It’s an all too familiar story. A financial firm stumbles over a compliance issue – maybe AML controls, an internal fraud or an IT failure. Of course the FCA asks to see the risk management framework that would no doubt address all aspects of this crystallised risk with detailed mitigation steps. But it’s not ready. It’s still a work in progress. After a tense conversation about doing the best job possible with limited resources and something about only being a very simple firm, it’s clear to everyone involved that the risk management framework just isn’t good enough. What follows is an expensive Section 166 review and a remediation plan laying out the torturous path to a fit-for-purpose ICARA.
There is a cheaper way…
Climbing the Learning Curve
Since its implementation in January 2022, the Investment Firms Prudential Regime (IFPR) has forced firms to rethink their risk management. As most firms have produced multiple ICARA cycles, their in-house expertise has steadily grown. However, the FCA’s expectations have grown too. Initially there was a tolerance as firms responded to the steep learning curve, but three years into the regime, the FCA now expects a mature, board-led integrated process, not just a document.
ICARA must now strengthen governance, financial resilience, and response capabilities—not merely compliance.
In this article, I explain what needs to be considered in this year’s ICARA cycle. But here’s a summary for those short on time.
Area | What Changed in 2025 Expectations |
Risk Assessments | Shift from generic templates to material harms tied to business model |
Risk Appetite | Quantitative and aligned with commercial and financial planning |
Stress Testing | Forward-looking, multi-variable, plausible but severe scenarios |
Recovery Options | Broader, fully credible, with realistic execution plans covering capital/liquidity levers |
Wind‑Down Planning | Structured, assumes stress & group issues, minimum 12-month timeline |
Governance & SMCR | FCA expects deep Senior Manager engagement and documented challenge |
Early Warning Indicators | EWIs must exceed regulatory minima, with mapped actions and timings |
Tools & Tech | Increased use of risk management platforms vs Excel: improves collaboration and reduces error risk |
Building a Robust ICARA Framework
The process must centre around the business model as this drives the risk of harms. Once this is established for BAU conditions, then it must be examined through the lens of stress scenarios. A good range of credible recovery options should be developed to help get through the severe scenarios, with a quality wind down plan in case it all goes wrong. Senior management and the Board must be actively involved throughout the process as the best ICARAs come from robust discussions.
- Identify the Material Harms your firm could inflict
Begin with material harms – the actual impacts your firm may have on clients, the market, and the firm itself – instead of recycled risks from a generic list. This needs to align with your business model and strategy, and adapt as it evolves.
- Cohesion Between Risk Appetite and Strategy
Ensure a quantitative risk appetite is linked to your strategic objectives and financial buffers. Risk limits should flow from internal planning and inform capital and liquidity frameworks.
- Quality over Quantity: Scenario Design & Stress Testing
Use forward-looking, firm-specific, multi-variable stress tests. Go beyond historical simulations: explore plausible severe events like concurrent market shocks, counterparty failure, or operational outages. Test recovery options under these conditions, documenting assumptions clearly.
- Recovery & Wind-Down Planning
Strengthen recovery options (a broader set of capital and liquidity levers), assess their execution credibility, timings and group support reliability if the group itself is under stress.
Wind-down plans must assume stress conditions and firesale asset disposal, monitor group interdependencies, and allow an appropriate wind-down timeframe – at least 12 months.
- Governance, Senior Manager Oversight & Early Intervention
Boards and Senior Managers must be actively engaged, trained on IFPR expectations, and challenge ICARA assumptions robustly.
Set early warning indicators (EWIs) beyond the 110% capital threshold to allow timely management action with explicit triggers and escalation paths.
Enhanced 2025 Priorities
Technology & Risk Platforms
While spreadsheets remain popular, their limitations are clear: Excel-based tools hamper collaboration, version control, and integration. Firms are encouraged to adopt risk management platforms to enhance real-time data, cross-functional workflows, and accuracy.
Stress Scenarios Reflect Evolving Risks
Recent upheavals—including banking shocks, macroeconomic volatility, and digital operational disruptions—necessitate stress tests that reflect tailored firm-specific risks. Firms should document scenario design and rationale.
Alignment of OFAR Monitoring with ICARA
Mandatory compliance with the Overall Financial Adequacy Rule (OFAR) remains. Firms should embed OFAR monitoring within ongoing governance and management account processes, ensuring timely detection of any breaches.
Key Take Away
ICARA in 2025 is now less about meeting requirements and more about strategically embedding resilience into governance, financial planning, operational capability and stress preparedness.
This updated framework reflects FCA expectations, market developments, and evolving risks under IFPR. Continuous improvement – with strong governance, robust stress testing, and credible recovery planning – is the key to making ICARA a real value driver, not just a regulatory checkbox.
