[OR] [P2] [S3] [ITo] [C15] Practical Case Study (Banking Sector Example)

[P2] [S3] Chapter 15

Practical Case Study (Banking Sector Example)

Introduction

Understanding the impact tolerance conceptually is important—but its true value is realised when applied in a real-world operational context.

In the banking sector, where customer trust, regulatory compliance, and systemic stability are critical, impact tolerance must be clearly defined, tested, and embedded into day-to-day operations.

This chapter provides a practical case study illustrating how a bank sets and applies impact tolerances for two common Critical Business Services (CBS):

• CBS-1: Deposit and Account Services
• CBS-2: Payments and Funds Transfer Services

The case study follows a structured, step-by-step approach aligned with the methodology outlined in earlier chapters.

Purpose of the Chapter

The purpose of this chapter is to:

• Demonstrate the practical application of impact tolerance methodology
• Illustrate step-by-step tolerance setting for key banking services
• Provide sample outputs, tables, and analysis
• Highlight lessons learned and common considerations

Overview of the Case Study

Bank Profile (Illustrative)

• Mid-to-large retail and commercial bank
• Multi-channel operations (branch, ATM, mobile, online)
• High transaction volumes in deposits and payments
• Heavy reliance on core banking systems and third-party networks

Selected Critical Business Services

Step-by-Step Tolerance Setting

Step 1: Identify Sub-CBS

CBS-1: Deposit Services

CBS-2: Payments Services

Step 2: Map Dependencies (Simplified View)

Step 3: Identify Impact Dimensions

The bank considers:

• Customer access to funds
• Transaction delays
• Regulatory compliance (e.g., payment settlement timelines)
• Financial exposure
• Systemic impact (especially for payments)

Step 4: Define Disruption Scenario

Scenario:

Core banking system outage affecting both deposit and payment services for several hours.

Step 5: Assess Impact Severity Over Time

Step 6: Determine Impact Tolerances

Sample Impact Tolerance Table

Step 7: Validate with Stakeholders

Stakeholders involved:

• Business heads (retail banking, payments)
• Technology teams
• Operations teams
• Risk and compliance
• Senior management

Outcome:

• Agreement that payment services require stricter tolerances than deposit services
• Identification of gaps in clearing and settlement resilience

Step 8: Governance Approval

• Senior Management approves tolerances
• Board reviews critical CBS tolerances (e.g., payments)
• Action plans assigned to responsible owners

Scenario Testing Results

Test Scenario

Simulated 4-hour core banking outage

Results

Key Observations

• ATM network dependency created delays in withdrawal recovery
• The clearing system lacked an alternate routing capability
• Payment backlog escalated rapidly after 2 hours

Analysis of Findings

Strengths

• Deposit services largely within tolerance
• Digital channels recovered faster than expected
• Strong coordination between operations and IT

Weaknesses

• Withdrawal services are heavily dependent on a single infrastructure
• Clearing and settlement lacked redundancy
• Third-party dependencies not fully aligned with tolerance

Root Causes

• Single points of failure in ATM and clearing systems
• Insufficient failover capability
• Limited third-party resilience arrangements

Remediation Actions

Lessons Learned

Service Criticality Matters

• Payment services require stricter tolerances due to systemic impact
• Not all CBS should have the same tolerance thresholds

Dependencies Drive Risk

• Third-party and infrastructure dependencies significantly affect outcomes
• Hidden dependencies can lead to unexpected failures

Scenario Testing Is Essential

• Realistic testing revealed gaps not identified during planning
• Near breaches highlighted areas needing improvement

Tolerances Must Be Evidence-Based

• Initial tolerances required adjustment after testing
• Data-driven refinement improves credibility

Continuous Improvement Is Critical

• Impact tolerance is not static
• Regular testing and updates are necessary

Practical Output Summary

This case study demonstrates how impact tolerance can be applied in a practical banking context.

By following a structured methodology—identifying CBS, mapping dependencies, defining tolerances, and validating through scenario testing—the organisation gains a clear understanding of its resilience capabilities.

The results highlight a key insight: impact tolerance is only as strong as the organisation’s ability to operate within it under stress.

Testing, analysis, and continuous improvement are essential to ensuring that tolerances are realistic, defensible, and aligned with both customer expectations and regulatory requirements.

Ultimately, this approach enables banks to move beyond compliance and build a robust, service-centric operational resilience capability that protects customers, maintains trust, and safeguards financial stability.