Impact tolerance is the quantified level of disruption that a critical business service can accommodate or absorb before the disruption creates a significant impact or harm on the organisation or its customers. The impact could be financial, operational, regulatory, etc. Regulators are now mandating that financial services organisations quantify these impact tolerances in terms of time or other measures such as volume or value.
Setting impact tolerances helps the organisation in the following ways:
- Supporting the firm in prioritising investments and resource allocation
- Providing the firm with a clear scope when it wants to test its operational resilience readiness
- Providing the board and senior management with a clear picture to drive resilience
Other, more specific benefits of having impact tolerances are:
- The ability to define alternative processes and procedures in case the primary system fails
- The ability to come up with substitute options for delivering the important business service
Impact tolerance, risk appetite and recovery time objective are often confused, and many of us treat them as the same thing. Risk appetite is the level of risk the organisation is willing to accept should the risk occur. An impact tolerance, by contrast, operates on the premise that the risk will occur and pushes the organisation to focus on improving its operational resilience. Similarly, a recovery time objective (RTO) is a time-based metric measuring how long it takes to restore a process to operation, whereas an impact tolerance focuses on preventing harm to consumers and to the organisation itself.
As a practice, organisations need to set and review their impact tolerances at least once a year. They should also revisit the impact tolerances whenever there is a material change to their business or the environment in which they operate.
The UK's Financial Conduct Authority has given guidance on the factors to be considered when setting impact tolerances. These factors include the following:
- Nature of the client base, including consideration of vulnerability
- Number of clients that may be adversely impacted
- Potential financial loss to clients
- Potential financial loss to the firm where this could harm the firm’s clients or pose a risk to the resilience of the UK financial system
- Potential level of reputational damage to the firm where this could harm the firm’s clients or pose a risk to the resilience of the UK financial system
- Potential impact on the market or consumer confidence
- Risk of contagion to other business services, other firms or the UK financial system
- Potential loss of functionality or access for clients
- Potential loss of confidentiality, integrity or availability of data
- Potential aggregate impact of disruptions to multiple important business services
- Firms can also consider:
  a) Typical time frames in which harm could occur
  b) Complaint levels and volume of client contact
  c) Estimated time to recovery
Setting impact tolerances at multiple thresholds, and monitoring exposures against them over a period of time, helps organisations understand the right level of tolerance.
To discuss your impact tolerance issues or operational resilience needs further, please contact us here.