The WFE welcomes the Bank of England, FCA and PRA’s discussion paper on operational resilience calling on firms to demonstrate their operational resilience in the event of a cyber-attack or IT disruption, as well as using this paper to inform their approach to building cyber resilience in the UK financial system. The key points we make in response to the questions below are: (i) the proposed approach on objectives relating to continuity of business services could be feasible and proportionate, to the extent that it recognises current practices within organisations that already have recovery time and recovery point objectives defined as part of their BCM / DR requirements; (ii) there are differing levels of key risk indicator maturity between firms for measuring risk appetite / risk tolerances; and (iii) communication processes are defined in incident management and crisis management planning.