The importance of impact tolerance in operational resilience
Impact tolerance is a vital element of operational resilience and an emerging area of focus. Here's what you need to know.
What is impact tolerance?
In the last few years there has been an increasing focus on impact tolerance in operational resilience. However, there is still some confusion as to what it actually means.

The phrase 'impact tolerance' was introduced by the UK financial services regulators (the Bank of England, the PRA and the FCA) in their July 2018 joint discussion paper, "Building the UK financial sector's operational resilience" (DP01/18). So what is it? And how does it affect your organisation?
Definition of impact tolerance
The Bank of England defines impact tolerance as "the maximum tolerable level of disruption to an important business service, including the maximum tolerable duration of a disruption."

In other words, impact tolerance accepts that disruptive events will happen to and within an organisation. It requires the organisation to determine how much disruption it can actually withstand, and for how long. This involves three main steps:
-
Identify the important business services, products and systems, and understand how their disruption would affect the viability of the business as a whole and parties beyond your own organisation (customers, counterparties and the wider market).
-
Set a maximum acceptable duration of disruption for each of those services, products and systems. This is your organisation's impact tolerance for that service.
-
Implement a process that ensures you can continue to deliver your core services and remain within your impact tolerances when you face disruption, including severe but plausible disruption.
Impact tolerance vs operational resilience
Operational and security incidents are on the rise, and the ability to withstand cyber security threats, particularly in the financial services industry, is becoming increasingly vital. The UK regulator, the Financial Conduct Authority (FCA), set out its operational resilience rules in policy statement PS21/3. In-scope firms had to identify their important business services, set impact tolerances and map the supporting resources by 31 March 2022, and must be able to remain within those impact tolerances for each important business service by 31 March 2025, when the transitional period ends.

This isn't limited to financial services institutions. Regulators around the world are starting to expect organisations in many industries to have plans in place that let them resume important functions despite a major disruption.
What is operational resilience?
Operational resilience is an entity's ability to "withstand and recover from shocks" (APRA), including managing organisational disruptions. Simply put, it allows your business to keep operating during turbulent times.
Operational resilience is rising in importance for two main reasons:
-
The rising risk of cyber-attack, and the growing number of vulnerabilities that attackers can exploit; and
-
Greater exposure to reputational harm: with social media and other always-on information channels, any failure becomes public quickly and does more damage.
Recognising this importance, many regulators are including operational resilience within their overarching governance, risk and compliance (GRC) framework.
The interaction of impact tolerance and operational resilience
Understanding the subtle interaction between operational resilience and impact tolerance can be difficult. However, it is helpful to think of impact tolerance as the centrepiece of the operational resilience framework. Your impact tolerance process is a vital tool for helping your organisation to discover elements of risk and how to tackle them via your operational resilience plan.

Impact tolerance forms a critical element of the regulatory approach to operational resilience. The process has two main roles:
-
To help you measure your current resilience against other market players.
-
To help you determine the wider impact of your risk and resilience across the industry or the ecosystem generally.
The goal is to build resilience to ensure the continuity of your organisation’s key business services.
See also: Operational Resilience Examples
Is impact tolerance the same as 'recovery time objective'?
Recovery time objective (RTO) is a concept that regulators such as the Prudential Regulation Authority (PRA) and the FCA have used for years. The current use of impact tolerances doesn't eliminate or replace RTO; it builds on it to give a fuller understanding of operational risk and resilience.

The difference lies in what each figure represents. An RTO is a target: the time an organisation aims to take to restore a key business system, process or capability after a disruption.

An impact tolerance is a limit: the point at which disruption to that capability causes intolerable harm to customers, to the organisation or to the market, however the recovery is going. The tolerance therefore sits at or beyond the RTO. For example, the RTO for deposit services might be two hours, while the impact tolerance for that service could be as much as four hours: missing the RTO is a recovery failure, but exceeding the tolerance is intolerable harm.

When setting your impact tolerances, RTO becomes one of the metrics you must consider. An RTO that is longer than the tolerance for the same service is a warning that the recovery plan itself is inadequate.
How to set impact tolerances within your operational resilience framework
Setting impact tolerances begins with understanding, for each important business service, how each type of disruption that could threaten the organisation's overall viability affects end users. Use all the data you have, such as incident records, transaction volumes and customer numbers, and build a firm understanding of the user impact of each type of disruption.
Assess the effects of a disruption on the assumption that it has happened, without factoring in its likelihood or the other actions the organisation might take to mitigate its exposure. That way you get to the true extent of the disruption: the number of transactions or customers affected, the maximum duration of the disruption and the maximum value at risk.
Then ask when the disruption would become a risk to the financial stability, safety and soundness of the organisation, cause harm to customers, or affect overall market integrity. That point is the tolerance.
Once you have this information you can set the impact tolerance thresholds. Expressing them as a unit of time (alongside other metrics, such as transaction value or customer numbers, where relevant) is useful because a time limit is easy to monitor, track and replicate across different scenarios and disruptions.
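The following is an added example, not code from the original page or from any product it describes, showing how time-based thresholds can be monitored in practice: each important business service carries an RTO (the recovery target) and an impact tolerance (the hard limit), and every disruption, including one still in progress, is classified as within RTO, past the RTO but within tolerance, or past the tolerance. The service names, thresholds, timestamps and disruption records are constructed for illustration; the two-hour RTO and four-hour tolerance for deposit services are the figures from the comparison above.

```python
"""Classify disruptions to important business services against RTO and impact tolerance.

Added illustrative code. Service names, thresholds and disruption records below are
constructed sample data, not real incidents.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ServiceTolerance:
    service: str
    rto: timedelta               # recovery time objective: the restoration target
    impact_tolerance: timedelta  # maximum tolerable duration of disruption: the hard limit

    def __post_init__(self) -> None:
        # An RTO beyond the tolerance means that even a plan executed perfectly causes intolerable harm.
        if self.rto > self.impact_tolerance:
            raise ValueError(f"{self.service}: RTO {self.rto} exceeds impact tolerance {self.impact_tolerance}")


@dataclass(frozen=True)
class Disruption:
    service: str
    started: datetime
    restored: Optional[datetime] = None  # None means the service is still down


@dataclass(frozen=True)
class Assessment:
    service: str
    duration: timedelta
    status: str            # "within_rto" | "rto_missed" | "tolerance_breached"
    ongoing: bool
    headroom: timedelta    # time left before the tolerance is breached; negative once it has been


def assess(tol: ServiceTolerance, d: Disruption, now: datetime) -> Assessment:
    """Measure one disruption against its service's RTO and impact tolerance."""
    end = d.restored if d.restored is not None else now  # ongoing outages are measured up to 'now'
    if end < d.started:
        raise ValueError(f"{d.service}: restoration time precedes start time")
    duration = end - d.started
    if duration <= tol.rto:
        status = "within_rto"
    elif duration <= tol.impact_tolerance:
        status = "rto_missed"        # recovery target missed, harm still tolerable
    else:
        status = "tolerance_breached"  # intolerable harm: reportable to the board and regulator
    return Assessment(d.service, duration, status, d.restored is None, tol.impact_tolerance - duration)


def assess_all(tolerances: Dict[str, ServiceTolerance], disruptions: List[Disruption],
               now: datetime) -> List[Assessment]:
    """Assess every disruption; a service with no tolerance set is itself a finding, so fail loudly."""
    results = []
    for d in disruptions:
        if d.service not in tolerances:
            raise KeyError(f"no impact tolerance set for service {d.service!r}")
        results.append(assess(tolerances[d.service], d, now))
    return results


# Constructed sample data (hypothetical services and incidents).
TOLERANCES: Dict[str, ServiceTolerance] = {
    "deposits": ServiceTolerance("deposits", rto=timedelta(hours=2), impact_tolerance=timedelta(hours=4)),
    "payments": ServiceTolerance("payments", rto=timedelta(hours=1), impact_tolerance=timedelta(hours=3)),
}
NOW = datetime(2024, 3, 4, 10, 45)
DISRUPTIONS: List[Disruption] = [
    Disruption("deposits", datetime(2024, 3, 1, 9, 0), datetime(2024, 3, 1, 10, 30)),  # 1h30: within RTO
    Disruption("deposits", datetime(2024, 3, 2, 9, 0), datetime(2024, 3, 2, 12, 0)),   # 3h: RTO missed
    Disruption("payments", datetime(2024, 3, 3, 9, 0), datetime(2024, 3, 3, 13, 0)),   # 4h: tolerance breached
    Disruption("payments", datetime(2024, 3, 4, 9, 0)),                                 # ongoing at NOW (1h45)
]
SAMPLE_RESULTS: List[Assessment] = assess_all(TOLERANCES, DISRUPTIONS, NOW)

if __name__ == "__main__":
    for a in SAMPLE_RESULTS:
        flag = " (ongoing)" if a.ongoing else ""
        print(f"{a.service:9s} {str(a.duration):>8s} {a.status:19s} headroom={a.headroom}{flag}")
```

The ongoing case is the one worth watching in a live dashboard: the headroom figure is how long the incident team has before the disruption turns from a missed target into intolerable harm that must be reported.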
See also: Operational Resilience Strategy
The future of impact tolerance
Looking ahead
Impact tolerance/operational resilience is becoming one of the most important risk and corporate compliance elements of modern organisations.
Regulators across the globe are increasingly scrutinising the ability of organisations to manage, adapt to, and recover from operational disruptions.
So, whatever the size of your organisation you must have plans in place to resume functionality in the event of a major disruption.
Impact on the financial services industry
The financial services industry is the sector most directly affected by regulation around impact tolerance and operational resilience.
While not every country or every industry has implemented these requirements yet, it appears likely that they will. The approaches developed for the financial sector should be treated as indicators of where regulation is heading more generally.
How to create an impact tolerance operational resilience framework
An impact tolerance operational resilience framework has a vital and growing role to play in your organisation. Creating one that functions well is important to your organisation overall.
This framework must include assessing your resilience against the impact tolerances you have set, including a methodology for identifying important business services. To do this, the organisation must be able to:
-
Identify potential risks and protect itself against them;
-
Respond and adapt quickly to crises, shocks and disruptions;
-
Minimise the impact on customers;
-
Minimise the impact on the delivery of business-critical operations; and
-
Maintain strong operations outside the area affected by the crisis or disruption.
Your impact tolerance operational resilience approach should blend enterprise risk, actuarial, and modelling with data and resilience expertise in order to deliver a fully integrated system that ties operational risk, risk transfer, and resilience capabilities together.
This system must represent a single solution that can bring all of these elements together in a compliant, efficient, and effective way.
Use Drova to:
A strong operational resilience solution like Drova is an important tool to execute your impact tolerance assessments as part of your operational resilience framework. It will allow your organisation to respond to disruptions quickly and flexibly, and to be able to work within your own identified impact tolerance levels.
-
Define what is an 'inconvenience' versus 'intolerable harm', and establish tolerance levels across processes and resources
-
Use the Impact Time Matrix to measure the impact against the duration for which the service is not working
-
Put in controls and mitigants to ensure you can maintain critical operations within tolerance levels
-
Be able to confidently demonstrate this to APRA
-
Once tolerances are established, conduct regular scenario testing to calibrate them