Anonymised regulated-firm appendix
FCA/PRA Operational Resilience Mapping
Deployment reference: RB-OR-2026-A. Generated 2026-05-10 UTC.
This appendix maps ACP technical evidence to firm-owned operational resilience questions for an anonymised regulated-firm pilot. It is not FCA/PRA certification, legal advice, or a substitute for the firm's formal self-assessment.
Deployment Identity
- Firm name: anonymised / not provided.
- ACP role: supporting control and evidence layer for governed AI use.
- Data boundary: proof tenant and non-customer evidence only.
- Owner before production: firm operational owner and compliance/legal reviewer to be named.
Important Business Service Position
ACP is recorded as a supporting technology dependency for the firm's AI governance process. It is not recorded as the firm's important business service unless the firm designates it as such in its own operational-resilience self-assessment.
Pilot Impact Tolerance
Pilot threshold: restore ACP evidence and health surfaces within 4 business hours, or continue under manual governance with firm risk acceptance. Measurement uses the health endpoint, live evidence page, latest proof-pack conclusion, and decision-evidence retrieval where authorised test data exists.
Severe-But-Plausible Scenarios
| Scenario | Expected impact | Detection signal | Owner | Recovery evidence |
|---|---|---|---|---|
| ACP control-plane outage | Governed AI policy, audit, and evidence records are unavailable; affected workflow pauses or moves to approved manual governance. | /api/healthz failure, evidence page outage, monitor alert, or operator smoke failure. | ACP technical owner restores platform; firm operational owner manages workflow pause/manual fallback. | Restored health endpoint, Playwright page check, CD or rollback run, incident note. |
| Upstream LLM provider disruption | AI execution may be unavailable or routed only through approved policy; unmanaged fallback is not acceptable. | Provider provenance failure, model execution error, unexpected fallback_used=true, or provider smoke failure. | ACP technical owner for provider route; firm accountable owner for use-case continuation. | Redacted provider proof, model/provider audit row, no-secret incident note. |
| Evidence-chain or audit-writing failure | The firm cannot rely on ACP records as complete evidence during the affected period. | Proof-pack evidence_chain/write_audit_trail failure, evidence retrieval error, or audit freshness failure. | ACP technical owner remediates; firm compliance owner handles risk acceptance/evidence disposition. | Passing proof-pack manifest, redacted audit/evidence sample, regression and Playwright verification. |
| Identity or OIDC disruption | Operators or reviewers cannot authenticate, review evidence, or execute governed workflows. | OIDC discovery failure, login/OAuth error, Keycloak health failure, or browser smoke failure. | ACP technical owner; firm operational owner decides whether to pause affected workflow. | Restored OIDC discovery, login/service-token proof, incident note, hardening follow-up where needed. |
Third-Party / Material Dependency Assessment
| Area | Dependency | Pilot materiality rationale | Firm action |
|---|---|---|---|
| Hosting and runtime | DigitalOcean droplet/container runtime | Potentially material if ACP supports a firm-designated important business service or critical governance process. | The firm classifies materiality and confirms recovery expectations. |
| Identity | Keycloak/OIDC and Google/OAuth where used | Material for operator access and evidence review if ACP is a production control path. | The firm confirms authorised-user model and fallback access path. |
| LLM providers | OpenAI and Anthropic provider routes | Material if governed AI execution depends on provider output provenance. | The firm classifies provider materiality and reporting duties. |
| CI/CD and proof pipeline | GitHub Actions, signed proof-pack artifacts, tag-triggered CD | Material for release evidence and control-change assurance. | The firm defines evidence freshness requirement for reviews. |
| Vault / secrets management | Vault and provider-secret source-of-truth controls | Material for credential protection and auditability; Vault audit has a formal-submission freshness caveat. | Capture fresh non-empty audit excerpt or record firm risk acceptance. |
Incident And Reporting Thresholds
ACP does not decide FCA/PRA operational incident or material third-party reporting duties. The firm compliance owner must decide whether an ACP incident has serious regulatory impact, whether any ACP-related arrangement is material, and what communications plan applies to firm-owned services.
Remediation And Review Cadence
- Replace anonymised fields with the firm's named facts before production or formal submission.
- Confirm IBS classification, impact tolerance, and scenario test results before production.
- Refresh third-party materiality annually or after material change.
- Capture a fresh non-empty Vault audit excerpt or firm risk acceptance before formal submission.
- Refresh proof-pack and provider evidence inside the firm-agreed freshness window.
Source Evidence
- FCA/PRA evidence dependency register.
- Operational resilience mapping appendix (maintained under version control, available on request).
- Vendor / third-party register (maintained under version control, available on request).
- Incident response and business continuity policies (maintained under version control, available on request).
- Latest proof-pack rerun: GitHub Actions run 25993440229, manifest proof-20260517T142553Z-41670a0b, pass.