relevant to FCA-regulated firms — are outside SP 800-53 scope.
SYSC 13.9.1 Outsourcing — governance and oversight of outsourced functions
Rationale
SA-04 acquisition process establishes security requirements for service providers. SA-09 external system services governs the use of outsourced IT services. SR-01 supply chain risk management policy, SR-02 supply chain risk management plan, and SR-03 supply chain controls and processes provide the governance framework for third-party oversight. SR-06 supplier assessments and reviews enables ongoing monitoring of outsourced service providers. PM-30 (Rev 5) supply chain risk management strategy establishes enterprise-level third-party governance.
Gaps
SYSC 13.9 provides specific guidance on managing outsourcing in the context of operational risk, including the principle that outsourcing may affect a firm's exposure to operational risk through reduced control over people, processes and systems. SP 800-53 supply chain controls provide a good foundation. Gaps include: the FCA's requirement that firms cannot outsource regulatory responsibility, intra-group outsourcing considerations (firms should not assume reduced risk from regulated or intra-group providers), materiality assessment of outsourced functions aligned with SYSC 8 requirements, and the FCA's specific expectations around notification to the regulator of material outsourcing arrangements.
SYSC 13.9.2 Outsourcing — due diligence and service provider selection
Rationale
SA-04 acquisition process and SA-09 external system services establish procurement security requirements. SA-21 (Rev 5) developer screening adds personnel vetting for external providers. SR-04 provenance assesses the origin and trustworthiness of components and services. SR-05 acquisition strategies addresses how to source services securely. SR-06 supplier assessments and reviews enables evaluation of provider capability. SR-07 supply chain operations security assesses provider security practices. PS-07 external personnel security addresses vetting of third-party staff.
Gaps
SYSC 13.9 expects firms to conduct appropriate due diligence before entering outsourcing arrangements, including assessing the service provider's financial stability, operational capability, and regulatory standing. SP 800-53 supply chain controls cover technical assessment well. Gaps include: assessment of service provider financial viability and business continuity (not just IT security), evaluation of provider regulatory status and standing with relevant authorities, consideration of concentration risk from multiple outsourcing arrangements with the same provider, and assessment of jurisdictional and legal risks for offshore outsourcing — all FCA-specific expectations.
SYSC 13.9.3 Outsourcing — contractual protections, monitoring and audit rights
Rationale
SA-04 acquisition process specifies security requirements in contracts. SA-09 external system services addresses service-level agreements and security requirements for outsourced services. SR-03 supply chain controls and processes establishes contractual control requirements. SR-06 supplier assessments and reviews establishes ongoing evaluation of service providers. SR-08 notification agreements addresses communication obligations between parties. SR-10 inspection of systems or components enables on-site and technical inspections. CA-07 continuous monitoring provides a framework for ongoing assurance. AU-16 cross-organisational audit logging supports audit trail integration across organisational boundaries.
Gaps
SYSC 13.9 expects appropriate contractual protections covering service levels, performance monitoring, escalation procedures, termination rights, and transition assistance, combined with ongoing monitoring and audit rights over outsourced operations. SP 800-53 provides security-specific contractual and monitoring controls but does not address: quantitative service level agreements (SLAs) with financial penalties, the FCA's specific requirement for regulator access rights (the FCA and its auditors must be able to inspect outsourced operations), data ownership and information confidentiality provisions specific to client data, sub-outsourcing approval rights and oversight of the provider's supply chain, performance monitoring against contractual SLAs, escalation frameworks for service deterioration, and regular independent assurance over outsourced activities.
SYSC 13.9.5 Outsourcing — business continuity and exit planning
Rationale
CP-01 contingency planning policy and CP-02 contingency plan address continuity planning that should include outsourced services. CP-04 contingency plan testing validates that recovery works across organisational boundaries. SA-09 external system services and SR-03 supply chain controls provide governance of outsourced services. SR-12 component disposal addresses end-of-life considerations for outsourced components.
Gaps
SYSC 13.9 requires firms to ensure appropriate contingency arrangements for business continuity in the event of significant loss of services from a provider, including for financial failure of the provider and unexpected termination of the outsourcing arrangement. SP 800-53 addresses IT continuity but gaps remain in: exit planning and transition strategies to ensure orderly transfer of services to alternative providers, data migration and portability requirements, continued access to data and documentation during and after transition, ensuring the firm can resume direct operations if needed, and the specific risk assessment for concentration of multiple outsourcing arrangements with a single provider.
SYSC 13.G.1 Governance — board and senior management accountability
Rationale
PM-01 information security program plan establishes the organisational framework. PM-02 senior information security officer designates executive accountability. PM-10 security authorisation process assigns system-level accountability. PM-29 (Rev 5) risk management program leadership formalises senior leadership engagement with risk management. PS-09 (Rev 5) position descriptions incorporates security responsibilities into organisational roles. PL-09 (Rev 5) central management enables unified governance oversight.
Gaps
SYSC 13 is underpinned by SYSC 3, which requires a firm's governing body to take reasonable care to establish and maintain a system of control appropriate to its business. The FCA expects board-level oversight of operational risk including setting risk appetite, reviewing the operational risk framework, and personal accountability under SM&CR. SP 800-53 addresses senior leadership roles but does not address: board of directors' fiduciary accountability for operational risk, the SM&CR regime where prescribed responsibility holders bear personal regulatory liability, integration of operational risk into enterprise risk appetite frameworks, or the FCA's expectations for non-executive director challenge of operational risk management.
SYSC 13.G.2 Governance — risk appetite and tolerance setting
Rationale
PM-09 risk management strategy includes risk tolerance concepts. PM-28 (Rev 5) risk framing establishes the organisational context for risk decisions. RA-03 risk assessment evaluates risk against tolerance. RA-07 (Rev 5) risk response documents treatment decisions aligned with risk appetite.
Gaps
SYSC 13 expects firms to define their operational risk appetite as part of the overall risk management framework, with the governing body approving the level of risk the firm is prepared to accept. SP 800-53 treats risk tolerance as an input to the organisation's risk management strategy (PM-09) and to system-level risk decisions, but does not address: board-approved operational risk appetite statements, quantitative loss tolerance thresholds, risk appetite cascading from enterprise to business line to activity level, the distinction between risk appetite (desired level) and risk tolerance (acceptable variance), and alignment between stated risk appetite and actual risk-taking behaviour. All of these are FCA expectations.
SYSC 13.G.3 Governance — internal audit and independent assurance
Rationale
CA-02 control assessments provide evaluation of control effectiveness, with CA-02(1) requiring assessors independent of the system owner. CA-06 authorisation provides a formal, accountable acceptance of residual risk. CA-07 continuous monitoring enables ongoing assurance. PM-06 measures of performance tracks programme effectiveness. PM-14 testing, training and monitoring governs the assessment cycle. (CA-04 security certification is not a Rev 5 control; it was withdrawn and incorporated into CA-02.)
Gaps
SYSC 13 operates within the three lines of defence model that the FCA expects firms to operate, in which internal audit provides independent assurance over operational risk management. SP 800-53 provides assessment controls but does not address: the formal three lines of defence governance model, internal audit function independence requirements, the scope of internal audit coverage of operational risk (beyond IT controls), reporting lines from internal audit to the audit committee and the board, and the FCA's expectations for periodic independent reviews of the operational risk framework itself.
SYSC 13.G.4 Governance — record keeping and regulatory reporting
Rationale
AU-01 audit and accountability policy establishes logging and record-keeping requirements. AU-09 protection of audit information safeguards the integrity of records. AU-11 audit record retention addresses data retention. SI-12 information management and retention covers broader information lifecycle management. PM-04 plan of action and milestones process tracks remediation activities.
Gaps
SYSC 13 operates within the FCA's broader record-keeping requirements (SYSC 9), which require firms to maintain orderly records of their business. SP 800-53 addresses IT audit logs well but gaps include: broader business record-keeping requirements for operational risk events and near-misses, regulatory reporting obligations to the FCA (including operational risk returns), retention periods aligned with FCA and other UK regulatory requirements (e.g., MiFID II record-keeping), and the requirement to make records available to the FCA on request.
Methodology and Disclaimer
This coverage analysis maps from FCA SYSC 13 clauses/requirements back to NIST SP 800-53 Rev 5 controls, assessing how well the SP 800-53 control set addresses each framework requirement.
Coverage weighting represents an informed estimate based on control-objective alignment, not a definitive compliance determination. Weightings consider whether SP 800-53 controls address the intent of each framework requirement, even where terminology and structure differ.
This analysis should be validated by qualified assessors for use in compliance or audit activities. The authoritative source for any compliance determination is always the framework itself.