FrameOne — Regulated Businesses
Regulatory frameworks — FCA PS21/3, ISO 22301, NIS2, Cyber Essentials — were written for enterprises. The evidence they require is the same regardless of how many people you employ. Most SMEs in regulated sectors are producing that evidence through a combination of consultants, spreadsheets, and Word documents that are out of date before they leave the printer.
Regulators and auditors increasingly expect a live, continuously maintained posture. A self-assessment document produced in advance of a review is not the same as being able to demonstrate operational resilience on any given day. The gap between those two things is where regulatory risk lives.
BC plans maintained separately from your operational environment go out of sync the moment something changes. A new system, a new supplier, a restructured team — the plan doesn't know. When you need it most, it describes a business that no longer exists.
Month-end, peak trading windows, regulatory submission deadlines — these periods carry materially higher operational risk than ordinary business days. Your current tools and plans treat every day the same. Regulators increasingly do not.
A consultancy can produce a gap analysis or a BC plan. It cannot keep it current. The ongoing cost of maintaining regulatory evidence through periodic consultant engagements is significant — and the result is still a document, not a live capability.
FrameOne is designed for businesses that carry real regulatory obligations but not the enterprise resources to manage them. It produces compliance evidence as a continuous byproduct of how you run — not as a periodic exercise that happens before someone asks.
Your FCA PS21/3 self-assessment, ISO 22301 gap report, and business continuity documentation are outputs of the system you use every day. Regulators see a continuously maintained posture, not a snapshot assembled under time pressure.
Define your maximum tolerable disruption periods per service, record your tolerance testing, and maintain an evidenceable audit trail — in the format regulators recognise. Impact tolerance is not an annual exercise; it is a continuously updated record.
Plans are connected to the live operational model, not maintained as separate documents. When your environment changes — a new system, a new supplier, a restructured team — your continuity documentation reflects it without a manual update cycle.
The knowledge your best people carry is captured in the system, not lost when they are unreachable. Whoever responds to an incident has access to current runbooks, dependencies, and escalation paths — not a playbook that was accurate eighteen months ago.
When a regulator or auditor asks, the evidence is already there. Not assembled from emails and spreadsheets, but maintained continuously as part of how you operate — searchable, timestamped, and ready to present.
You do not need a blank-sheet exercise or a dedicated architecture programme to get started. FrameOne can read your existing documentation — Word files, PDFs, spreadsheets — and propose an initial operational model from what you already have. Operational clarity in days, not months. You start from where you are, not from zero.
Wealth managers, boutique asset managers, payment processors, and financial services firms facing FCA PS21/3 operational resilience obligations — where the regulator expects a live, evidenceable posture and the cost of non-compliance is existential.
Professional services firms facing ISO 22301 compliance requirements from larger clients — where an inability to demonstrate operational resilience risks losing the contract, regardless of whether a regulator is directly involved.
Healthcare operators navigating CQC and data governance obligations. Any SME in a regulated sector that has received a compliance request they cannot currently answer with confidence, and cannot afford to answer slowly.
If you're navigating the period immediately after an acquisition and need to build operational visibility quickly, see FrameOne for post-acquisition businesses. If you're an MSP looking to deliver resilience as a managed service to your regulated clients, see FrameOne for MSPs.
FrameOne is in early development. We are talking to regulated businesses to understand which obligations are most pressing and where current approaches are falling short. If any of this is familiar, we would like to hear from you.