How should firms determine and set impact tolerances
Outcomes and Metrics
Impact tolerances are expressed by reference to specific outcomes and metrics. Those impact tolerance metrics need to be clear, specific and measurable. A firm should be able to determine the outcome if the impact tolerances are exceeded.
Firms should set at least one impact tolerance for each important business service identified. Dual-regulated firms are expected to set up two impact tolerances for each important business service in line with each regulator’s statutory objectives.
Metrics should always include the maximum tolerable duration (time-based metric), specifying the length of time for which a disruption to an important business service can be accepted. Firms could also include other considerations such as the volume of disruption (e.g. the number and types of consumers affected) or a measure of data integrity. Where appropriate, firms should use a time-based metric in conjunction with other metrics, including, but not limited to the following:
Using a combination of metrics may be more appropriate for some important business services, for instance where a service could run at a percentage capacity of its full capability for a certain period (time) before causing intolerable harm to consumers or risk to market integrity.
Determining what constitutes intolerable harm
There is no strict definition of intolerable harm to be applied when setting impact tolerances. This differs across sectors and varies between firms, but consideration should be given to certain factors:
Point at which an Impact Tolerance is set
When assessing the point in time where intolerable harm might arise, firms are encouraged to base this assessment on the assumption that no resilience and recovery controls would be available.
In the above example, the impact tolerance threshold would be set at 90 minutes. Scenarios 1 to 4 can be recovered within impact tolerance, whereas Scenario 5 would lead to an intolerable level of harm.