The Importance of Impact Tolerance in Operational Resilience

Impact tolerance is a vital element of operational resilience and is an emerging area of focus. Here’s what you need to know.

 

In the last few years there has been an increasing focus on impact tolerance in operational resilience. However, there is some confusion as to what it actually means.

The phrase “impact tolerance” was coined by the UK financial services regulators in 2018 in their paper, “Building operational resilience in financial services.” So what is it? And how does it impact your organization?
What is impact tolerance?


Impact tolerance is a rising area of operational resilience focus. The Bank of England defines it as “the maximum tolerable level of disruption to an important business service, including the maximum tolerable duration of a disruption.”

In other words, impact tolerance accepts that disruptive events will happen to and within an organization. It requires organizations to determine how much disruption they can actually withstand, and for how long. This involves three main steps for your organization.

  1. The identification of key business services, products and systems, to understand how disruption affects overall business viability and what impact it has beyond your own organization.
  2. The setting of a maximum acceptable downtime for key business services, products and systems (this is your organization’s tolerance).
  3. The implementation of a process that ensures you can continue to deliver your core services and remain within your impact tolerances when you face disruption (even severe disruption).

 

Impact tolerance vs operational resilience 


Operational and security incidents are on the rise, and the ability to withstand cyber security threats, particularly in the financial services industry, is becoming increasingly vital. The UK regulator, the Financial Conduct Authority (FCA), anticipates that all organizations it governs will need to comply with impact tolerances and have a strong operational resilience framework in place by the second half of 2024.

This isn’t just limited to financial services institutions. Regulators around the world are starting to expect organizations in many industries to have plans in place to enable them to resume important functions despite a major disruption. 
 

What is operational resilience?


Operational resilience is an entity’s ability to “withstand and recover from shocks” (APRA), including managing organizational disruptions. Simply put, it allows your business to keep operating during turbulent times.

Operational resilience is rising in importance for two main reasons:

  1. The rising risk of cyber-attack (and the increasing vulnerabilities in this area); and
  2. Increasing exposure due to widespread information channels, such as social media, which means that any failure is more widely known and can cause more damage.

Recognizing this importance, many regulators are including operational resilience within their overarching GRC framework. 

The interaction of impact tolerance & operational resilience 


Understanding the subtle interaction between operational resilience and impact tolerance can be difficult. However, it is helpful to think of impact tolerance as the centerpiece of the operational resilience framework. Your impact tolerance process is a vital tool for helping your organization to discover elements of risk and how to tackle them via your operational resilience plan. 

Impact tolerance forms a critical element of the regulatory approach to operational resilience. This process has two main roles:

  1. To help you measure your current resilience against other market players.
  2. To help you determine the wider impact of your risk and resilience across the industry or the ecosystem generally.

The goal is to build resilience to ensure the continuity of your organization’s key business services.

See also: Operational Resilience Examples
 

Is impact tolerance the same as recovery time objective?


Recovery time objective (RTO) is a concept that has previously been used by regulators such as the Prudential Regulation Authority and the FCA. The current use of impact tolerances doesn’t eliminate or replace the concept of RTO; instead, it builds on it to give more insight into operational risk and resilience.

The difference between the two lies primarily in what each duration represents. RTO is the amount of time an organization specifically targets for restoring a key business system, process, or capability after a disruption.

On the other hand, impact tolerance is a wider approach relating to the organization’s ability to tolerate the disruption to that key capability generally. So, for example, the RTO for deposit services might be two hours, but the tolerance for that disruption could be as much as four hours. 

When setting your impact tolerances, RTO becomes one of the metrics that you must consider.
 

How to set impact tolerances within your operational resilience framework


Setting impact tolerances in operational resilience begins with understanding the metrics for each threat that could endanger the organization’s overall viability. You must use all your data and have a firm understanding of how end users are impacted by each type of disruption.

Your organization will want to look at the effects of the disruption without factoring in the other actions that the organization might take to mitigate exposure. That way you can get to the bottom of the true extent of the disruption, including the number of transactions or customers affected, the maximum duration of the disruption and the maximum value of the disruption. 

Finally, your organization needs to ask itself when the disruption would become a risk to the financial stability, safety, and soundness of the organization, or when it will create harm to customers or impact overall market integrity. Once you understand all this information, you will be able to determine impact tolerance thresholds. Setting these as a unit of time is useful because it’s easy to monitor, track and replicate for different scenarios and disruptions.
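To make the RTO/impact-tolerance distinction and the scenario-based tolerance setting described above concrete, here is an added Python example (not code from the article or from Ansarada GRC). It classifies disruption scenarios against a service's RTO and impact tolerance; the customer-count threshold and the scenarios are constructed values, and only the two-hour RTO / four-hour tolerance for deposit services comes from the text.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ServiceTolerance:
    """Tolerances for one important business service (durations in minutes)."""
    service: str
    rto_minutes: int             # RTO: the restoration time the organization targets
    max_outage_minutes: int      # impact tolerance: maximum tolerable duration
    max_customers_affected: int  # impact tolerance: maximum tolerable scale of harm


@dataclass(frozen=True)
class Scenario:
    """One disruption scenario, measured before any mitigating action is applied."""
    name: str
    service: str
    outage_minutes: int
    customers_affected: int


def assess(tol: ServiceTolerance, sc: Scenario) -> str:
    """Return 'within_rto', 'rto_missed' (late but still tolerable) or 'tolerance_breached'."""
    if sc.service != tol.service:
        raise ValueError(f"scenario {sc.name!r} is not for service {tol.service!r}")
    # Either the duration or the scale of harm exceeding tolerance is a breach.
    if sc.outage_minutes > tol.max_outage_minutes or sc.customers_affected > tol.max_customers_affected:
        return "tolerance_breached"
    if sc.outage_minutes > tol.rto_minutes:
        return "rto_missed"
    return "within_rto"


def headroom_minutes(tol: ServiceTolerance, sc: Scenario) -> int:
    """Minutes of outage left before the duration tolerance is breached (negative once breached)."""
    return tol.max_outage_minutes - sc.outage_minutes


def scenario_report(tols: Dict[str, ServiceTolerance], scenarios: List[Scenario]) -> Dict[str, str]:
    """Classify every scenario against the tolerance of the service it disrupts."""
    return {sc.name: assess(tols[sc.service], sc) for sc in scenarios}


# Deposit services: two-hour RTO, four-hour tolerance (from the text); 50,000 customers is assumed.
TOLERANCES = {"deposits": ServiceTolerance("deposits", 120, 240, 50_000)}
SCENARIOS = [  # constructed scenarios for illustration
    Scenario("core banking patch rollback", "deposits", 90, 12_000),
    Scenario("data centre failover", "deposits", 180, 30_000),
    Scenario("payments hub outage", "deposits", 300, 30_000),
    Scenario("branch network loss", "deposits", 60, 80_000),
]
```

Running `scenario_report(TOLERANCES, SCENARIOS)` shows the three outcomes side by side: a scenario can miss the RTO yet stay within tolerance, and a short outage can still breach tolerance on scale of harm alone.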

See also: Operational Resilience Strategy

 

The future of impact tolerance


Impact tolerance/operational resilience is becoming one of the most important risk and corporate compliance elements of modern organizations. Regulators across the globe are increasingly scrutinizing the ability of organizations to manage, adapt to, and recover from operational disruptions. So, whatever the size of your organization you must have plans in place to resume functionality in the event of a major disruption. 


Impact on the Financial Services industry


The financial services industry in particular is impacted by regulation around impact tolerance and operational resilience. While not every country or every industry has implemented these changes, it appears likely that they will. The practices developed in the financial sector should be treated as indicators of where regulation is heading more generally.


How to create an impact tolerance operational resilience framework


An impact tolerance operational resilience framework has a vital and growing role to play in your organization. Creating one that functions well is important to your organization overall. 

This framework must include assessing your resilience against set impact tolerances, including methodologies for identifying key business services. To do this, the organization must be able to:

  • Identify and protect itself from potential risks; 
  • Respond and adapt quickly to crises, shocks, and disruptions;
  • Minimize impact on customers;
  • Minimize impact on the delivery of business-critical operations; and
  • Maintain strong operations outside of the area impacted by crisis or disruption.

Your impact tolerance operational resilience approach should blend enterprise risk, actuarial, and modeling with data and resilience expertise in order to deliver a fully integrated system that ties operational risk, risk transfer, and resilience capabilities together. This system must represent a single solution that can bring all of these elements together in a compliant, efficient, and effective way.

A strong operational resilience solution, such as Ansarada GRC, is an important tool to execute your impact tolerance assessments as part of your operational resilience framework. It will allow your organization to respond to disruptions quickly and flexibly, and to be able to work within your own identified impact tolerance levels. 


Use Ansarada GRC to:

  • Define what is an ‘inconvenience’ vs. ‘intolerable harm’, and establish tolerance levels across processes and resources
  • Use the Impact Time Matrix to measure the impact against the duration the service is not working
  • Put in controls and mitigants to ensure you can maintain critical operations within tolerance levels
  • Be able to confidently demonstrate this to APRA
  • Once tolerances are established, conduct regular scenario testing to calibrate impact tolerances

Boost your impact tolerance & operational resilience

Book a demo of Ansarada GRC's Operational Resilience software today.