Operational Resilience Update - Impact Tolerances
Under Operational Resilience, firms must set impact tolerances for important business services and regularly review them. Recent FCA findings highlighted a variety of impact tolerances with limited rationale on what constitutes intolerable consumer harm or risks to market integrity, necessitating further clarification. Including the full rationale in self-assessments ensures that the board (and others, including regulators) understands these tolerances properly.
Most firms have set time-bound impact tolerances, but should also use other metrics, such as customer types, transaction values, and estimated losses. In the asset management world, perhaps it is this last one (a financial loss to the customer) that meets the definition of “intolerable harm.”
If recovery within a time-based impact tolerance is not feasible, consider mitigating actions in response plans to stay within tolerance. Remember, impact tolerances differ from recovery time objectives (RTOs); RTOs are the maximum time to recover services, while impact tolerances often require processing beyond recovery to prevent harm. Thus, RTOs are typically set well within impact tolerances to ensure compliance.