Operational resilience: a guide to impact tolerance
- Published: Wednesday, 09 November 2022 11:06
Considering, defining, and building consensus around impact tolerances is a vital aspect of operational resilience. This guide, the Impact Tolerance Builder, provides a framework for developing impact tolerances…
What is impact tolerance?
Impact tolerance is the point in time - or decreased capacity of - an important business service that causes unacceptable harm to a customer, the broader market, or irrevocably threatens your organization’s viability.
Having a clear understanding of impact tolerance enables you to identify what a disruption to one or more of your important business services means to your customers, the market, or even your organization’s viability.
This information not only helps enable executive management prioritization and decision-making, but it’s also one of the most valuable resources for achieving a more resilient state. By setting a clear impact tolerance for your most important business services, you’re helping your organization draw a line in the sand and crystallize your resilience objectives.
The impact tolerance framework
The Impact Tolerance Builder sets out a five-step framework to define impact tolerances and prepare to stress test them:
Step one: Identify Important Business Services
Operational resilience starts with the concept of important business services (IBS), which you must identify before you can set impact tolerances.
Step two: Identify Metrics and Create Baselines
Once you have your list of approved important business services and understand how they are delivered, it’s time to identify metrics and baselines that will help with your impact tolerance analysis. There is high-level information that should have been used during important business services identification, but it is worth revisiting it at this stage. The goal of documenting this information is to contextualize where the impact of disruption will be felt and by whom.
Step three: Develop Rubric to Assess Harm
Identifying metrics and baselines is a great step, but the reality is that most organizations are not going to find a ‘silver bullet’ from their data that will be sufficient to determine impact tolerances. The best approach is to apply both quantitative and qualitative approaches to triangulate an appropriate impact tolerance and provide necessary justification. Creating a rubric helps provide context and justification for assigning criticality to impact categories over time. To do this, you should review risk scales and rubrics that may already be in place from business continuity or enterprise risk teams; however, it is critical to understand that impact tolerances are different from internal risk appetite. Risk appetite tends to highlight unacceptable risk to the organization, while impact tolerance is more geared to external impact. Developing a rubric will help determine when there will be unacceptable impacts to the safety and soundness of the organization, customers and clients, and the broader market. Assessing important business services requires input from those who understand the value that the service delivers and its relevance to the organization. It is essential to engage service owners and leadership in this process.
Step four: Set Impact Tolerances
Setting impact tolerances is an art. An impact tolerance should reflect the timeframe that your organization believes is the point in time following a disruption to an important business service that will likely result in intolerable impacts to your customers, the broader market, or irrevocably threaten your organization’s viability. You will want to leverage both quantitative (metrics) and qualitative (the rubric) data to set an impact tolerance and carefully think through the data points.
Step five: Assess Appropriateness Using Data
The final step is to validate the feasibility of the newly defined impact tolerances. This is where business continuity and IT disaster recovery requirements, input from enterprise risk management programs, and data gleaned from end-to-end mapping can be particularly useful. Impact tolerances should never be dictated using business continuity or ERM data, but information from these programs can be extremely useful in sanity-checking outcomes.
The Impact Tolerance Builder builds upon and adds more detail to the above framework, as well as providing worksheets to help you work through setting your own impact tolerances.