Setting Impact Tolerances: A Practical Guide for Operational Resilience Implementation

[OR] [P2] [S3] [ITo] [C10] Governance, Ownership, and Accountability


Moh Heng Goh
Operational Resilience Certified Planner-Specialist-Expert


Introduction

Impact tolerance is not merely a technical or analytical output—it is a governance commitment. It defines the level of disruption an organisation is willing to accept and therefore reflects its risk appetite, customer obligations, and regulatory responsibilities.

Without clear governance, ownership, and accountability, impact tolerances risk becoming theoretical targets that are neither enforced nor embedded into decision-making.

Regulators increasingly expect organisations to demonstrate that impact tolerances are owned, approved, monitored, and regularly reviewed at the highest levels.

This chapter outlines how governance structures, defined roles, and accountability frameworks ensure that impact tolerance is operationalised, sustained, and defensible.

Purpose of the Chapter

The purpose of this chapter is to:

  • Define governance structures for impact tolerance
  • Clarify roles and responsibilities across the organisation
  • Establish ownership of Critical Business Services (CBS) and Sub-CBS
  • Outline approval and review processes
  • Highlight documentation and audit requirements

Board and Senior Management Responsibilities

Role of the Board

The Board of Directors holds ultimate accountability for operational resilience, including the approval of impact tolerances.

Key Responsibilities:

  • Approve the organisation’s operational resilience framework
  • Endorse impact tolerance thresholds for critical services
  • Ensure alignment with risk appetite and strategic objectives
  • Oversee management’s implementation of resilience capabilities
  • Challenge assumptions and ensure tolerances are customer-centric and realistic

The Board must ensure that tolerances reflect not only operational capability but also customer expectations, regulatory requirements, and systemic responsibilities.

Role of Senior Management

Senior Management is responsible for translating Board expectations into operational execution.

Key Responsibilities:

  • Identify and prioritise Critical Business Services (CBS)
  • Ensure impact tolerances are defined, validated, and implemented
  • Allocate resources to maintain operations within tolerance
  • Oversee scenario testing and resilience improvements
  • Establish escalation protocols for tolerance breaches or near breaches

Senior Management must ensure that tolerances are not static but are continuously monitored and refined.

Three Lines of Defence Model

The governance of impact tolerance should align with the Three Lines of Defence (3LoD) model to ensure effective control, oversight, and assurance.

First Line of Defence – Business and Operations

Ownership Role

  • Own and manage CBS and Sub-CBS
  • Define and propose impact tolerances
  • Ensure operational capability to remain within tolerance
  • Execute recovery and continuity measures during disruptions

Key Accountability:

Deliver services within defined impact tolerance thresholds

Second Line of Defence – Risk and Compliance

Oversight Role

  • Define policies, frameworks, and methodologies
  • Review and challenge impact tolerance definitions
  • Ensure alignment with risk appetite and regulatory expectations
  • Monitor adherence and report breaches

Key Accountability:

Ensure impact tolerances are appropriate, consistent, and compliant

Third Line of Defence – Internal Audit

Assurance Role

  • Independently assess the effectiveness of the impact tolerance framework
  • Validate governance, processes, and controls
  • Review evidence supporting tolerance setting and testing
  • Identify gaps and recommend improvements

Key Accountability:

Provide independent assurance that tolerances are robust and effective

Ownership of CBS and Sub-CBS

Clear ownership is critical to ensuring accountability for impact tolerance.

CBS Ownership

Each Critical Business Service must have a designated Service Owner.

Responsibilities of CBS Owner:

  • Define service scope and boundaries
  • Propose impact tolerance thresholds
  • Ensure mapping of dependencies
  • Oversee scenario testing and performance monitoring
  • Escalate issues and initiate remediation

Sub-CBS Ownership

Sub-CBS ownership may be distributed across functional areas.

Responsibilities of Sub-CBS Owners:

  • Manage specific service components
  • Provide input on tolerance setting
  • Maintain operational capability within defined thresholds
  • Support dependency mapping and scenario testing

Supporting Roles

Role                 Responsibility
-------------------  ------------------------------------------
Technology Owner     System availability, recovery capability
Operations Owner     Process execution and manual workaround
Third-Party Owner    Vendor performance and resilience
Risk Owner           Alignment with risk appetite
Compliance Owner     Regulatory adherence

Key Principle

Every CBS and Sub-CBS must have clear, named ownership, with accountability for operating within impact tolerance.

Approval and Review Processes

Impact tolerance must be formally approved and periodically reviewed.

Approval Process

A structured approval process ensures that tolerances are:

  • Validated by relevant stakeholders
  • Supported by evidence and analysis
  • Aligned with organisational risk appetite

Typical Approval Workflow

  • Preparation
      • CBS identification
      • Dependency mapping
      • Scenario analysis
  • Validation
      • Cross-functional stakeholder review
      • Risk and compliance challenge
  • Recommendation
      • Consolidation of tolerance proposals
  • Approval
      • Senior Management approval
      • Board approval for critical services (where required)

Review Process

Impact tolerances must be reviewed regularly to remain relevant.

Review Triggers:

  • Major incidents or disruptions
  • Scenario testing outcomes
  • Changes in business model or services
  • Technology or system changes
  • New or updated regulatory requirements
  • Significant changes in customer expectations

Review Frequency

  • Annual review (minimum baseline)
  • Ad-hoc review triggered by events or changes

Monitoring and Escalation

Governance must include mechanisms for ongoing monitoring and escalation.

Monitoring Requirements

  • Real-time or near real-time tracking of service performance
  • Early warning indicators (e.g., backlog, system degradation)
  • Threshold monitoring against defined tolerances

Escalation Framework

Condition                        Action
-------------------------------  ----------------------------------------------------
Approaching the tolerance limit  Notify management, activate mitigation
Near breach                      Escalate to senior management
Breach                           Activate crisis management and regulatory reporting

Key Principle

Impact tolerance must be actively managed, not passively documented
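The monitoring and escalation mechanism above can be made concrete as a small tolerance monitor. The following Python is an added example, not code from the guide or from BCM Institute: it models a few rows of an Impact Tolerance Register (named owner, approved maximum outage, approving body), measures how much of each tolerance an open disruption has consumed, and maps the result onto the escalation framework's three conditions. The register entries, service names and disruption times are constructed, and the trigger points (70% of tolerance consumed for "approaching", 90% for "near breach") are assumptions for illustration; the guide leaves those values to the organisation's own approval process.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class ToleranceStatus(Enum):
    WITHIN = "within tolerance"
    APPROACHING = "approaching the tolerance limit"
    NEAR_BREACH = "near breach"
    BREACH = "breach"


# Escalation actions follow the escalation framework table in this chapter.
ACTIONS = {
    ToleranceStatus.WITHIN: "Continue monitoring",
    ToleranceStatus.APPROACHING: "Notify management, activate mitigation",
    ToleranceStatus.NEAR_BREACH: "Escalate to senior management",
    ToleranceStatus.BREACH: "Activate crisis management and regulatory reporting",
}

# Assumed trigger points, as a fraction of the tolerance consumed. The guide does not
# prescribe numbers; these are constructed for the example and would in practice be
# set and approved through the organisation's own governance process.
APPROACHING_AT = 0.70
NEAR_BREACH_AT = 0.90


@dataclass(frozen=True)
class ToleranceEntry:
    """One row of the Impact Tolerance Register (constructed structure)."""
    service: str            # CBS or Sub-CBS name
    owner: str              # named owner accountable for operating within tolerance
    max_outage: timedelta   # impact tolerance expressed as the maximum tolerable outage
    approved_by: str        # approving body recorded in the governance records


@dataclass(frozen=True)
class Disruption:
    service: str
    started_at: datetime


def elapsed_outage(disruption: Disruption, now: datetime) -> timedelta:
    """Time the service has been disrupted so far (never negative)."""
    return max(now - disruption.started_at, timedelta(0))


def tolerance_consumed(entry: ToleranceEntry, disruption: Disruption, now: datetime) -> float:
    """Fraction of the service's impact tolerance used up by the disruption."""
    return elapsed_outage(disruption, now) / entry.max_outage


def classify(consumed: float) -> ToleranceStatus:
    """Map the consumed fraction onto the escalation framework's conditions."""
    if consumed >= 1.0:
        return ToleranceStatus.BREACH
    if consumed >= NEAR_BREACH_AT:
        return ToleranceStatus.NEAR_BREACH
    if consumed >= APPROACHING_AT:
        return ToleranceStatus.APPROACHING
    return ToleranceStatus.WITHIN


def assess(register: dict, disruption: Disruption, now: datetime) -> dict:
    """Evaluate one disruption against the register and return the escalation record."""
    if disruption.service not in register:
        # A disrupted service with no register entry is itself a governance finding:
        # it has no named owner and no approved tolerance to measure against.
        raise KeyError(f"no impact tolerance registered for {disruption.service!r}")
    entry = register[disruption.service]
    consumed = tolerance_consumed(entry, disruption, now)
    status = classify(consumed)
    remaining = entry.max_outage - elapsed_outage(disruption, now)
    return {
        "service": entry.service,
        "owner": entry.owner,
        "consumed": round(consumed, 3),
        "remaining_minutes": int(remaining.total_seconds() // 60),  # negative once breached
        "status": status,
        "action": ACTIONS[status],
    }


def escalation_queue(register: dict, disruptions: list, now: datetime) -> list:
    """Assess all open disruptions, most tolerance consumed first."""
    records = [assess(register, d, now) for d in disruptions]
    return sorted(records, key=lambda r: r["consumed"], reverse=True)


# Constructed sample register and disruptions (illustrative names and values only).
SAMPLE_REGISTER = {
    "Retail Payments": ToleranceEntry("Retail Payments", "Head of Payments", timedelta(hours=4), "Board"),
    "Customer Onboarding": ToleranceEntry("Customer Onboarding", "Head of Retail Operations",
                                          timedelta(hours=24), "Senior Management"),
}

SAMPLE_DISRUPTIONS = [
    Disruption("Retail Payments", datetime(2024, 3, 1, 10, 0)),
    Disruption("Customer Onboarding", datetime(2024, 3, 1, 8, 0)),
]

if __name__ == "__main__":
    now = datetime(2024, 3, 1, 13, 0)
    for record in escalation_queue(SAMPLE_REGISTER, SAMPLE_DISRUPTIONS, now):
        print(f"{record['service']} ({record['owner']}): {record['status'].value}, "
              f"{record['consumed']:.0%} used, {record['remaining_minutes']} min left -> {record['action']}")
```

Run against the constructed data at 13:00, the queue puts Retail Payments first (three hours of a four-hour tolerance consumed, so "approaching the tolerance limit" with 60 minutes left and a notify-and-mitigate action), with Customer Onboarding still within tolerance. The unknown-service check is deliberate: a disruption the register cannot place is exactly the "unclear ownership" failure this chapter warns about, and it should surface as an error rather than be silently skipped.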

Documentation Requirements

Proper documentation is essential for governance, audit, and regulatory compliance.

Key Documents

Document                    Purpose
--------------------------  ----------------------------------------------
CBS Register                List of all critical services
Impact Tolerance Register   Documented tolerances for each CBS/Sub-CBS
Dependency Maps             Supporting resource and interconnection data
Scenario Testing Reports    Evidence of tolerance validation
Governance Records          Approval and review documentation
Incident Reports            Evidence of actual performance vs tolerance

Documentation Principles

  • Clear and structured
  • Evidence-based
  • Consistently updated
  • Accessible for audit and regulatory review

Audit and Assurance Requirements

Regulators expect organisations to demonstrate that impact tolerance is not only defined but also effectively implemented.

Internal Audit Focus Areas

  • Governance structure and accountability
  • Accuracy and completeness of CBS identification
  • Validity of impact tolerance definitions
  • Evidence supporting tolerance thresholds
  • Effectiveness of scenario testing
  • Monitoring and escalation processes

Regulatory Expectations

Supervisors may assess:

  • Whether tolerances are realistic and defensible
  • Whether governance oversight is effective
  • Whether organisations can demonstrate compliance under stress scenarios
  • Whether remediation actions are tracked and completed

Integration with Operational Resilience Lifecycle

Governance and accountability span the entire lifecycle:

Lifecycle Stage   Governance Role
----------------  ------------------------------------------
Plan              Define policies, roles, and risk appetite
Implement         Assign ownership and set tolerances
Test              Oversee scenario testing and validation
Improve           Review outcomes and approve remediation

Common Challenges

Challenge                Description
-----------------------  -----------------------------------------------------
Unclear ownership        Lack of clear accountability for CBS
Siloed governance        Disconnect between business, technology, and risk
Weak challenge function  Limited oversight from the second line
Infrequent reviews       Tolerances become outdated
Poor documentation       Insufficient evidence for audit or regulators

Best Practices

  • Establish clear ownership at the CBS and Sub-CBS levels
  • Ensure active Board and Senior Management engagement
  • Embed impact tolerance into the risk appetite framework
  • Align governance with the Three Lines of Defence
  • Implement continuous monitoring and escalation mechanisms
  • Maintain robust documentation and audit trails
  • Conduct regular reviews and updates

Summing Up

Governance, ownership, and accountability are the pillars that transform impact tolerance from a defined threshold into a managed and enforceable discipline. Clear roles, structured approval processes, and robust oversight ensure that tolerances are not only defined but actively monitored, challenged, and improved.

By aligning governance with the Three Lines of Defence and embedding accountability at all levels—from the Board to operational teams—organisations can ensure that their impact tolerance framework is both credible and sustainable.

Ultimately, strong governance enables organisations to demonstrate to regulators, customers, and stakeholders that they are not only prepared for disruption but are capable of managing it within clearly defined and accountable limits.
