Beyond the business continuity plan: what operational resilience really means for a football club

Most football clubs have a business continuity plan. Very few have thought about operational resilience, and the distinction is not semantic. A continuity plan tells you what to do after something breaks. Operational resilience asks a harder question: can the club keep delivering the services that matter, throughout the disruption, not just after it. Financial services firms were forced to make this shift five years ago. Football clubs are about to discover why it matters to them too.

This article is the first in our series on Operational Resilience for Football clubs. You can find other articles in this series here.

Lagom Article Header CTA
Lagom Sports Compliance

This article is brought to you by Lagom Sports Compliance -- the leading governance, risk, compliance and anti-financial crime consultancy built exclusively for professional football. We help clubs, agents and leagues navigate the IFR, UEFA licensing and EU AML obligations with proportionate, practitioner-led support.

Want to talk through what this means for your club?

The document in the drawer

Ask most football clubs whether they have a business continuity plan and the answer is yes. Ask when it was last tested against a live scenario, and the answer is usually a good deal less confident. The business continuity plan has become, for many organisations, a compliance artefact -- a document produced to satisfy an insurer, a board sub-committee or an auditor, filed away, and revisited only when something has already gone wrong.

That is not a criticism unique to football. It was, until recently, the default state of the UK financial services sector too. And it is precisely the problem the Financial Conduct Authority set out to fix when it published Policy Statement PS21/3, Building Operational Resilience, in March 2021. The FCA's insight, which took the sector the better part of four years to fully absorb, was that continuity planning and resilience are not the same discipline. A firm can have an excellent continuity plan and still not be resilient. The two questions are different, and only one of them is actually about protecting the people who depend on the organisation when things go wrong.

The distinction that matters: recovery versus continuity of service

Business continuity planning asks: if this service fails, how do we get it back? It is a recovery discipline. It assumes disruption, then focuses on the steps -- the failover systems, the alternative premises, the emergency contact trees -- that bring the organisation back to normal operation. It is measured in recovery time: how many hours or days until the service is restored.

Operational resilience asks a different and harder question: can we continue delivering this service, within acceptable limits, throughout the disruption? It does not assume that recovery is the goal. It assumes that some level of continued delivery, even in a degraded state, is what the people relying on the service actually need -- and it works backwards from that requirement to determine what the organisation must be able to withstand, not just what it must be able to fix afterwards.

The FCA's own framing, developed jointly with the Bank of England and the Prudential Regulation Authority, is instructive precisely because it was built for organisations whose failures cause direct and immediate harm to the people who depend on them. A bank that cannot process payments is not merely inconvenienced -- its customers cannot pay rent, cannot buy food, cannot meet payroll for their own staff. The FCA's rules require firms to identify the specific services whose interruption would cause intolerable harm to consumers or to market integrity, and then to build genuine resilience around those services specifically, rather than treating resilience as a single organisation-wide exercise.

Continuity vs Resilience Callout

A continuity plan is a promise to fix things after they break. Operational resilience is a design discipline that asks whether the organisation can keep its most important promises while things are still broken.

Why this translates directly to football

It would be easy to dismiss PS21/3 as a financial services concern with no obvious relevance to a football club. That would be a mistake. Strip away the banking-specific language and the underlying logic applies with very little modification: football clubs are complex operational organisations that deliver services whose failure causes real harm to real people, on a schedule they do not control and cannot postpone.

A matchday that cannot proceed safely because ticketing, access control or stewarding has failed is not merely an inconvenience -- it is a public safety issue, a regulatory issue and, for a club whose revenue depends heavily on matchday income, a financial issue with immediate cash implications. A transfer registration system that is unavailable in the final hours of a window is not an IT problem -- it can be the difference between completing a signing and losing a player the club has already agreed terms for. A payroll failure affecting players and staff is not an administrative delay -- it is an employment and, depending on scale and duration, a regulatory matter. None of these are hypothetical. All of them have happened to football organisations, and all of them illustrate the same point: the services football clubs deliver are time-critical, cannot always be substituted, and their failure has consequences that a recovery plan alone does not address.

The instinct to treat this as "just IT" or "just operations" is exactly the instinct PS21/3 was designed to correct in financial services. Resilience, done properly, is a board-level governance discipline. It requires the same seniority of ownership, the same rigour of evidence and the same discomfort with reassuring but untested assumptions that the FCA now expects of a bank. 

The four-part discipline

Operational resilience, as the framework has matured in financial services, rests on four connected disciplines. None of them is complicated in concept. All of them are demanding in practice, because they require the organisation to be genuinely honest about its own vulnerabilities rather than reassured by the existence of a plan.

  1. Identify the important business services. Not every activity a club undertakes is an important business service in the resilience sense. The discipline starts by identifying the specific, narrow set of services whose interruption would cause serious harm -- to supporters, to players, to staff, to the club's financial position or to its regulatory standing. This is harder than it sounds. The instinct is to list everything the club does; the discipline is to identify the small number of services where failure is genuinely intolerable, not merely inconvenient.

  2. Set impact tolerances. For each important business service, the club needs to determine the maximum tolerable disruption -- expressed in time, in volume, or in some other concrete metric -- beyond which the harm becomes unacceptable. How long can the ticketing system be unavailable before a fixture is genuinely compromised? How long can the club be locked out of its transfer registration system during a live window before a deal is lost? An impact tolerance is not an aspiration to fix things quickly. It is a hard line the club has decided, in advance and with proper sign-off, it cannot afford to cross.

  3. Map what the service actually depends on. Every important business service is delivered by a combination of people, processes, technology, facilities and third parties -- and most organisations, football clubs very much included, do not have this mapped with any real precision. Mapping means identifying, specifically, which individuals, which systems, which suppliers and which physical locations a service depends on, including the third-party providers who sit outside the club's direct control but whose failure is still the club's problem to manage.

  4. Test against severe but plausible disruption. A plan that has never been tested against a realistic adverse scenario is a hypothesis, not a capability. Scenario testing means stress-testing each important business service against genuinely severe disruptions -- the loss of a critical system, the unavailability of key facilities or personnel, the failure of a critical third-party supplier -- and honestly assessing whether the club can remain within its impact tolerance, or whether the test has revealed a vulnerability that needs remediation.

Board Discipline Not IT Project Box

Why this is a board discipline, not an IT project

The FCA's supervisory experience since PS21/3 came into force is directly relevant here, and it is not flattering to organisations that treated resilience as a delegated technical exercise. Firms that identified their important business services too narrowly -- often relying on a single factor like whether a competitor could step in, rather than assessing the genuine harm of failure -- were found by the regulator to have under-scoped their own resilience work. Firms that could not clearly justify why they had set a particular impact tolerance, rather than a stricter or looser one, were told their rationale was inadequate. And firms that had mapped their internal systems but not the third-party suppliers underpinning them were found to have the largest and least understood gaps in their entire resilience posture.

The pattern is consistent: resilience gaps are discovered where organisations delegated the thinking to a technical team instead of demanding board-level ownership of the judgement calls -- which services actually matter, how much disruption is genuinely tolerable, and whether the evidence supports the confidence the organisation has in itself. Football clubs building resilience capability now have the advantage of not repeating that mistake.

The IFR connection: resilience as licensing strength, not licensing requirement

It is important to be precise here: the Independent Football Regulator does not mandate a PS21/3-equivalent operational resilience regime for English football clubs. There is no rule requiring clubs to identify important business services, set impact tolerances or run scenario testing in the specific form the FCA requires of banks. Any suggestion otherwise would misstate the licensing framework.

What is true, and increasingly relevant as the full licensing application window approaches, is that the IFR's operating licence conditions ask questions that a club with genuine operational resilience work behind it is simply better placed to answer well. The financial plans condition requires clubs to demonstrate they can meet their obligations -- a club that has mapped its critical dependencies and stress-tested its ability to continue delivering matchday, payroll and financial reporting services under disruption has a materially stronger evidence base for that demonstration than a club relying on an untested continuity document. The corporate governance condition requires clubs to explain publicly how they apply the governance code -- and a board that can point to a structured, tested resilience programme, with clear ownership and evidenced testing, is demonstrating exactly the kind of governance maturity the condition is designed to surface.

The connection, in other words, runs through governance quality rather than through a specific resilience rule. A club preparing its IFR licence application in the period running up to the application window opening on 2 November 2026 is, in practical terms, being asked by the IFR to demonstrate that it understands its own operational vulnerabilities and has planned for them credibly. Operational resilience work -- done properly, with board ownership and genuine testing -- is one of the strongest ways to generate that evidence, even though the IFR framework does not name the discipline directly.

IFR Same Question Callout

The IFR will not ask a club to produce an impact tolerance document. It will ask the club to demonstrate that it understands its own vulnerabilities and has planned for them credibly. Those are, in substance, the same question asked in different language.

What will our football club operational resilience series cover?

This is the first article in a series applying the operational resilience discipline specifically to football clubs. The remaining five articles work through each part of the framework in football-specific detail: how to identify a club's own important business services rather than defaulting to a generic list; how to set impact tolerances that are genuinely defensible rather than aspirational; how to map the people, systems, facilities and third parties a club actually depends on, including the outsourced suppliers that carry more concentration risk than most clubs realise; how to build and run scenario testing against severe but plausible football-specific disruption; and how to treat cyber and data resilience as a governed discipline within the wider resilience programme rather than a separate IT concern.

The starting point for all of it is the distinction this article has set out: a business continuity plan is not the same thing as operational resilience, and a club that has only ever built the former has not yet done the work that genuinely protects it, its players, its supporters and its regulatory standing when something goes wrong.

Building genuine operational resilience starts with an honest conversation about where the gaps actually are.

Lagom Sports Compliance works with football clubs across governance, risk, compliance and operational resilience -- helping boards understand where their genuine vulnerabilities lie and what a credible, evidenced resilience programme looks like for their specific circumstances.

If this article has raised questions about your club's own position, we would welcome a conversation.

Lagom Article Header CTA
Lagom Sports Compliance

This article is brought to you by Lagom Sports Compliance -- the leading governance, risk, compliance and anti-financial crime consultancy built exclusively for professional football. We help clubs, agents and leagues navigate the IFR, UEFA licensing and EU AML obligations with proportionate, practitioner-led support.

Want to talk through what this means for your club?

Frequently asked questions: operational resilience for football clubs

Previous
Previous

What are a football club's "important business services"? Identifying the operations that cannot be allowed to fail

Next
Next

CJEU ROGON judgment: why football agent regulation is moving in one direction