In an age when disruptions—ranging from cyberattacks to third-party failures—can halt business operations overnight, operational resilience has evolved from a compliance exercise to a strategic necessity. At the centre of this shift lies the concept of impact tolerance—the quantifiable limit of disruption an organization can withstand before experiencing intolerable harm to customers, market integrity, or financial stability.
While traditional continuity metrics such as RTO (Recovery Time Objective) and RPO (Recovery Point Objective)focus on systems recovery and data restoration, impact tolerance metrics extend beyond these to consider business service continuity, customer harm, and systemic stability. This article demystifies impact tolerance, explains its relationship to RTO/RPO, and outlines how firms can embed it into their resilience framework.
What Is Impact Tolerance?
According to the Bank of England and Financial Conduct Authority (FCA), impact tolerance represents “the maximum tolerable level of disruption to an important business service before causing intolerable harm to consumers or risk to market integrity.” (Bank of England, 2022)
Unlike risk appetite, which weighs probabilities, impact tolerance assumes that disruption has already occurred. It answers the question: “How much disruption can we endure before harm becomes unacceptable?”
This makes it a cornerstone of operational resilience under the UK regulatory framework, requiring firms to set, test, and evidence their tolerances by 31 March 2025 (FCA, 2022).
Going Beyond RTO and RPO
Traditional disaster recovery metrics—RTO (Recovery Time Objective) and RPO (Recovery Point Objective)—measure how quickly systems or data can be restored after an incident. However, these metrics are technology-centric, focusing on IT systems rather than customer-facing business services.
| Dimension | RTO (Recovery Time Objective) | RPO (Recovery Point Objective) | Impact Tolerance |
| Definition | Maximum acceptable downtime before systems are restored. | Maximum acceptable data loss measured in time (e.g., 15 minutes). | Maximum level of disruption to an important business service before causing intolerable harm. |
| Focus Area | IT systems and processes. | Data recovery and integrity. | Business services, customers, market stability. |
| Perspective | Internal (system restoration). | Internal (data replication). | External (service continuity, customer outcomes). |
| Harm Measured By | Lost productivity, IT downtime. | Lost transactions or data. | Customer harm, financial loss, regulatory breach, reputational damage. |
| Example Metric | “Restore trading system within 4 hours.” | “Recover data to within 15 minutes of failure.” | “Maintain at least 80% transaction volume; restore full service within 24 hours.” |
| Regulatory Expectation | As per regulatory resilience frameworks. | Institution Specific | Mandated by BoE/FCA; must be tested and evidenced by 2025. |
Impact tolerance therefore builds on and transcends RTO/RPO by encompassing the entire business service delivery chain, including people, processes, third parties, and technology—not just systems or data. A firm could technically meet its RTO and RPO but still fail its impact tolerance if customers experience unacceptable delays or financial harm.
Implementing Impact Tolerance Metrics
- Identify Important Business Services (IBS)
Focus on external services where disruption could cause significant harm—for example, payment processing, claims handling, or online trading. - Set Impact Tolerances
Define quantifiable thresholds—usually in time, but also in volume or value. For example:- “Online trading platform unavailable for no more than 24 hours.”
- “Maintain at least 80% of normal transaction volumes.”
- “No more than £25 million cumulative financial impact.”
- Map Dependencies
Identify people, processes, technology, and third-party relationships underpinning each IBS to reveal potential single points of failure. - Scenario Testing
Conduct “severe but plausible” tests—cyberattack, data centre failure, supplier collapse—to validate whether tolerances can be maintained. - Governance and Review
Boards must approve and review tolerances annually, integrating findings into self-assessments and remediation plans.
Practical Examples
| Sector | Important Business Service | Impact Tolerance Metric | Outcome of Testing |
| Retail Banking | ATM cash withdrawals | ≤ 24 hours outage; ≥ 90% uptime maintained | Confirmed: Cash reserves sufficient; third-party dependency mapped. |
| Asset Management | Client web portal access | ≤ 48 hours disruption; cumulative cost < £30 million | Gaps found in cloud provider redundancy; remediation initiated. |
| Insurance | Policyholder claims processing | ≤ 5 days backlog; < 10% increase in complaints | Tolerance breached in simulated ransomware event; improvement plan implemented. |
Why It Matters
Impact tolerance metrics:
- Operationalize resilience—turning qualitative statements into measurable limits.
- Embed accountability—requiring board approval and oversight.
- Bridge gaps between IT recovery and customer protection—linking RTO/RPO performance to real-world outcomes.
- Enable regulatory compliance—meeting BoE, PRA, and FCA standards.
In essence, impact tolerance is the “so what” of continuity planning—it focuses on the harm to consumers and markets, not just systems or servers. They challenge organizations to think beyond IT restoration and toward end-to-end business service continuity.By combining quantitative thresholds, cross-functional testing, and board-level accountability, firms can meet regulatory expectations and—more importantly—maintain trust through disruption.
References
- Bank of England. Supervisory Statement SS1/21: Operational Resilience—Impact Tolerances for Important Business Services. March 2022. https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/supervisory-statement/2021/ss121-march-22.pdf
- Financial Conduct Authority. PS21/3: Building Operational Resilience. March 2022. https://www.fca.org.uk/publications/policy-statements/ps21-3-building-operational-resilience
- PwC. Operational Resilience: How to Set and Test Impact Tolerances. February 2020. https://www.pwc.co.uk/forensic-services/assets/documents/white-paper-on-impact-tolerances-feb-2020.pdf
- The Investment Association. Severe but Plausible Scenarios in Operational Resilience. March 2024. https://www.theia.org/sites/default/files/2024-03/SEVERE~4.PDF
Leave a Reply