Setting impact tolerances – design principles

As financial market participants move towards compliance with the Bank of England operational resilience regulations, beginning with initial assessments to be completed by 31 March 2022, one of the critical components of preparation, after identification of the Important Business Services (IBS), is setting impact tolerance.

In this blog, we consider how you can document your financial services organisation's impact tolerances at pace, without getting lost in debate and complexity.

The operational resilience regulations presuppose that incidents are inevitable. The regulations do not address likelihood. Rather, firms are required to work on the assumption that inconvenience and harm to stakeholders such as customers, the financial markets, and market participants themselves, will occur as a result of resilience events such as cyber attacks, natural disasters or market shocks. So, when drafting your impact tolerance statements, it is important to retain this assumption: preventative controls are secondary, and operational resilience is about response.

You are required to set impact tolerance statements (ITS) for each IBS within your organisation, with ITS being defined as ‘the maximum tolerable level of disruption to an important business service, including the maximum tolerable duration of a disruption’.

Here are three areas for you to consider when setting impact tolerance statements:

1. Collect some baseline data

Gathering initial data about the IBS will help focus the discussions during the ITS setting process. The focus here should be on metrics, including historical trends and patterns, that demonstrate the ‘business as usual’ operation of the IBS. This should include not only customer/transaction volumes and revenue, but also information on thresholds for regulatory or contractual penalties, loss data (e.g. through fraud) and indicators of positive and negative external sentiment.

You may find that additional data or refinement of data is required as the ITS setting progresses.

2. De-construction

It is a good idea to consider whether you can deconstruct your impact tolerance statement (ITS) into components. For example, some organisations have taken to writing their ITSs according to a formula whereby each clause can be slightly adjusted according to the severity of the event, the stakeholder experiencing the event, the scale of impact, and any specific features of the stakeholder base, such as vulnerable customers. The formula can then be examined in ITS design sessions with a variety of stakeholders, and later tested.

3. Response, not prevention

Finally, you should consider that the starting point for all operational resilience legislation, including the DORA regulations currently going through the European Parliament, is that negative events happen. An effective response to the legislation is based on mitigation rather than prevention.

If an organisation's impact tolerances prove to be ineffective during a resilience event, for example because they are set at “too easy” a level, it is likely to suffer reputational damage and regulatory scrutiny, so it's important to get this right from the start.

If you would like to understand more about operational resilience or would like guidance in setting your impact tolerance statements, then why not get in touch on +44 203 603 4733 or email us at info@three-two-fourcom.
