Operational resilience has become a defining priority for organizations in sectors like finance and insurance, especially in the UK and Europe. Although there are some differences between the FCA and PRA operational resilience frameworks and DORA (the Digital Operational Resilience Act), there are many overlaps and best practices, which will slowly be adopted by other industries if they prove effective. The concepts within operational resilience have merit even in pharmaceuticals, healthcare, and manufacturing. With increasing disruptions caused by cyberattacks, supply chain issues, and evolving regulations, businesses need robust frameworks to protect critical services and maintain customer trust.
In the framework defined by the Bank of England, a key component of defining metrics around important business services is “impact tolerance”: an essential concept that offers tangible goals for determining how much disruption a business can tolerate before its operations, its customers, the company, or even the market are jeopardized.
This guide explores what impact tolerance means in the context of operational resilience, why it matters, and how businesses can effectively design and track their thresholds to strengthen resilience. The concepts in this can be applied to any industry, even if not regulated by FCA/PRA or DORA.
What are impact tolerances in operational resilience?
Defining impact tolerance
Impact tolerance is commonly defined as the maximum tolerable level of disruption that an organization can endure without causing unacceptable harm to its operations, stakeholders, or customers. Many metrics can be used to measure what could or would cause harm. Unlike broader risk management strategies, which aim to prevent disruptions entirely, impact tolerances acknowledge that incidents are inevitable. Instead, they focus on defining clear limits for disruption and ensuring the organization is prepared to recover before these thresholds are breached.
For example, an impact tolerance might represent the maximum system downtime a business can allow before reputational harm or financial losses escalate. An impact tolerance could also be measured as a threshold of impacted customers, a financial loss threshold, an unacceptable wait time, a dropping NPS score, or a breach of SLAs.
Impact tolerance vs. risk appetite and recovery time objectives
While related, impact tolerance differs significantly from concepts like risk appetite or recovery time objectives (RTO). Risk appetite reflects the level of risk an organization is willing to take across its operations, while recovery time objectives set specific targets for restoring functions after an incident.
Impact tolerance, on the other hand, takes a broader and more dynamic perspective. It considers the level of pain an operation endures during a disruption, focusing on more than just whether the system is operational. By continuously monitoring and responding to this “pain level,” organizations can adapt on the fly, potentially avoiding a full-scale interruption. Impact tolerance can also be used proactively: if a threshold is monitored, warnings can trigger alarms that indicate an escalating situation or a pending disaster.
Examples of impact tolerance metrics
Common metrics to define impact tolerance include:
- System downtime: Maximum allowable hours of service unavailability.
- Financial thresholds: Dollar values representing unacceptable costs from disruptions.
- Customer impact levels: Number of clients affected before customer trust is compromised.
- Supply chain delays: Maximum tolerable delays in delivery or procurement processes.
- SLA levels: Breach, or approaching breach, of SLAs.
- Customer complaints: This can be NPS scores, dropping renewals, increases in customer complaints, and changes in response time or customer satisfaction.
- Wider impacts: Harm to the company as a whole or to the market.
Why are impact tolerances critical for resilience?
Safeguarding critical business services
Impact tolerance ensures that important business services, those essential for delivering customer value or meeting regulatory obligations, are protected during disruptions. It challenges businesses to predefine acceptable levels of disruption, enabling faster, coordinated responses and minimizing downtime.
Aligning with regulatory expectations
Global regulatory frameworks increasingly demand that organizations define and maintain impact tolerances to demonstrate operational resilience. For example, financial services regulators like the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) in the United Kingdom mandate impact tolerance assessments as part of operational resilience programs. While impact tolerances are not necessarily a regulatory requirement under the Digital Operational Resilience Act (DORA), the importance of outlining services and their dependence on technology, supply chain, functions, and CTPS (Critical Third Party Services) still aligns with the concept of impact tolerance.

Practical benefits
Impact tolerances support resilience by improving decision-making, fostering stakeholder confidence, and giving a better understanding of the triggers, thresholds, and warnings surrounding a company’s important business services. Furthermore, they help allocate resources better by focusing investments where they matter most.
The cost of disruptions
Operational disruptions have direct consequences for businesses, with financial and reputational costs rising every year. According to IBM, the average cost of a data breach alone globally was $4.88 million in 2024. Organizations with robust resilience frameworks, including impact tolerance thresholds, not only reduce the frequency of incidents but also mitigate their cost.
Steps to set effective impact tolerances
1. Identify critical business services
Pinpoint the services essential to achieving your organizational goals, meeting regulatory requirements, and serving customer needs. Examples include payment processing in financial services or supply chain coordination in manufacturing.
2. Identify critical dependencies
Identify dependencies on information and communication technology, functions/processes, supply chain and critical third parties.
3. Assess risks and threat scenarios
Evaluate the risks that pose the greatest threat to your critical services, such as cyberattacks, power outages, or pandemic-related disruptions. Prioritize risks with the highest likelihood and potential impact on your operations. Treat the prioritized risks with controls, following your risk methodology.
4. Determine impact tolerance thresholds
Define your organization’s limits for tolerable disruption based on financial, operational, and reputational factors.
- Example Case: A bank might determine its payment processing service cannot afford downtime exceeding 2 hours, as this would result in significant customer dissatisfaction and regulatory scrutiny.
Use financial modeling, stakeholder insights, and historical data to set realistic and achievable thresholds.
5. Test the impact tolerances in scenarios
Create scenarios to test the impact tolerances, document the results, report any issues or action items, and update recovery strategies and tolerances to adapt.

6. Document and align with stakeholders
Work with leadership, departmental heads, and external regulators to ensure your impact tolerances align with organizational objectives and compliance standards.
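As an added illustration of steps 4 and 5 (not code from the original article), the following monitor evaluates observed disruption metrics for an important business service against predefined tolerances and raises an early warning before a threshold is actually breached. The service name, the three tolerances (including the article's 2-hour payment processing case), the 75% warning ratio, and the incident timeline are all constructed assumptions.

```python
"""Impact-tolerance monitor: added example, not part of the original article.
Service, tolerances, warning ratio and incident snapshots are constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Tolerance:
    metric: str               # e.g. "downtime_minutes", "customers_affected"
    limit: float              # maximum tolerable level; breached at or above it
    warn_ratio: float = 0.75  # fraction of the limit that triggers an early warning


@dataclass
class ServiceTolerances:
    service: str
    tolerances: list[Tolerance]


def evaluate(service: ServiceTolerances, observed: dict[str, float]) -> dict[str, str]:
    """Return a status per metric: 'ok', 'warning' (approaching) or 'breached'."""
    result = {}
    for t in service.tolerances:
        value = observed.get(t.metric, 0.0)  # a metric not yet observed counts as 0
        if value >= t.limit:
            result[t.metric] = "breached"
        elif value >= t.limit * t.warn_ratio:
            result[t.metric] = "warning"
        else:
            result[t.metric] = "ok"
    return result


def overall_status(statuses: dict[str, str]) -> str:
    """The service status is the worst status across its metrics."""
    if "breached" in statuses.values():
        return "breached"
    if "warning" in statuses.values():
        return "warning"
    return "ok"


def track_incident(service: ServiceTolerances, timeline: list[dict[str, float]]) -> list[str]:
    """Evaluate each snapshot of an unfolding incident in order."""
    return [overall_status(evaluate(service, snapshot)) for snapshot in timeline]


# Constructed: a bank's payment processing service with a 2-hour downtime tolerance.
PAYMENTS = ServiceTolerances("payment_processing", [
    Tolerance("downtime_minutes", 120),
    Tolerance("customers_affected", 10_000),
    Tolerance("financial_loss_usd", 500_000),
])

# Constructed incident snapshots taken as an outage grows.
INCIDENT = [
    {"downtime_minutes": 30, "customers_affected": 1_200, "financial_loss_usd": 20_000},
    {"downtime_minutes": 95, "customers_affected": 7_800, "financial_loss_usd": 150_000},
    {"downtime_minutes": 125, "customers_affected": 12_000, "financial_loss_usd": 420_000},
]

if __name__ == "__main__":
    for snapshot, status in zip(INCIDENT, track_incident(PAYMENTS, INCIDENT)):
        print(status, evaluate(PAYMENTS, snapshot))
```

The second snapshot already reports "warning" on downtime and customers affected, which is the point at which an escalation should start rather than at the 2-hour breach itself.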
Challenges in setting and tracking impact tolerances
Common obstacles
- Lack of clear data: Defining thresholds can be difficult without reliable metrics or historical data.
- Misaligned priorities: Different departments may have conflicting views regarding what qualifies as “critical.”
- Rigid approaches: Using inflexible methodologies can undermine efforts to adapt to evolving risks.
- Technology gap: Relying on tools that do not effectively automate risk management can increase the negative impact of threats.
Overcoming challenges
- Implement cross-department collaboration to align on priorities.
- Leverage third-party experts to conduct unbiased impact tolerance analyses.
- Automate data collection, analysis and communication with cutting-edge tools, such as software solutions.
Strengthening operational resilience

Establishing and tracking impact tolerances is essential for building a resilient organization. By following the steps outlined above, businesses can ensure continuity during disruptions, maintain regulatory compliance, and protect their reputation.
To succeed, embed impact tolerance strategies within a broader risk management and business continuity framework. Aligning these efforts with regulatory standards and customer expectations will position your organization as both adaptable and forward-thinking.
For more actionable insights on resilience strategies, consult our operational resilience page and consider leveraging specialized resilience solutions designed for your industry.