[P2] [S3] Chapter 7
Impact Tolerance Assessment Framework
Introduction
![[OR] [P2] [S3] [ITo] [C7] Impact Tolerance Assessment Framework](https://no-cache.hubspot.com/cta/default/3893111/abf28462-aba4-4970-81be-55cf66dc6147.png)
Once impact tolerances have been defined, organisations must establish a structured framework to assess, document, and evaluate them consistently across all Critical Business Services (CBS).
Without a standardised framework, tolerance setting becomes subjective, inconsistent, and difficult to validate during regulatory reviews or internal audits.
An effective Impact Tolerance Assessment Framework ensures that:
- All CBS and Sub-CBS are assessed using consistent criteria
- Impact tolerances are quantified, comparable, and defensible
- Decision-making is supported by evidence and structured scoring models
- Outputs can be used for scenario testing, governance reporting, and continuous improvement
This chapter introduces practical templates and scoring methodologies that organisations can adopt to operationalise impact tolerance assessment.
Purpose of the Chapter
The purpose of this chapter is to provide:
- A structured template for documenting impact tolerance
- Standardised evaluation criteria for assessing impact severity
- Scoring models for likelihood and consequence
- Practical guidance on using heatmaps and tolerance thresholds
- A consistent approach to comparing resilience across services
Sample Impact Tolerance Assessment Table
A core component of the framework is the Impact Tolerance Assessment Table, which captures key attributes of each Sub-CBS.
Standard Template
|
Sub-CBS Code |
Sub-CBS |
MTD (Maximum Tolerable Downtime) |
MTDL (Maximum Tolerable Data Loss) |
Customer Impact |
Regulatory Impact |
Impact Type |
Current Resilience Status |
Action Required |
|
1.1 |
Customer Onboarding & Account Application |
8 hours |
1 hour |
Moderate – delayed onboarding, customer dissatisfaction |
Low – minimal regulatory breach risk |
Operational / Customer |
Adequate |
Improve digital onboarding redundancy |
|
1.6 |
Deposit Transactions Processing |
4 hours |
15 minutes |
High – customers unable to deposit funds |
High – potential breach of service availability expectations |
Customer / Financial / Regulatory |
Weak |
Enhance system failover capability |
|
2.1 |
Payment Initiation |
2 hours |
5 minutes |
High – delayed payments, customer complaints |
High regulatory scrutiny on payment delays |
Customer / Systemic |
Moderate |
Strengthen payment gateway resilience |
|
2.7 |
Clearing and Settlement |
1 hour |
Near-zero |
Very High – systemic disruption across the financial system |
Very High – regulatory breach and systemic risk |
Systemic / Regulatory |
Weak |
Implement real-time backup and alternate routing |
Key Fields Explained
- MTD (Maximum Tolerable Downtime): Maximum acceptable duration of service disruption
- MTDL (Maximum Tolerable Data Loss): Maximum acceptable data loss window
- Customer Impact: Degree of harm to customers
- Regulatory Impact: Likelihood and severity of regulatory breach
- Impact Type: Primary category of impact (Customer, Financial, Systemic, etc.)
- Current Resilience Status: Assessment of current capability (Strong / Adequate / Moderate / Weak)
- Action Required: Remediation measures to meet tolerance
This table forms the baseline artefact for regulatory review and internal governance.
Scoring Model for Impact Severity
To ensure consistency, organisations should adopt a standardised scoring model for impact severity across all Sub-CBS.
Example Impact Severity Scale
|
Score |
Impact Level |
Description |
|
1 |
Low |
Minimal disruption, negligible customer or regulatory impact |
|
2 |
Moderate |
Noticeable disruption, manageable customer impact |
|
3 |
High |
Significant customer disruption, potential regulatory concern |
|
4 |
Very High |
Severe disruption, regulatory breach likely |
|
5 |
Extreme |
Critical failure, systemic impact, major regulatory consequences |
Multi-Dimensional Impact Scoring
Impact severity should be assessed across multiple dimensions:
|
Dimension |
Description |
Score (1–5) |
|
Customer Impact |
Number of customers affected, severity of harm |
|
|
Financial Impact |
Direct and indirect financial loss |
|
|
Regulatory Impact |
Compliance breach, reporting failure |
|
|
Reputational Impact |
Media exposure, public trust erosion |
|
|
Systemic Impact |
Impact on the financial system or market stability |
|
An aggregate score can be derived using:
- Average scoring
- Weighted scoring (e.g., higher weight for customer or systemic impact)
This allows organisations to identify which Sub-CBS carry the highest overall impact risk.
Likelihood vs Consequence Model
Impact tolerance assessment should also consider the likelihood of disruption in addition to impact severity.
Likelihood Scale
|
Score |
Likelihood |
Description |
|
1 |
Vert Low - Rare |
Highly unlikely, historical occurrence is minimal |
|
2 |
Low -Unlikely |
Possible but infrequent |
|
3 |
Moderate - Possible |
Occurs occasionally |
|
4 |
High - Likely |
Occurs regularly |
|
5 |
Very High - Almost Certain |
Expected to occur frequently |
Risk Scoring Matrix
The combination of Likelihood × Consequence (Impact Severity) produces a risk score:
|
Consequence ↓ / Likelihood → |
1 |
2 |
3 |
4 |
5 |
|
5 (Extreme) |
Medium |
High |
Very High |
Extreme |
Extreme |
|
4 (Very High) |
Medium |
High |
High |
Very High |
Extreme |
|
3 (High) |
Low |
Medium |
High |
High |
Very High |
|
2 (Moderate) |
Low |
Low |
Medium |
Medium |
High |
|
1 (Low) |
Low |
Low |
Low |
Medium |
Medium |
This matrix helps organisations:
- Prioritise high-risk Sub-CBS
- Focus resilience investments on critical vulnerabilities
- Align impact tolerance thresholds with risk appetite
Use of Heatmaps
Heatmaps provide a visual representation of risk and resilience gaps.
Example Interpretation
- Green Zone: Within acceptable tolerance
- Amber Zone: Close to tolerance limit – monitoring required
- Red Zone: Exceeds tolerance – immediate action required
Heatmaps can be applied to:
- Impact severity vs time
- Likelihood vs consequence
- Current capability vs required tolerance
Practical Application
For example:
- A Sub-CBS with high impact severity and high likelihood will appear in the red zone
- A Sub-CBS with low likelihood but extreme impact may still require strong controls
- A Sub-CBS operating near tolerance thresholds should be prioritised for improvement
Heatmaps enable senior management to quickly visualise risk concentration across services.
Tolerance Thresholds and Breach Indicators
Impact tolerance is only meaningful if organisations define clear thresholds and breach indicators.
Types of Thresholds
|
Threshold Type |
Example |
|
Time-Based |
Service unavailable for more than 4 hours |
|
Volume-Based |
More than 5,000 failed transactions |
|
Value-Based |
More than SGD 10 million in delayed payments |
|
Customer-Based |
More than 15% of customers affected |
|
Capacity-Based |
Service operating below 70% capacity |
Early Warning Indicators
Organisations should also define leading indicators that signal potential breach:
- Rapid increase in transaction backlog
- Spike in customer complaints
- System performance degradation
- Third-party service instability
- Cyber threat escalation alerts
These indicators allow organisations to take proactive action before tolerance is breached.
Current Resilience Assessment
Each Sub-CBS should be assessed against its defined tolerance to determine its current resilience status.
Example Rating
|
Status |
Description |
|
Strong |
Fully capable of operating within tolerance under stress scenarios |
|
Adequate |
Likely to remain within tolerance with minor gaps |
|
Moderate |
Risk of exceeding tolerance under severe scenarios |
|
Weak |
High likelihood of exceeding tolerance |
This assessment should be supported by:
- Scenario testing results
- Incident history
- Technology performance metrics
- Third-party service level performance
Action Planning and Remediation
Where gaps are identified, organisations must define clear action plans.
Example Actions
|
Gap Identified |
Action Required |
|
System recovery exceeds MTD |
Implement high-availability architecture |
|
Data recovery exceeds MTDL |
Improve backup frequency and replication |
|
Third-party dependency risk |
Introduce an alternate vendor or a failover |
|
Manual processing limitations |
Increase staffing or automation |
|
Lack of monitoring |
Implement real-time dashboards and alerts |
Action plans should include:
- Owner
- Timeline
- Priority
- Expected improvement outcome
Integration with Operational Resilience Lifecycle
The Impact Tolerance Assessment Framework supports multiple stages of the lifecycle:
|
Lifecycle Stage |
Role of Assessment Framework |
|
Identify CBS |
Provides structured evaluation criteria |
|
Map Dependencies |
Links' impact on supporting resources |
|
Set Impact Tolerance |
Defines measurable thresholds |
|
Scenario Testing |
Validates whether tolerance can be maintained |
|
Improve |
Identifies gaps and drives remediation |
Practical Output Summary
|
Component |
Output |
|
Impact Tolerance Table |
Documented tolerance for each Sub-CBS |
|
Impact Scoring Model |
Standardised severity assessment |
|
Likelihood Matrix |
Risk prioritisation |
|
Heatmaps |
Visual risk representation |
|
Threshold Indicators |
Defined tolerance limits and triggers |
|
Resilience Status |
Capability assessment |
|
Action Plan |
Remediation roadmap |
![Banner [Summing] [OR] [E3] Establish Impact Tolerance](https://no-cache.hubspot.com/cta/default/3893111/5e80e50f-5e3e-44ea-8c43-16bf42d4f3b5.png)
A structured Impact Tolerance Assessment Framework transforms tolerance setting from a conceptual exercise into a measurable, comparable, and actionable discipline. By using standard templates, scoring models, and visual tools such as heatmaps, organisations can ensure that impact tolerances are consistently applied, objectively assessed, and aligned with both regulatory expectations and organisational risk appetite.
More importantly, this framework enables organisations to identify where they are most vulnerable, prioritise remediation efforts, and demonstrate to regulators that resilience is not only defined—but actively measured, tested, and improved.
In the next chapter, we will build on this framework by examining how to apply impact tolerance in real-world scenarios and testing environments, ensuring that defined thresholds are both realistic and achievable under stress conditions.
![[OR] [P2] [S3] [ITo] [C1] Introduction to Impact Tolerance](https://no-cache.hubspot.com/cta/default/3893111/a2d06a13-c2ac-4e0a-b8ea-c5afcab91844.png)
![[OR] [P2] [S3] [ITo] [C2] Regulatory and Standards Landscape](https://no-cache.hubspot.com/cta/default/3893111/04df8f17-629c-458f-af01-67e3da528b63.png)
![[OR] [P2] [S3] [ITo] [C3] Understanding Impact Tolerance in Context](https://no-cache.hubspot.com/cta/default/3893111/ea66bac0-7b34-4d56-9c93-c33c8f7964bc.png)
![[OR] [P2] [S3] [ITo] [C4] Linking Impact Tolerance to Critical Business Services (CBS)](https://no-cache.hubspot.com/cta/default/3893111/24ceb290-50c2-4af4-be00-41894f00c7cb.png)
![[OR] [P2] [S3] [ITo] [C5] Key Components of Impact Tolerance](https://no-cache.hubspot.com/cta/default/3893111/6e9d8a15-c0a3-4e28-b9a4-c2dcc3e2081e.png)
![[OR] [P2] [S3] [ITo] [C6] Methodology for Setting Impact Tolerance](https://no-cache.hubspot.com/cta/default/3893111/77526e47-fc15-4c7b-bf03-cadd672b40db.png)
![[OR] [P2] [S3] [ITo] [C8] Scenario-Based Calibration of Impact Tolerance](https://no-cache.hubspot.com/cta/default/3893111/23b3a54d-37ce-494b-acb1-33b3cc5e1655.png)
![[OR] [P2] [S3] [ITo] [C9] Role of Dependency Mapping in Impact Tolerance](https://no-cache.hubspot.com/cta/default/3893111/d35fd8b0-e936-4ab3-9706-4366bfcb8cbe.png)
![[OR] [P2] [S3] [ITo] [C10] Governance, Ownership, and Accountability](https://no-cache.hubspot.com/cta/default/3893111/de12fefd-b6c6-4156-83a9-5d19ca5bc508.png)
![[OR] [P2] [S3] [ITo] [C11] Integration with Operational Resilience Framework](https://no-cache.hubspot.com/cta/default/3893111/84d3d3c4-0647-4ffd-99b4-a20a12526019.png)
![[OR] [P2] [S3] [ITo] [C12] Testing and Validation of Impact Tolerances](https://no-cache.hubspot.com/cta/default/3893111/9a9cb7eb-1ca3-4790-b39e-f6b0035a1eae.png)
![[OR] [P2] [S3] [ITo] [C13] Monitoring, Metrics, and Continuous Improvement](https://no-cache.hubspot.com/cta/default/3893111/1a32f981-3a16-427a-a63f-5a40ab93ea21.png)
![[OR] [P2] [S3] [ITo] [C14] Common Challenges and Pitfalls](https://no-cache.hubspot.com/cta/default/3893111/8831463d-a357-4203-806b-fb31ef71d615.png)
![[OR] [P2] [S3] [ITo] [C15] Practical Case Study (Banking Sector Example)](https://no-cache.hubspot.com/cta/default/3893111/fef15761-14c6-4e2b-b157-554cceb33d14.png)
![[OR] [P2] [S3] [ITo] [C16] Future Trends in Impact Tolerance](https://no-cache.hubspot.com/cta/default/3893111/b6a701db-167e-4630-88ad-de0d43deb322.png)
![[OR] [P2] [S3] [ITo] [C17] Key Takeaways and Call to Action](https://no-cache.hubspot.com/cta/default/3893111/bf49e0c2-33a3-48bc-97d2-eb939aed77bd.png)
![[OR] [P2] [S3] [ITo] [C18] Back Cover](https://no-cache.hubspot.com/cta/default/3893111/3623335d-0b26-4ee7-afbf-0d431358b390.png)
More Information About OR-5000 [OR-5] or OR-300 [OR-3]
To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.
![[BL-OR] [3-4-5] View Schedule](https://no-cache.hubspot.com/cta/default/3893111/d0d733a1-16c0-4b68-a26d-adbfd4fc6069.png)
![[BL-OR] [3] FAQ OR-300](https://no-cache.hubspot.com/cta/default/3893111/f20c71b4-f5e8-4aa5-8056-c374ca33a091.png)
![Email to Sales Team [BCM Institute]](https://no-cache.hubspot.com/cta/default/3893111/3c53daeb-2836-4843-b0e0-645baee2ab9e.png)
