[OR] [P2] [S3] [ITo] [C7] Impact Tolerance Assessment Framework

Written by Moh Heng Goh | May 8, 2026 9:46:20 AM

[P2] [S3] Chapter 7

Impact Tolerance Assessment Framework

Introduction

Once impact tolerances have been defined, organisations must establish a structured framework to assess, document, and evaluate them consistently across all Critical Business Services (CBS).

Without a standardised framework, tolerance setting becomes subjective, inconsistent, and difficult to validate during regulatory reviews or internal audits.

An effective Impact Tolerance Assessment Framework ensures that:

  • All CBS and Sub-CBS are assessed using consistent criteria
  • Impact tolerances are quantified, comparable, and defensible
  • Decision-making is supported by evidence and structured scoring models
  • Outputs can be used for scenario testing, governance reporting, and continuous improvement

This chapter introduces practical templates and scoring methodologies that organisations can adopt to operationalise impact tolerance assessment.

Purpose of the Chapter

The purpose of this chapter is to provide:

  • A structured template for documenting impact tolerance
  • Standardised evaluation criteria for assessing impact severity
  • Scoring models for likelihood and consequence
  • Practical guidance on using heatmaps and tolerance thresholds
  • A consistent approach to comparing resilience across services

Sample Impact Tolerance Assessment Table

A core component of the framework is the Impact Tolerance Assessment Table, which captures key attributes of each Sub-CBS.

Standard Template

| Sub-CBS Code | Sub-CBS | MTD (Maximum Tolerable Downtime) | MTDL (Maximum Tolerable Data Loss) | Customer Impact | Regulatory Impact | Impact Type | Current Resilience Status | Action Required |
|---|---|---|---|---|---|---|---|---|
| 1.1 | Customer Onboarding & Account Application | 8 hours | 1 hour | Moderate – delayed onboarding, customer dissatisfaction | Low – minimal regulatory breach risk | Operational / Customer | Adequate | Improve digital onboarding redundancy |
| 1.6 | Deposit Transactions Processing | 4 hours | 15 minutes | High – customers unable to deposit funds | High – potential breach of service availability expectations | Customer / Financial / Regulatory | Weak | Enhance system failover capability |
| 2.1 | Payment Initiation | 2 hours | 5 minutes | High – delayed payments, customer complaints | High regulatory scrutiny on payment delays | Customer / Systemic | Moderate | Strengthen payment gateway resilience |
| 2.7 | Clearing and Settlement | 1 hour | Near-zero | Very High – systemic disruption across the financial system | Very High – regulatory breach and systemic risk | Systemic / Regulatory | Weak | Implement real-time backup and alternate routing |

Key Fields Explained

  • MTD (Maximum Tolerable Downtime): Maximum acceptable duration of service disruption
  • MTDL (Maximum Tolerable Data Loss): Maximum acceptable data loss window
  • Customer Impact: Degree of harm to customers
  • Regulatory Impact: Likelihood and severity of regulatory breach
  • Impact Type: Primary category of impact (Customer, Financial, Systemic, etc.)
  • Current Resilience Status: Assessment of current capability (Strong / Adequate / Moderate / Weak)
  • Action Required: Remediation measures to meet tolerance

This table forms the baseline artefact for regulatory review and internal governance.

Scoring Model for Impact Severity

To ensure consistency, organisations should adopt a standardised scoring model for impact severity across all Sub-CBS.

Example Impact Severity Scale

| Score | Impact Level | Description |
|---|---|---|
| 1 | Low | Minimal disruption, negligible customer or regulatory impact |
| 2 | Moderate | Noticeable disruption, manageable customer impact |
| 3 | High | Significant customer disruption, potential regulatory concern |
| 4 | Very High | Severe disruption, regulatory breach likely |
| 5 | Extreme | Critical failure, systemic impact, major regulatory consequences |

Multi-Dimensional Impact Scoring

Impact severity should be assessed across multiple dimensions:

| Dimension | Description | Score (1–5) |
|---|---|---|
| Customer Impact | Number of customers affected, severity of harm | |
| Financial Impact | Direct and indirect financial loss | |
| Regulatory Impact | Compliance breach, reporting failure | |
| Reputational Impact | Media exposure, public trust erosion | |
| Systemic Impact | Impact on the financial system or market stability | |

An aggregate score can be derived using:

  • Average scoring
  • Weighted scoring (e.g., higher weight for customer or systemic impact)

This allows organisations to identify which Sub-CBS carry the highest overall impact risk.

Likelihood vs Consequence Model

Impact tolerance assessment should also consider the likelihood of disruption in addition to impact severity.

Likelihood Scale

| Score | Likelihood | Description |
|---|---|---|
| 1 | Very Low - Rare | Highly unlikely, historical occurrence is minimal |
| 2 | Low - Unlikely | Possible but infrequent |
| 3 | Moderate - Possible | Occurs occasionally |
| 4 | High - Likely | Occurs regularly |
| 5 | Very High - Almost Certain | Expected to occur frequently |

Risk Scoring Matrix

The combination of Likelihood × Consequence (Impact Severity) produces a risk score:

| Consequence ↓ / Likelihood → | 1 | 2 | 3 | 4 | 5 |
|---|---|---|---|---|---|
| 5 (Extreme) | Medium | High | Very High | Extreme | Extreme |
| 4 (Very High) | Medium | High | High | Very High | Extreme |
| 3 (High) | Low | Medium | High | High | Very High |
| 2 (Moderate) | Low | Low | Medium | Medium | High |
| 1 (Low) | Low | Low | Low | Medium | Medium |

This matrix helps organisations:

  • Prioritise high-risk Sub-CBS
  • Focus resilience investments on critical vulnerabilities
  • Align impact tolerance thresholds with risk appetite
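
The multi-dimensional scoring and the risk matrix above can be combined into one repeatable calculation. The following is an added example, not part of the original chapter: the weights, the round-half-up step, the "masked" flag, and the sample scores and likelihoods are assumptions (only the customer and regulatory scores follow the levels in the sample table).

```python
# Risk matrix as printed in the chapter: MATRIX[consequence][likelihood - 1].
MATRIX = {
    5: ["Medium", "High", "Very High", "Extreme", "Extreme"],
    4: ["Medium", "High", "High", "Very High", "Extreme"],
    3: ["Low", "Medium", "High", "High", "Very High"],
    2: ["Low", "Low", "Medium", "Medium", "High"],
    1: ["Low", "Low", "Low", "Medium", "Medium"],
}
ORDER = ["Low", "Medium", "High", "Very High", "Extreme"]
DIMENSIONS = ("customer", "financial", "regulatory", "reputational", "systemic")
# Assumed weights (not from the chapter): customer and systemic impact count double.
WEIGHTS = {"customer": 2, "financial": 1, "regulatory": 1, "reputational": 1, "systemic": 2}

def aggregate(scores, weights=None):
    """Weighted mean of the five 1-5 dimension scores; no weights means a plain average."""
    weights = weights or dict.fromkeys(DIMENSIONS, 1)
    for dim in DIMENSIONS:
        if not 1 <= scores.get(dim, 0) <= 5:
            raise ValueError(f"{dim} must be scored 1-5")
    total = sum(weights[d] * scores[d] for d in DIMENSIONS)
    return total / sum(weights[d] for d in DIMENSIONS)

def assess(scores, likelihood, weights=None):
    """Rate one Sub-CBS and flag when averaging hides a single severe dimension."""
    if not 1 <= likelihood <= 5:
        raise ValueError("likelihood must be 1-5")
    agg = aggregate(scores, weights)
    consequence = int(agg + 0.5)  # assumption: round half up onto the 1-5 scale
    peak = max(scores[d] for d in DIMENSIONS)
    return {
        "aggregate": round(agg, 2),
        "rating": MATRIX[consequence][likelihood - 1],
        "worst_case_rating": MATRIX[peak][likelihood - 1],
        "masked": peak > consequence,  # one dimension is worse than the aggregate shows
    }

def rank(portfolio, weights=None):
    """Sub-CBS codes ordered from highest to lowest rating, ties broken by aggregate."""
    results = {code: assess(s, lk, weights) for code, (s, lk) in portfolio.items()}
    key = lambda c: (ORDER.index(results[c]["rating"]), results[c]["aggregate"])
    return sorted(results, key=key, reverse=True)

# Constructed sample: (dimension scores, likelihood) per Sub-CBS code from the sample table.
PORTFOLIO = {
    "1.1": ({"customer": 2, "financial": 1, "regulatory": 1, "reputational": 2, "systemic": 1}, 3),
    "1.6": ({"customer": 3, "financial": 3, "regulatory": 3, "reputational": 3, "systemic": 2}, 3),
    "2.1": ({"customer": 3, "financial": 2, "regulatory": 3, "reputational": 3, "systemic": 3}, 2),
    "2.7": ({"customer": 4, "financial": 1, "regulatory": 4, "reputational": 2, "systemic": 5}, 1),
}
```

With these constructed inputs, a plain average rates Clearing and Settlement (2.7) as Low at likelihood 1 even though its systemic score is 5; the assumed weighting lifts it to Medium, and the `masked` flag marks it for review in either case.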

Use of Heatmaps

Heatmaps provide a visual representation of risk and resilience gaps.

Example Interpretation

  • Green Zone: Within acceptable tolerance
  • Amber Zone: Close to tolerance limit – monitoring required
  • Red Zone: Exceeds tolerance – immediate action required

Heatmaps can be applied to:

  • Impact severity vs time
  • Likelihood vs consequence
  • Current capability vs required tolerance

Practical Application

For example:

  • A Sub-CBS with high impact severity and high likelihood will appear in the red zone
  • A Sub-CBS with low likelihood but extreme impact may still require strong controls
  • A Sub-CBS operating near tolerance thresholds should be prioritised for improvement

Heatmaps enable senior management to quickly visualise risk concentration across services.

Tolerance Thresholds and Breach Indicators

Impact tolerance is only meaningful if organisations define clear thresholds and breach indicators.

Types of Thresholds

| Threshold Type | Example |
|---|---|
| Time-Based | Service unavailable for more than 4 hours |
| Volume-Based | More than 5,000 failed transactions |
| Value-Based | More than SGD 10 million in delayed payments |
| Customer-Based | More than 15% of customers affected |
| Capacity-Based | Service operating below 70% capacity |

Early Warning Indicators

Organisations should also define leading indicators that signal potential breach:

  • Rapid increase in transaction backlog
  • Spike in customer complaints
  • System performance degradation
  • Third-party service instability
  • Cyber threat escalation alerts

These indicators allow organisations to take proactive action before tolerance is breached.

Current Resilience Assessment

Each Sub-CBS should be assessed against its defined tolerance to determine its current resilience status.

Example Rating

| Status | Description |
|---|---|
| Strong | Fully capable of operating within tolerance under stress scenarios |
| Adequate | Likely to remain within tolerance with minor gaps |
| Moderate | Risk of exceeding tolerance under severe scenarios |
| Weak | High likelihood of exceeding tolerance |

This assessment should be supported by:

  • Scenario testing results
  • Incident history
  • Technology performance metrics
  • Third-party service level performance

Action Planning and Remediation

Where gaps are identified, organisations must define clear action plans.

Example Actions

| Gap Identified | Action Required |
|---|---|
| System recovery exceeds MTD | Implement high-availability architecture |
| Data recovery exceeds MTDL | Improve backup frequency and replication |
| Third-party dependency risk | Introduce an alternate vendor or a failover |
| Manual processing limitations | Increase staffing or automation |
| Lack of monitoring | Implement real-time dashboards and alerts |

Action plans should include:

  • Owner
  • Timeline
  • Priority
  • Expected improvement outcome

Integration with Operational Resilience Lifecycle

The Impact Tolerance Assessment Framework supports multiple stages of the lifecycle:

| Lifecycle Stage | Role of Assessment Framework |
|---|---|
| Identify CBS | Provides structured evaluation criteria |
| Map Dependencies | Links impact to supporting resources |
| Set Impact Tolerance | Defines measurable thresholds |
| Scenario Testing | Validates whether tolerance can be maintained |
| Improve | Identifies gaps and drives remediation |

Practical Output Summary

| Component | Output |
|---|---|
| Impact Tolerance Table | Documented tolerance for each Sub-CBS |
| Impact Scoring Model | Standardised severity assessment |
| Likelihood Matrix | Risk prioritisation |
| Heatmaps | Visual risk representation |
| Threshold Indicators | Defined tolerance limits and triggers |
| Resilience Status | Capability assessment |
| Action Plan | Remediation roadmap |

A structured Impact Tolerance Assessment Framework transforms tolerance setting from a conceptual exercise into a measurable, comparable, and actionable discipline. By using standard templates, scoring models, and visual tools such as heatmaps, organisations can ensure that impact tolerances are consistently applied, objectively assessed, and aligned with both regulatory expectations and organisational risk appetite.

More importantly, this framework enables organisations to identify where they are most vulnerable, prioritise remediation efforts, and demonstrate to regulators that resilience is not only defined—but actively measured, tested, and improved.

In the next chapter, we will build on this framework by examining how to apply impact tolerance in real-world scenarios and testing environments, ensuring that defined thresholds are both realistic and achievable under stress conditions.
