[P2] [S3] Chapter 6
Methodology for Setting Impact Tolerance
Introduction
Setting impact tolerance is one of the most important implementation activities in operational resilience.
It translates the organisation’s resilience ambition into measurable thresholds that define how much disruption to a Critical Business Service (CBS) can be tolerated before customer harm, regulatory breach, financial loss, reputational damage, or systemic impact becomes unacceptable.
Unlike traditional recovery metrics, impact tolerance is not set only by technology teams, business continuity teams, or operational risk teams. It requires a service-wide view that includes business owners, process owners, technology teams, cyber teams, third-party managers, compliance, risk, and senior management.
This chapter provides a practical step-by-step methodology for setting impact tolerances in a structured, repeatable, and evidence-based manner.
Purpose of the Chapter
The purpose of this chapter is to provide a practical methodology that enables organisations to:
- Identify the relevant CBS and Sub-CBS for tolerance setting
- Understand dependencies and resources supporting service delivery
- Define the impact dimensions that matter most
- Assess how the disruption severity increases over time
- Establish maximum tolerable thresholds
- Validate and approve tolerances through governance
- Refine tolerances iteratively as the organisation matures
Step 1: Identify CBS and Sub-CBS
The starting point for setting impact tolerance is the identification of Critical Business Services and their supporting Sub-CBS.
A CBS represents an end-to-end service that delivers value to customers, markets, regulators, or other key stakeholders. A Sub-CBS breaks the service into more specific service components that can be assessed and measured.
For example, a bank may define:
| CBS Code | Critical Business Service | Sub-CBS Examples |
| --- | --- | --- |
| CBS-1 | Deposit and Account Services | Account opening, deposit transactions, withdrawal processing, and account servicing |
| CBS-2 | Payments and Funds Transfer Services | Payment initiation, authentication, clearing, settlement, notification |
| CBS-3 | Lending and Credit Services | Loan approval, disbursement, repayment processing, and collateral monitoring |
Impact tolerance should be set at the level where disruption can be meaningfully measured. In many cases, this means setting tolerances at both the CBS and Sub-CBS levels.
Step 2: Map Dependencies and Resources
Once the CBS and Sub-CBS have been identified, the organisation must map the dependencies and resources required to deliver each service.
This step links directly to OR-P2-S2: Map Processes and Resources, where organisations identify the people, processes, technology, third parties, facilities, data, and interconnections that support critical service delivery.
A practical mapping table may include:
| Sub-CBS Code | Sub-CBS | Processes | People | Technology | Third Parties | Upstream / Downstream Dependencies |
| --- | --- | --- | --- | --- | --- | --- |
| 1.1 | Customer Onboarding | Application capture, screening, approval | Branch staff, onboarding team, compliance | CRM, core banking, eKYC platform | eKYC provider, credit bureau | KYC, account approval, digital access |
| 1.6 | Deposit Transactions | Deposit capture, validation, posting | Operations, branch, digital banking team | Core banking, ATM switch, mobile app | ATM network, payment gateway | Account balance, reporting, and reconciliation |
| 2.7 | Clearing and Settlement | Clearing file submission, settlement posting | Payments operations, treasury | Payment switch, RTGS interface | Clearing house, correspondent bank | Liquidity, reconciliation, customer notification |
Dependency mapping is essential because impact tolerance cannot be set realistically without understanding what enables the CBS to operate.
Step 3: Identify Impact Dimensions
The next step is to define the dimensions of impact that will be assessed during disruption.
Common impact dimensions include:
| Impact Dimension | Description |
| --- | --- |
| Customer Impact | Harm to customers, inability to access funds, delayed transactions, and service frustration |
| Regulatory Impact | Breach of laws, regulations, reporting obligations, supervisory expectations |
| Financial Impact | Direct loss, compensation, penalties, lost revenue, liquidity impact |
| Reputational Impact | Loss of public confidence, media exposure, and social media escalation |
| Operational Impact | Backlog, manual workaround limits, staffing strain, and control failure |
| Systemic Impact | Impact on market stability, payment systems, counterparties, or wider ecosystem |
| Data Impact | Loss, corruption, delay, or unavailability of critical data |
These dimensions should be tailored to the organisation’s business model, sector, jurisdiction, and customer base.
For financial institutions, customer harm and systemic impact are especially important because regulators expect impact tolerances to reflect more than internal recovery capability.
Step 4: Define Disruption Scenarios
Impact tolerance must be assessed against realistic and challenging disruption scenarios.
These scenarios should be severe but plausible, meaning they are demanding enough to test the resilience of the service but still credible given the organisation’s operating environment.
Examples include:
| Scenario Type | Example |
| --- | --- |
| Technology Failure | Core banking outage affecting deposit and withdrawal services |
| Cyber Incident | Ransomware attack disrupting digital payments |
| Third-Party Failure | Cloud service provider outage affecting online banking |
| People Unavailability | High absenteeism among payments operations staff |
| Facility Denial | The main operations centre is inaccessible due to a fire or a security incident |
| Data Integrity Issue | Incorrect account balances are displayed to customers |
| Market-Wide Disruption | Payment network outage affecting multiple banks |
The purpose of defining scenarios is not to set different tolerances for every possible incident. Instead, scenarios help the organisation understand how quickly harm escalates and whether existing capabilities can keep disruption within acceptable limits.
Step 5: Assess Impact Severity Over Time
Impact tolerance is time-sensitive. A disruption that is tolerable for 30 minutes may become unacceptable after four hours or one business day.
Organisations should assess how the impact severity changes over time.
A typical assessment may use time bands such as:
| Time Band | Assessment Focus |
| --- | --- |
| 0–30 minutes | Initial disruption, service alerts, and early customer inconvenience |
| 30 minutes–2 hours | Increased customer calls, transaction delays, and operational backlog |
| 2–4 hours | Material customer harm, regulatory concern, media attention |
| 4–8 hours | Significant service disruption, possible breach of tolerance |
| 8–24 hours | Severe customer, financial, operational, or systemic impact |
| More than 24 hours | Potential crisis, prolonged service failure, major regulatory escalation |
For each time band, the organisation should assess impact across the agreed dimensions. This helps identify the point at which disruption becomes unacceptable.
Step 6: Determine Maximum Tolerable Thresholds
The maximum tolerable threshold defines the point beyond which the disruption is no longer acceptable.
Impact tolerances may be expressed using one or more measurable criteria, such as:
| Tolerance Type | Example |
| --- | --- |
| Time-Based Threshold | CBS must not be unavailable for more than 4 hours |
| Volume-Based Threshold | No more than 5,000 failed transactions |
| Value-Based Threshold | No more than SGD 10 million in delayed payments |
| Customer-Based Threshold | No more than 10% of active customers affected |
| Service-Level Threshold | At least 80% of normal transaction capacity is maintained |
| Data-Loss Threshold | No more than 15 minutes of data loss |
| Backlog Threshold | Manual backlog must be cleared within one business day |
A strong impact tolerance statement combines measurable thresholds with service context.
Example:
“Payments and Funds Transfer Services must be restored or maintained to a minimum of 80% processing capacity within four hours, with no more than 5,000 delayed customer transactions and no breach of regulatory reporting obligations.”
This statement is more useful than a simple recovery time because it reflects customer impact, operational capacity, and regulatory consequences.
Step 7: Validate with Stakeholders
Impact tolerances must be validated with stakeholders who understand the service, its dependencies, and its consequences.
Key stakeholders include:
| Stakeholder | Validation Role |
| --- | --- |
| Business Service Owner | Confirms service criticality and customer impact |
| Operations Owner | Confirms practical delivery and manual workaround limits |
| Technology Owner | Confirms system recovery capability and infrastructure constraints |
| Risk Management | Reviews risk appetite and tolerance alignment |
| Compliance / Legal | Reviews regulatory and legal implications |
| Third-Party Risk Owner | Confirms vendor dependencies and contractual constraints |
| Finance | Reviews financial loss and liquidity implications |
| Crisis Management / BCM | Confirms escalation, recovery, and continuity arrangements |
| Senior Management | Challenges assumptions and confirms acceptability |
Validation should test whether the tolerance is:
- Realistic
- Measurable
- Defensible
- Aligned to risk appetite
- Supported by current capability
- Acceptable from a customer and regulatory perspective
Step 8: Obtain Governance Approval
Once validated, impact tolerances should be submitted for governance approval.
This ensures that tolerances are formally recognised, owned, and embedded into the organisation’s resilience framework.
Approval should include:
| Governance Element | Requirement |
| --- | --- |
| Service Ownership | Named accountable owner for each CBS |
| Tolerance Approval | Senior management or Board-level approval, where appropriate |
| Evidence Base | BIA, dependency mapping, scenario analysis, risk assessment |
| Remediation Actions | Actions required where the current capability falls short |
| Review Cycle | Defined frequency for review and update |
| Escalation Trigger | Process for escalation when tolerance is breached or likely to be breached |
Governance approval turns impact tolerance from an analytical output into an organisational commitment.
Integration with BCM Institute’s Plan → Implement Lifecycle
The methodology for setting impact tolerance should be integrated into BCM Institute’s broader operational resilience lifecycle.
| BCM Institute Lifecycle Stage | Relevance to Impact Tolerance |
| --- | --- |
| Plan | Establish governance, confirm risk appetite, and define methodology |
| Implement | Identify CBS, map dependencies, and set impact tolerances |
| Test | Validate tolerances through severe but plausible scenarios |
| Improve | Address gaps, refine tolerances, update capabilities |
Within the operational resilience implementation phase, setting impact tolerance sits after CBS identification and dependency mapping, and before scenario testing.
This sequence is important:
- Identify what is critical
- Map what supports it
- Define how much disruption is tolerable
- Test whether the organisation can remain within tolerance
- Improve where gaps are identified
Iterative Refinement Approach
Impact tolerance setting should not be treated as a one-time exercise. It must be refined as the organisation’s services, systems, risks, customers, and regulatory expectations evolve.
Tolerances should be reviewed when there are:
- New or changed CBS
- Major technology changes
- New third-party arrangements
- Regulatory changes
- Lessons from incidents or exercises
- Significant changes in transaction volumes or customer expectations
- Mergers, acquisitions, outsourcing, or cloud migration
A mature organisation improves its tolerance over time by using:
| Input | How It Refines Tolerance |
| --- | --- |
| Scenario Testing Results | Confirms whether tolerances are achievable |
| Incident Data | Shows actual disruption patterns and weaknesses |
| Customer Complaints | Highlights harm thresholds and service pain points |
| Regulatory Feedback | Clarifies supervisory expectations |
| Audit Findings | Identifies documentation or control gaps |
| Technology Metrics | Improves understanding of recovery and capacity limits |
| Third-Party Performance | Tests dependency reliability and contractual resilience |
Practical Output: Impact Tolerance Methodology Summary
| Step | Activity | Key Output |
| --- | --- | --- |
| 1 | Identify CBS and Sub-CBS | CBS register |
| 2 | Map dependencies and resources | Dependency and resource map |
| 3 | Identify impact dimensions | Impact assessment criteria |
| 4 | Define disruption scenarios | Severe but plausible scenario set |
| 5 | Assess impact severity over time | Time-based impact profile |
| 6 | Determine maximum tolerable thresholds | Draft impact tolerance statement |
| 7 | Validate with stakeholders | Stakeholder-reviewed tolerance |
| 8 | Obtain governance approval | Approved impact tolerance register |
A structured methodology is essential for setting meaningful impact tolerances. Without a disciplined approach, tolerances may become arbitrary, unrealistic, or disconnected from actual service delivery capability.
The methodology outlined in this chapter begins with Critical Business Services, moves through dependency mapping and impact assessment, and concludes with validated and approved tolerance statements. It ensures that impact tolerances are not merely compliance artefacts but practical thresholds that guide resilience investment, scenario testing, incident response, and management decision-making.
Ultimately, impact tolerance setting is an iterative capability. As the organisation’s risk environment changes, its tolerances must be reviewed, challenged, and refined to ensure that critical services remain resilient under severe but plausible disruption.














