Practical considerations when setting an impact tolerance include the following:
Availability of data: Lack of data can be an issue when firms are looking to identify different points of harm and quantify disruption.
Fluctuations in demand: When setting impact tolerances, firms must take account of the fluctuations in demand for their important business services at different times of the day and throughout the year, to ensure that each tolerance is appropriate in the light of peak demands.
Frequency of operational disruptions: Firms must set their impact tolerances with reference to a single disruption to an important business service rather than an aggregation of a number of separate disruptions.
Disruption to multiple important services: Recognising that disruptions to multiple important services could significantly compound the impacts of disruptions, regulators expect firms to take into account the impact of the failure of other related important business services when setting impact tolerances.
Granularity of impact tolerance specification: Setting impact tolerances starts with clearly defining important business services. Firms should follow an approach that best suits their business model and consumer base, and must tailor that approach to their own needs and organisational structure in a proportionate fashion, given the relative complexity of their business and delivery mechanisms.
Third-party providers: Firms should consider the alignment between their impact tolerances and the standards of resilience offered by their supporting third-party providers. Firms should engage with providers to understand their approach for mitigating the risk and impact of disruption and to document the process followed.
Integrating operational resilience with risk management: Given that impact tolerances are a new concept, it may not be straightforward to establish how the process for setting them might integrate into a firm’s existing risk management framework.