Express tolerances in minutes or hours for clarity.
Impact tolerance explained
Define acceptable disruption levels.
Learn how to set impact tolerances, measure potential harm to customers and operations, and comply with regulatory expectations for critical services.
What is impact tolerance?
Impact tolerance is the maximum level of disruption a critical service can withstand before causing intolerable harm to customers, markets, or the organisation.
Consider customer outcomes, safety, and regulatory impact.
Update tolerances alongside service reviews.
WHY IT MATTERS
Why impact tolerances guide resilience decisions
Clarifies priorities. Teams know exactly when to escalate or invest in redundancy because the allowable disruption level is written down.
Supports compliance. Regulators require documented tolerances for important services, particularly in financial services and DORA regimes.
Improves testing. Scenarios focus on the limits that matter most, giving leadership confidence that “severe but plausible” really means something.
STEPS
How to set impact tolerances
- Identify harm. Define what unacceptable harm looks like (financial, operational, customer).
- Set thresholds. Agree on maximum disruption time, volume, or service degradation.
- Validate. Review thresholds with stakeholders, risk appetite, and regulators if needed.
CADENCE
How to monitor and review tolerances
- Track KRIs. Use leading indicators to signal when tolerances may be approached and highlight risks early.
- Scenario test. Validate that tolerances hold under severe events so leadership trusts the numbers.
- Report breaches. Escalate immediately if tolerances are exceeded, recording impact and remediation.
- Refresh annually. Update tolerances when services, customers, or regulations change so they stay relevant.
Impact tolerance quick wins
Build a template
Document service name, tolerance metric, rationale, and owner.
Link to appetite
Ensure tolerances align with risk appetite statements.
Publish summaries
Share tolerances with leadership and response teams.
Impact tolerance glossary snapshot
Impact tolerance. Maximum disruption allowed before intolerable harm occurs.
Maximum tolerable outage. A time-bound tolerance metric used in some regulations.
Customer harm. Negative outcomes for customers, markets, or the organisation if tolerances are breached.
FAQS
Impact tolerance FAQs
How do we pick the right metric?
Use minutes/hours for time, % transactions impacted, or qualitative descriptors tied to customer outcomes.
Who approves tolerances?
Service owners propose them; risk committees and boards approve them, especially in regulated industries.
How granular should tolerances be?
Start with critical services; expand to supporting services as the program matures.
Do tolerances replace SLAs?
No—SLAs describe normal operations, while tolerances define disruption limits.
Drova RunReady keeps tolerances, service maps, and test results together for easy reporting.