Set Impact Tolerance
What is Impact Tolerance?
Setting impact tolerance means defining the maximum tolerable level of disruption to a critical business service.
This section belongs to the "Implement" phase of the Operational Resilience Planning Methodology; Set Impact Tolerance is the third stage of that phase.
Audit Checklist for Identifying and Setting Impact Tolerance
1. Understanding Critical Business Services

Questions
- How well does the organization understand the interdependencies and dependencies of critical business services?
- Are the definitions and boundaries of critical business services clearly defined?

Checklist
- Verify the documentation of critical business services and their dependencies.
2. Impact Tolerance Framework

Questions
- Does the organization have an impact tolerance framework or policy in place?
- Are there predefined thresholds for various impacts (financial, operational, reputational, regulatory)?
- How well does the impact tolerance framework align with the organization's risk appetite and strategic objectives?

Checklist
- Verify the existence of an impact tolerance framework or policy within the operational resilience program.
- Evaluate whether the impact tolerance framework includes specific thresholds for different types of impacts.
- Assess the alignment between the impact tolerance framework and the organization's risk appetite and strategic objectives.
3. Identification of Impact Tolerances

Questions
- What is the process for identifying impact tolerances for each critical business service?
- Were critical stakeholders involved in determining the impact tolerances?
- Are the impact tolerances based on a thorough analysis of potential impacts, considering various scenarios and threat vectors?

Checklist
- Review the methodology and approach used to determine impact tolerances for critical business services.
- Assess the level of involvement and engagement of relevant stakeholders in setting impact tolerances.
- Evaluate the robustness and comprehensiveness of the analysis conducted to establish impact tolerances.
4. Quantitative and Qualitative Measures

Questions
- Does the organization use both quantitative and qualitative measures to set impact tolerances?
- Are specific quantitative measures, such as recovery time objectives (RTOs) and recovery point objectives (RPOs), included in the impact tolerances?
- How are qualitative factors, such as customer perception and brand reputation, incorporated into setting impact tolerances?

Checklist
- Verify whether both measurable and subjective criteria are considered in setting impact tolerances.
- Assess whether the impact tolerances include measurable criteria for recovery time and recovery point objectives.
- Evaluate whether subjective factors are adequately considered in the establishment of impact tolerances.
5. Documentation and Communication

Questions
- Are the impact tolerances for critical business services adequately documented?
- How precise and accessible are the documented impact tolerances?
- How are the impact tolerances communicated to relevant stakeholders, including management, operational teams, and third-party vendors?

Checklist
- Verify the existence and completeness of documentation for the established impact tolerances.
- Assess the clarity and availability of the documented impact tolerances to relevant stakeholders.
- Evaluate the communication process and mechanisms for disseminating impact tolerances to relevant parties.
6. Alignment with Business Continuity Plans

Questions
- How well do the impact tolerances align with the organization's business continuity plans (BCPs)?
- Do the BCPs address the identified impact tolerances for each critical business service?
- Is there evidence of testing the BCPs against the impact tolerances?

Checklist
- Assess the alignment between the established impact tolerances and the corresponding measures in the BCPs.
- Verify whether the BCPs incorporate specific provisions to address the established impact tolerances.
- Assess whether the BCPs have been tested to confirm their effectiveness in meeting the impact tolerances.
7. Monitoring and Reporting

Questions
- How is the performance of critical business services against the impact tolerances monitored?
- Are regular assessments and measurements conducted to track adherence to the impact tolerances?
- How are the results of impact tolerance monitoring communicated to relevant stakeholders?

Checklist
- Evaluate the mechanisms and processes in place for monitoring the performance of critical business services.
- Assess the frequency and comprehensiveness of assessments used to evaluate adherence to the impact tolerances.
- Evaluate the reporting framework for sharing the outcomes of impact tolerance monitoring with relevant stakeholders.
8. Continuous Review and Adjustments

Questions
- How often are impact tolerances reviewed and adjusted?
- What triggers a review or adjustment of impact tolerances?
- Are there mechanisms to capture lessons learned from incidents and near misses to inform adjustments to impact tolerances?

Checklist
- Assess the frequency and timeliness of reviews and adjustments to impact tolerances.
- Determine the circumstances or factors that prompt a review or adjustment of impact tolerances.
- Evaluate whether there are processes to incorporate insights from incidents and near misses into adjusting impact tolerances.
Some steps may overlap with the other "Implement" phase stages.