A New Regulatory Reality for QFC-Authorised Firms

The Qatar Financial Centre Regulatory Authority (QFCRA) has introduced significant new operational resilience requirements through the Operational Resilience and Miscellaneous Amendments Rules 2024 (QFCRA Rules 2024-4).

The amendments introduced a new Chapter 8 into the General Rules and Controlled Functions (CTRL) Rulebook 2020, establishing comprehensive requirements relating to:

  • Operational Risk Management;
  • Operational Resilience;
  • Outsourcing Governance;
  • Information and Communication Technology (ICT) and Information Security; and
  • Business Continuity Management.

While the amendments became effective on 1 October 2025, one particular requirement deserves immediate attention.

Under Rule 8.3.5(4), authorised firms must ensure that they can remain below their approved impact tolerances for each critical operation in the event of a severe but plausible disruption. Importantly, Rule 8.3.5(5) provides that this requirement takes effect on and after 1 October 2026.

For many firms, that deadline may appear distant. In reality, it leaves a relatively narrow implementation window.

Operational Resilience Is More Than Business Continuity

Many organisations believe that having a Business Continuity Plan means they are operationally resilient.

Operational resilience is considerably broader.

The new requirements expect firms to understand:

  • Which operations are genuinely critical to the organisation;
  • The maximum level of disruption that can be tolerated before significant harm occurs;
  • The people, systems, information assets, facilities, and third-party providers that support those operations;
  • The scenarios that could disrupt critical operations; and
  • How the organisation would respond, recover, and continue delivering critical services during severe but plausible disruptions.

Operational resilience therefore represents an organisational capability rather than a standalone document or compliance exercise.

Why Many Firms May Not Yet Be Ready

Based on our assessment of the QFC market and our discussions with QFC-regulated firms, many organisations remain at the awareness stage.

A significant number of firms have:

  • Risk management policies;
  • Business continuity plans;
  • Outsourcing arrangements; and
  • Information security controls.

However, many have not yet:

  • Identified and documented their critical operations;
  • Established governing-body-approved impact tolerances;
  • Mapped operational dependencies and single points of failure;
  • Assessed the resilience implications of outsourcing arrangements;
  • Developed severe but plausible disruption scenarios; or
  • Connected operational resilience requirements to their broader risk management and governance frameworks.

As a result, firms may significantly underestimate the effort required to achieve operational resilience readiness before October 2026.

The Importance of Proportionality

Importantly, the QFCRA recognises that operational resilience requirements should be proportionate to the nature, scale, and complexity of each authorised firm.

A small asset management firm will not be expected to implement the same operational resilience arrangements as a large financial institution with multiple business lines and complex operations.

However, proportionality does not remove the obligation to comply.

Every authorised firm should be able to demonstrate that it:

  • Understands its critical operations;
  • Has established appropriate impact tolerances;
  • Understands its key operational dependencies;
  • Maintains effective business continuity arrangements; and
  • Has considered how it would continue operating during severe disruptions.

Operational Resilience Should Be Viewed as a Strategic Initiative

Operational resilience should not be approached as a narrow compliance exercise or a documentation project.

Done properly, operational resilience provides organisations with a structured understanding of:

  • Their most important services and activities;
  • Their operational vulnerabilities and dependencies;
  • Their exposure to technology, cyber, third-party, and concentration risks;
  • Their ability to respond to and recover from disruptions; and
  • Their overall preparedness in an increasingly uncertain environment.

Operational resilience therefore creates benefits that extend well beyond regulatory compliance. It strengthens organisational resilience, enhances governance and decision-making, and helps firms build greater confidence in their ability to withstand and recover from disruption.

The Time to Prepare Is Now

The October 2026 deadline is approaching faster than many organisations appreciate.

Firms that begin their operational resilience journey early will have sufficient time to:

  • Understand the requirements;
  • Conduct meaningful assessments;
  • Design proportionate solutions;
  • Obtain governing body approvals; and
  • Implement and test their operational resilience arrangements.

Conversely, firms that delay may find themselves attempting to implement complex requirements under significant time pressure.

The question is no longer whether operational resilience requirements apply.

The more important question is:

Does your organisation currently understand its critical operations, impact tolerances, and operational dependencies sufficiently to demonstrate resilience before 1 October 2026?

About LAMAH Intelligent Solutions

LAMAH Intelligent Solutions supports organisations across the GCC in strengthening operational resilience, risk governance, cybersecurity readiness, and enterprise risk management capabilities. Through our expertise in Digital Transformation, IT GRC, and Integrated Risk Management, we help organisations build the governance structures, resilience capabilities, and risk management frameworks needed to operate confidently in complex and rapidly evolving environments.

As part of our Operational Resilience services, we support QFC-authorised firms through executive awareness sessions, rapid readiness assessments, implementation programmes, and ongoing resilience testing and validation activities.

This article forms part of LAMAH Intelligent Solutions’ ongoing research on operational resilience, cybersecurity, digital resilience, and integrated risk management in an increasingly complex global environment.
