Operational Resilience

[OR] [P2-S3] What is Impact Tolerance in Operational Resilience?

Written by Moh Heng Goh | Jul 23, 2022 1:41:45 PM

What is Impact Tolerance?

Impact Tolerance is setting the maximum tolerable level of disruption to a critical business service.

What Are the Tasks Required to Set Impact Tolerance?

These are the tasks required to Set Impact Tolerance:

  1. Identify impact types
  2. Set impact tolerances for each type
  3. Link impact tolerances to risk appetite and risk assessment scales
  4. Set appropriate impact tolerances for critical business services

How to set appropriate impact tolerances for critical business services?

Setting impact tolerances helps organisations define acceptable levels of disruption for critical business services.

The following steps guide the process:

Define Impact Tolerance Levels

Collaboratively establish impact tolerance levels in consultation with key stakeholders. Consider each critical service's maximum acceptable downtime, data loss, financial losses, and customer impact.

Consider Regulatory and Compliance Requirements

Consider specific regulatory or compliance requirements that dictate impact tolerances for particular services or industries. Ensure alignment with legal obligations and industry standards.

Document Impact Tolerance Levels

Document each critical service's agreed-upon impact tolerance levels. This documentation will be a reference point for developing resilience strategies and response plans.

Review and Update

Review and update impact tolerance levels regularly to reflect evolving business needs, technological advancements, and changes in the operating environment.

In addition, Impact Tolerance:
  1. Represents the point beyond which the harm caused by an operational disruption to the critical business service becomes intolerable.
  2. Does not factor in the frequency at which operational disruptions are likely to occur.
  3. Focuses on limiting the impact the organisation can tolerate from a single disruption.
  4. Is different from the recovery time objective (RTO) and the maximum acceptable outage as defined in business continuity planning, as these are time-based.
  5. Focuses on outcome-based objectives: how much, when, and for how long.

Definitions

Impact Tolerance is setting the maximum tolerable level of disruption to a critical business service.

Maximum Tolerable Level of Disruption is the time following a disruptive event after which an organisation’s viability will be irreversibly impacted if its critical business services are not resumed.

Important Business Service is a service provided by an organisation, or by another person on behalf of the organisation, to one or more clients which, if disrupted, could:
  • cause intolerable harm to any one or more of the organisation’s clients, or
  • pose a risk to the soundness, stability or resilience of the financial system or the orderly operation of the financial markets.

Levels of Harm are the impact or level of harm to the client when the organisation providing critical business services is disrupted. There are three levels:
  • Intolerable harm
  • Harm
  • Inconvenience

What is the difference between Impact Tolerance and Recovery Time Objective?

Impact Tolerance is expressed by reference to specific outcomes and metrics. It differs from the recovery time objective (RTO) and the maximum acceptable outage as defined in business continuity planning, as these are time-based.

Impact types refer to the various negative effects or consequences of disruptions in an organisation's operations. This is a list of impact types.

Outcome-based objective vs time-based

Impact tolerance focuses on outcome-based objectives, which are about how much, when, and for how long.

"Implement" Phase of OR Planning Methodology

  • Identify Important Business Services
  • Map Processes and Resources
  • Set Impact Tolerance
  • Conduct Scenario Testing
  • Improve Lesson Learnt
