Impact tolerance

What Is Impact Tolerance?

Impact tolerance is the maximum tolerable level of disruption that an organization can endure for an important business service before causing unacceptable harm to its clients, stakeholders, or the financial system.60, 61, 62 This concept is a cornerstone within the broader field of Operational resilience, representing a proactive shift in financial risk management.59 Rather than solely focusing on preventing disruptions, impact tolerance acknowledges that unforeseen events are inevitable and mandates that firms define clear limits for how much disruption they can withstand.57, 58 By setting an impact tolerance, financial institutions establish critical thresholds for key services, ensuring they can continue delivering essential functions even during severe but plausible disruptions.56 The goal is to identify the point at which disruptions transition from inconvenient to genuinely harmful, impacting consumers, market integrity, or the firm's safety and soundness.54, 55

History and Origin

The evolution of operational resilience, and with it, impact tolerance, gained significant traction following major financial disruptions. Historically, the focus in financial services was primarily on disaster recovery and Business continuity planning, emphasizing post-event restoration rather than proactive mitigation.53 However, the increasing complexity of global financial systems, the proliferation of digital technologies, and the rise in cyber threats necessitated a more robust approach.51, 52

A pivotal moment was the 2008 financial crisis, which exposed vulnerabilities across the interconnected global financial system. The crisis, characterized by a severe contraction of liquidity and widespread panic, underscored the need for financial institutions to withstand systemic shocks beyond traditional financial stability measures.50 In response to such events and growing operational incidents, regulatory bodies began to develop more stringent requirements. In July 2018, UK financial regulatory authorities (the Bank of England, Prudential Regulation Authority, and Financial Conduct Authority) jointly introduced the term "operational resilience" into the regulatory landscape through a discussion paper, which also outlined the concept of impact tolerance.46, 47, 48, 49 This led to formalized policies and guidance, with the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) in the UK mandating impact tolerance assessments as part of operational resilience programs.44, 45 Globally, the Basel Committee on Banking Supervision (BCBS) further solidified this approach by issuing its "Principles for Operational Resilience" in March 2021, aiming to strengthen banks' ability to absorb operational risk and maintain critical operations through disruptive events like pandemics, cyber incidents, and technology failures.41, 42, 43 This marked a shift from merely preventing incidents to preparing for and recovering from them effectively.

Key Takeaways

  • Impact tolerance defines the maximum permissible level of disruption to an important business service.
  • It is a core component of Operational resilience frameworks in the financial sector, designed to protect consumers and market integrity.
  • Firms must identify their critical services and set specific, measurable impact tolerances, often including a time-based metric.40
  • Setting impact tolerances requires firms to assume disruptions will occur and to plan their response and recovery capabilities accordingly.39
  • Regular Scenario testing is crucial to ensure a firm can remain within its defined impact tolerances.

Interpreting the Impact Tolerance

Interpreting impact tolerance involves understanding the point at which a disruption to an important business service becomes intolerable. This is not merely about inconvenience but about preventing severe, irrecoverable harm to clients, jeopardizing a firm's safety and soundness, or posing a risk to the wider Financial stability.37, 38

When an organization sets an impact tolerance, it typically quantifies the acceptable limits of disruption using various metrics. These can include:

  • Maximum tolerable duration: The longest period a service can be unavailable or degraded (e.g., payment systems must be restored within 4 hours).35, 36
  • Data loss limits: The maximum amount of data that can be lost without causing intolerable harm.
  • Volume or value thresholds: The maximum number or value of transactions that can be unprocessed.
  • Customer impact: The maximum number of customers or the severity of harm to customers.33, 34

The process of setting and interpreting impact tolerances compels firms to shift their mindset from simply minimizing the probability of disruption to actively managing the consequences of disruption. It requires a deep understanding of the interdependencies between people, processes, technology, and third parties that support critical business services.32 A firm's ability to operate within its defined impact tolerances indicates its resilience in the face of adverse events, serving as a key indicator for regulators and stakeholders alike.31

Hypothetical Example

Consider "SecurePay Financial," a hypothetical digital bank that processes millions of online payments daily. SecurePay identifies its "real-time payment processing" as an important business service because its disruption could cause immediate and widespread financial harm to customers and impact broader Financial markets.

SecurePay's board, in consultation with its Risk management team, sets an impact tolerance for real-time payment processing:

  • Maximum tolerable duration of disruption: 2 hours.
  • Maximum tolerable volume of unprocessed payments: 50,000 transactions.
  • Maximum tolerable financial loss to customers (recoverable by SecurePay): $1 million.

One day, a severe cyberattack targets SecurePay's payment processing system.

  1. Initial disruption: Payment processing halts. The incident response team is immediately activated.
  2. Hour 1: Systems are offline. Unprocessed payments quickly accumulate, nearing 25,000. SecurePay initiates its emergency protocol, diverting traffic to a backup data center.
  3. Hour 1.5: The backup system is partially online, processing payments at a reduced rate. Unprocessed transactions peak at 45,000.
  4. Hour 2: The primary system is restored to full functionality. All pending transactions begin to clear. The total duration of significant disruption was 2 hours, exactly at the impact tolerance limit. The volume of unprocessed payments remained below 50,000. While some customers experienced delays, the financial loss was within the recoverable threshold due to prompt action.

In this scenario, SecurePay remained within its impact tolerance on all three metrics, demonstrating operational resilience despite a severe cyberattack. Defining the limits in advance let the team prioritize its response (fail over first, restore the primary second) and recover before intolerable harm occurred. One caveat applies to cyber scenarios specifically, as opposed to a hardware or power failure: restoration within the tolerance has to be to a state known to be clean. Failing over to a backup site that shares the compromised credentials, images, or replicated data, or bringing the primary back before the intrusion is contained, can turn a timing breach into a far worse integrity breach. Scenario tests for cyber events should therefore budget for containment and verification time, not only for failover time.
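The metrics listed under "Interpreting the Impact Tolerance" and the SecurePay timeline above can be checked mechanically, which is what a scenario test amounts to in practice. The following is an added example, not code from the original page or from any regulator: it models the hypothetical SecurePay service as a queue (transactions arrive at a steady rate, nothing is processed until a backup site takes traffic at reduced capacity, then the primary returns at full capacity) and compares the outcome against the three tolerances. The arrival rate, site capacities, and the per-transaction-hour harm figure are constructed assumptions; the tolerances are the ones from the example. The point it adds is that "disruption ended" is ambiguous: measured to the moment the primary is restored, the scenario passes, but measured to the moment the backlog is actually drained it breaches the 2-hour limit.

```python
"""Scenario test: does an outage timeline stay within impact tolerances?

Added example, not code from the original page. It models the hypothetical
SecurePay payment service as a queue: transactions arrive at a steady rate,
nothing is processed until a backup site takes traffic at reduced capacity,
and the primary site later returns at full capacity. Every number below is a
constructed assumption chosen to resemble the page's scenario.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tolerance:
    max_duration_min: float       # longest tolerable disruption
    max_backlog_txns: float       # most unprocessed transactions at any moment
    max_customer_loss_usd: float  # most tolerable (recoverable) customer harm


@dataclass(frozen=True)
class Scenario:
    arrival_per_min: float          # normal inbound transaction rate
    failover_at_min: float          # backup site starts taking traffic
    backup_capacity_per_min: float  # backup throughput (below arrivals here)
    restore_at_min: float           # primary site back at full capacity
    full_capacity_per_min: float    # primary throughput
    loss_per_txn_hour_usd: float    # assumed harm per transaction-hour of delay


def capacity_at(s: Scenario, t: float) -> float:
    """Processing capacity in effect at minute t of the scenario."""
    if t < s.failover_at_min:
        return 0.0
    if t < s.restore_at_min:
        return s.backup_capacity_per_min
    return s.full_capacity_per_min


def simulate(s: Scenario, horizon_min: float = 24 * 60) -> dict:
    """Step the queue one minute at a time until the backlog is fully drained.

    Returns the peak backlog, the minute at which the backlog reached zero,
    and the accumulated transaction-minutes of delay (the harm proxy).
    """
    backlog = peak = delayed_txn_min = 0.0
    t = 0.0
    while t < horizon_min:
        backlog += s.arrival_per_min                # one minute of arrivals
        backlog -= min(backlog, capacity_at(s, t))  # one minute of processing
        t += 1.0
        peak = max(peak, backlog)
        delayed_txn_min += backlog                  # every queued txn waits 1 min
        if backlog == 0.0:
            return {"peak_backlog": peak, "cleared_at_min": t,
                    "delayed_txn_min": delayed_txn_min}
    raise RuntimeError("backlog never drained within the horizon: capacity < arrivals")


def evaluate(s: Scenario, tol: Tolerance, measure_to_clear: bool) -> dict:
    """Compare the simulated outcome against each tolerance metric.

    measure_to_clear selects the definition of 'disruption ended': the minute
    the primary site was restored, or the minute the backlog was drained.
    """
    r = simulate(s)
    duration = r["cleared_at_min"] if measure_to_clear else s.restore_at_min
    loss = r["delayed_txn_min"] / 60.0 * s.loss_per_txn_hour_usd
    checks = {
        "duration": duration <= tol.max_duration_min,
        "backlog": r["peak_backlog"] <= tol.max_backlog_txns,
        "customer_loss": loss <= tol.max_customer_loss_usd,
    }
    return {"duration_min": duration, "peak_backlog": r["peak_backlog"],
            "customer_loss_usd": loss, "checks": checks,
            "within_tolerance": all(checks.values())}


# Constructed numbers: tolerances from the page's SecurePay example; traffic,
# capacities and the harm rate are assumptions chosen to resemble its timeline.
SECUREPAY_TOLERANCE = Tolerance(max_duration_min=120, max_backlog_txns=50_000,
                                max_customer_loss_usd=1_000_000)
CYBERATTACK = Scenario(arrival_per_min=400, failover_at_min=60,
                       backup_capacity_per_min=100, restore_at_min=120,
                       full_capacity_per_min=1_200, loss_per_txn_hour_usd=10)

if __name__ == "__main__":
    for to_clear in (False, True):
        res = evaluate(CYBERATTACK, SECUREPAY_TOLERANCE, measure_to_clear=to_clear)
        label = "backlog drained" if to_clear else "primary restored"
        print(f"disruption measured to {label}: {res}")
```

With these constructed inputs the backlog peaks at 42,000 transactions (within the 50,000 limit) and the primary returns at minute 120, but the queue is not empty until minute 173, so the same incident passes or breaches the duration tolerance depending on which definition the board adopted. That definition, and whether backlog clearance is part of "restored", is worth settling when the tolerance is set rather than during the incident.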

Practical Applications

Impact tolerance is a crucial element of modern regulatory frameworks, particularly within the financial services industry. In the UK, the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) require firms to identify important business services and set impact tolerances for them; in the United States, the Federal Reserve and the other federal banking agencies have issued interagency sound-practices guidance that likewise expects large firms to set tolerances for disruption to their critical operations.28, 29, 30 This enables supervisors to assess a firm's capacity to withstand and recover from significant operational disruptions.

Key practical applications include:

  • Regulatory Compliance: Firms must demonstrate to regulatory bodies their ability to operate within defined impact tolerances, often requiring detailed self-assessments, mapping of processes, and Scenario testing.26, 27
  • Strategic Investment: By understanding the maximum acceptable disruption, firms can prioritize investments in technology, infrastructure, and Cybersecurity to strengthen critical operations. This helps ensure resources are allocated effectively to build resilience where it matters most.25
  • Third-Party Risk Management: As financial services increasingly rely on external vendors and providers, impact tolerance extends to managing Third-party risk. Firms must assess how disruptions to their third-party relationships could impact their own ability to stay within their tolerances.24 The Federal Reserve, for instance, has issued guidance to community banks on assessing threats when connecting with financial technology (fintech) companies, emphasizing the importance of due diligence in these third-party arrangements.23
  • Incident Response and Recovery: Impact tolerances provide clear targets for incident response teams, guiding their efforts to restore services and minimize harm during a crisis. In practice this means translating each tolerance into pre-agreed trigger points (an elapsed time or a backlog level, for example) at which failover or invocation of contingency arrangements is decided, so that the decision is taken against a known threshold rather than debated mid-incident.
  • Enhanced Governance and Oversight: Boards and senior management are responsible for reviewing and approving impact tolerances, which creates a better understanding of the firm's true resilience posture and fosters a culture of preparedness.20, 21, 22

Limitations and Criticisms

While impact tolerance represents a significant advancement in Operational resilience, its implementation can present challenges and is not without its nuances. One limitation stems from the difficulty in precisely quantifying "intolerable harm," which can be subjective and vary based on the nature of the business service and its consumer base.19 Firms may struggle with the availability of granular data needed to accurately identify different points of harm and to quantify the potential disruption in measurable terms.18

Furthermore, the process of setting impact tolerances can be complex for large, diverse organizations with numerous interconnected business services and dependencies. A tolerance also has to hold across the whole year: the same outage causes more harm on a payroll day or at a month-end settlement peak than on a quiet afternoon, so firms must either set the tolerance for the worst plausible timing or define how it varies.16, 17 There is also the challenge of integrating impact tolerances with existing Risk management frameworks, particularly regarding how they relate to a firm's overall Risk appetite and other established metrics like Recovery time objective. While impact tolerances are intended to be complementary, their distinct focus on outcome-based objectives versus likelihood or restoration time requires careful alignment to avoid confusion or duplication of effort.

Impact Tolerance vs. Risk Appetite

Impact tolerance and Risk appetite are both integral components of a firm's overall Enterprise risk management framework, but they serve distinct purposes. Risk appetite defines the amount and type of risk an organization is willing to accept in pursuit of its strategic objectives. It considers both the likelihood and potential impact of risks, setting boundaries for risk-taking activities across the entire enterprise.14, 15 For example, a firm might have a high risk appetite for innovation but a very low risk appetite for regulatory non-compliance.

In contrast, impact tolerance operates under the premise that a disruptive event will occur. It focuses specifically on the consequences of a disruption to an important business service, defining the maximum tolerable level of harm or outage that can be endured before unacceptable outcomes materialize.10, 11, 12, 13 Risk appetite is forward-looking and preventative at its core; impact tolerance is set in advance but applied to an event that has already taken place, guiding how a firm should respond and recover from a severe but plausible disruption. While risk appetite helps determine which risks to take and how much, impact tolerance dictates how much disruption can be absorbed for critical services when a risk materializes, without causing intolerable harm.

FAQs

What is the primary purpose of setting impact tolerances?

The primary purpose of setting impact tolerances is to help financial firms understand the maximum level of disruption they can withstand for important business services before causing intolerable harm to clients or posing a risk to Financial markets.8, 9 It shifts the focus from merely preventing disruptions to preparing for and recovering from them effectively.

How do regulators use impact tolerances?

Regulators use impact tolerances as a key tool to assess the Operational resilience of financial institutions. They expect firms to identify critical services, set measurable impact tolerances, and regularly test their ability to remain within these thresholds during severe but plausible scenarios. This helps ensure the stability of the financial system and protection of consumers.6, 7

Is impact tolerance the same as a recovery time objective (RTO)?

No, impact tolerance is not the same as a Recovery time objective (RTO). An RTO is a specific, time-based target for restoring a particular system or process after a disruption.4, 5 Impact tolerance is a broader concept that focuses on the maximum tolerable level of disruption to an entire important business service, including factors beyond just time, such as data integrity or customer impact. The two can disagree: every system supporting a service can meet its RTO while the service still breaches its tolerance, for instance if the backlog built up during the outage takes longer to clear than the tolerance allows. While RTO can be a metric used within an impact tolerance, impact tolerance provides a more holistic view of acceptable harm.3

What types of disruptions does impact tolerance address?

Impact tolerance addresses a wide range of operational disruptions, including Cybersecurity incidents, technology failures, natural disasters, third-party service provider outages, and even pandemics. It acknowledges that such events are inevitable and aims to ensure a firm can continue to deliver critical operations regardless of the specific cause of the disruption.1, 2