Operational Resilience

[OR] [P2-S3] What is Impact Tolerance in Operational Resilience?

Written by Moh Heng Goh | Jul 23, 2022 1:41:45 PM

What is Impact Tolerance?

Impact Tolerance is setting the maximum tolerable level of disruption to a critical business service.

What Are the Tasks Required to Set Impact Tolerance?

These are the tasks required to Set Impact Tolerance:

  1. Identify impact types
  2. Set impact tolerances for each type
  3. Link impact tolerances to risk appetite and risk assessment scales
  4. Set appropriate impact tolerances for critical business services

How Do We Set Appropriate Impact Tolerances for Critical Business Services?

Setting impact tolerances helps organisations define acceptable levels of disruption for critical business services.

The following steps guide the process:

 
Define Impact Tolerance Levels
  • Establish impact tolerance levels in collaborative consultation with key stakeholders.
  • Consider the maximum acceptable downtime, data loss, financial losses, and customer impact for each critical service.
Consider Regulatory and Compliance Requirements
  • Consider specific regulatory or compliance requirements that dictate impact tolerances for particular services or industries.
  • Ensure alignment with legal obligations and industry standards.
Document Impact Tolerance Levels
  • Document the agreed-upon impact tolerance levels for each critical service.
  • This documentation will serve as a reference for developing resilience strategies and response plans.
Review and Update

Review and update impact tolerance levels regularly to reflect evolving business needs, technological advancements, and changes in the operating environment.

 

In addition, Impact Tolerance:

  1. Represent the point beyond which the harm caused by an operational disruption to the critical business service becomes intolerable.
  2. Do not factor in the frequency at which operational disruptions are likely to occur.
  3. Focus on limiting the impact the organisation can tolerate from a single disruption.
  4. Differs from the recovery time objective (RTO) and the maximum acceptable outage defined in business continuity planning, which are time-based. 
  5. Focus on outcome-based objectives: how much, when, and for how long.

  Definition Explanation Definition  
  Impact Tolerance is setting the maximum tolerable level of disruption to a critical business service.  
  Maximum Tolerable Level of Disruption is the time following a disruptive event after which an organisation’s viability will be irreversibly impacted if its critical business services are not resumed.  
  Critical Business Services is a business service that, if disrupted, is likely to significantly impact the organisation's safety and soundness, its customers or other organisations (within the financial services institution sector) that depend on the business service.
  
  Important Business Services is a service provided by an organisation, or by another person on behalf of the organisation, to one or more clients which, if disrupted, could:
  • Cause intolerable harm to any one or more of the organisation’s clients or
  • Pose a risk to the soundness, stability or resilience of the financial system or the orderly operation of the financial markets.
  
  Levels of Harm Levels of Harm are the impact on the client when the organisation providing critical business services is disrupted. There are three levels:
  • Intolerable harm
  • Harm
  • Inconvenience
  
  What is the difference between Impact Tolerance and Recovery Time Objective? Impact Tolerance is expressed in terms of specific outcomes and metrics. They differ from the recovery time objective (RTO) and the maximum acceptable outage, as defined in business continuity planning, which are time-based.   
  Impact Types Impact types refer to the various adverse effects or consequences of disruptions in an organization's operations.  This is a list of impact types.    
  Outcome-based objective vs. time-based Impact tolerance focuses on outcome-based objectives: how much, when, and for how long.  
         
"Implement" Phase of OR Planning Methodology
Identify Critical Business Services Map Processes and Resources

Set Impact Tolerance

 Conduct Scenario Testing Improve Lesson Learnt  
 

More Information About Operational Resilience OR-5000 [BL-OR-5] or OR-300 [BL-OR-3] Course

To learn more about the course and schedule, click the buttons below for the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.

If you have any questions, click to contact us.

View full post