Many organisations have demonstrated crucial resilience throughout the pandemic, and while lessons have been learnt, it is important that firms do not lose sight of maintaining resilience for future events. This week Lindsey Domingo at Xcina Consulting Limited looks at the concept of impact tolerances, mandated by the UK financial regulators in their respective policy statements in March 2021. We have been working with several firms, helping to guide them through the process of setting impact tolerances, which should follow once important business services have been identified.
An impact tolerance is the maximum tolerable level of disruption to an important business service and represents the point beyond which the harm caused by a service disruption becomes intolerable. The regulators’ definitions of important business services refer to an intolerable level of harm for consumers, risks to the firm’s safety and soundness, and risks to UK financial stability. In this context, consumers are regarded as those end-users who are the direct consumers of the firm’s services or are in other ways dependent upon them. This includes both retail and wholesale market participants.
The threshold to be met is set quite high. Firms should start by identifying all their business services and then shortlist the ones with a severe impact based on these definitions. Once firms have identified their important business services, they must consider how disruption to these services can impact the regulators’ objectives. This goes beyond the firm’s own business objectives.
Intolerable harm has to be much more severe than harm or inconvenience. The FCA views intolerable harm as an outcome which consumers cannot easily recover from, for instance where, post disruption, a firm is unable to put a client back into a correct financial position, or where there have been serious non-financial impacts that cannot be effectively remedied.
Impact tolerances do not factor in the frequency at which operational disruptions are likely to occur. Rather, they focus on setting the limit of the impact the firm can tolerate from a single disruption.
Firms should set these impact tolerances on the assumption that disruption will occur, and they should not consider the cause or probability of disruption.
Outcomes and Metrics
Impact tolerances are expressed by reference to specific outcomes and metrics. Those impact tolerance metrics need to be clear, specific and measurable. A firm should be able to determine the outcome if the impact tolerances are exceeded.
Firms should set at least one impact tolerance for each important business service identified. Dual-regulated firms are expected to set two impact tolerances for each important business service, in line with each regulator’s statutory objectives.
Metrics should always include the maximum tolerable duration (a time-based metric), specifying the length of time for which a disruption to an important business service can be accepted. Firms could also include other considerations such as the volume of disruption (e.g. the number and types of consumers affected) or a measure of data integrity. Where appropriate, firms should use a time-based metric in conjunction with other metrics, including, but not limited to, the following:
Using a combination of metrics may be more appropriate for some important business services, for instance where a service could run at a percentage capacity of its full capability for a certain period (time) before causing intolerable harm to consumers or risk to market integrity.
Determining what constitutes intolerable harm
There is no strict definition of intolerable harm to be applied when setting impact tolerances. This differs across sectors and varies between firms, but consideration should be given to certain factors:
Point at which an Impact Tolerance is set
When assessing the point in time where intolerable harm might arise, firms are encouraged to base this assessment on the assumption that no resilience and recovery controls would be available.
In the above example, the impact tolerance threshold would be set at 90 minutes. Scenarios 1 to 4 can be recovered within impact tolerance, whereas Scenario 5 would lead to an intolerable level of harm.
Differing statutory objectives and impact tolerances
There are nuances in the regulators’ requirements based on their specific statutory objectives.
Dual-regulated firms must also identify a separate impact tolerance for their important business service (one for each regulator’s objectives). Regulators expect that, while firms need to set tolerances for each important business service by reference to that authority’s operational resilience rules, such firms will effectively manage the tolerances together.
Firms may set their separate impact tolerances at the same point if they deem it suitable for the purposes of each authority but will need to be able to justify this decision if challenged. Ensuring a firm can remain within the more stringent tolerance would be acceptable if they can demonstrate:
Example of different Impact Tolerances set by a dual-regulated firm for the same important business service
The FCA advised that dual-regulated firms are allowed to set additional sub-tolerances if they find it beneficial. It also commented that it will work collaboratively with the PRA to ensure they supervise tolerances efficiently.
Smaller firms are not required to consider financial stability when setting impact tolerances.
Where a firm fails to remain within an impact tolerance it has set, it would be expected to notify the FCA under its Principle 11 and, if applicable, the PRA’s Fundamental Rule 7.
When a firm is using a third-party service provider in the provision of important business services, it should work effectively with that provider to set and remain within impact tolerances.
The requirements to set and remain within impact tolerances remain the firm’s responsibility, regardless of whether it uses external parties for the provision of important business services.
Reviewing Impact Tolerances
Regulators require firms to keep impact tolerances under review so that they remain relevant, and to consider their continued ability to comply with them if there is a relevant change to their business or to the market in which they operate.
They also require firms to prepare and regularly update a documented self-assessment of their compliance with the Operational Resilience obligations.
Practical considerations when setting an impact tolerance include the following:
Availability of data: Lack of data can be an issue when firms are looking to identify different points of harm and quantify disruption.
Fluctuations in demand: When setting impact tolerances, firms must take account of the fluctuations in demand for their important business services at different times of the day and throughout the year, to ensure that each tolerance is appropriate in the light of peak demands.
Frequency of operational disruptions: Firms must set their impact tolerances with reference to a single disruption to an important business service rather than an aggregation of a number of separate disruptions.
Disruption to multiple important services: Recognising that disruptions to multiple important services could significantly compound the impacts of disruptions, regulators expect firms to take into account the impact of the failure of other related important business services when setting impact tolerances.
Granularity of Impact Tolerance specification: Setting impact tolerances starts with clearly defining important business services. Firms should follow an approach that best suits their business model and consumer base. Firms must tailor it to their own needs and organisational structure in a proportionate fashion given the relative complexity of their business and delivery mechanisms.
Third-party providers: Firms should consider the alignment between their impact tolerances and the standards of resilience offered by their supporting third-party providers. Firms should engage with providers to understand their approach for mitigating the risk and impact of disruption and to document the process followed.
Integrating operational resilience with risk management: Given that impact tolerances are a new concept, it may be less than straightforward to establish how the process for setting these might integrate into a firm’s existing risk management framework.