3

Impact tolerances

Setting an impact tolerance

3.1

The Operational Resilience Parts[10] require firms to set an impact tolerance for each of their important business services. The Operational Resilience Parts define an impact tolerance as the maximum tolerable level of disruption to an important business service as measured by a length of time in addition to any other relevant metrics.

Footnotes

  • 10. Operational Resilience 2.2, Insurance – Operational Resilience 2.2.

3.2

The Operational Resilience Parts[11] require firms to set their impact tolerances at the point at which any further disruption to the important business service would pose a risk to the firm’s safety and soundness, and in the case of insurers, policyholder protection, and, if a firm meets the criteria as set out in the Operational Resilience Parts,[12] the financial stability of the UK.

Footnotes

  • 11. Operational Resilience 2.3, Insurance – Operational Resilience 2.3.
  • 12. Operational Resilience 2.3, Insurance – Operational Resilience 2.3.

3.3

When setting an impact tolerance for an individual important business service, the PRA expects firms to take into account the impact of failure of other related important business services. These may be related because, for example, they share common resources which support the delivery of the important business services or where simultaneous disruption could have compounding impacts on similar external end users. The PRA expects firms to take a proportionate approach in making this assessment, and only to consider extra layers of complexity where there are significant benefits in terms of building operational resilience.

3.4

Impact tolerances provide a standard which boards and senior management should use for prioritising investment and making recovery and response arrangements (see Chapters 4 to 6 of this SS). They may be helpful in informing decision-making during operational disruptions, when they would be considered alongside other information relevant to managing an incident effectively.

3.5

The PRA expects impact tolerances to be set on the assumption that a disruption will occur. Firms should not consider the cause or probability of disruption when setting their impact tolerances.

3.6

An impact tolerance must,[13] in all cases, include a time-based metric to measure the tolerable level of disruption to an important business service. Firms are also required to consider[14] whether time-based impact tolerances should be used in conjunction with additional metrics, such as the volume or value of transactions that the firm can tolerate being interrupted for that period of disruption. See paragraphs 3.10 to 3.16 for more on impact tolerance metrics.

Footnotes

  • 13. Operational Resilience 2.4, Insurance – Operational Resilience 2.4.
  • 14. Operational Resilience 2.4, Insurance – Operational Resilience 2.4.

3.7

Firms may choose to set their impact tolerances by assuming an important business service is unavailable for a specified period of time and judging the potential impact this would have. If this disruption would not pose a risk to the firm’s safety and soundness, (in the case of insurers) policyholder protection, and (if applicable) the financial stability of the UK, the firm could consider the impact of a longer disruption. If, for example, the firm judges that after an important business service has been unavailable for five days, there would be a risk to the financial stability of the UK, this would be the point within which the firm would set its impact tolerance.

3.8

When judging the point at which safety and soundness, (in the case of insurers) policyholder protection, or (if applicable) the financial stability of the UK is at risk, firms should consider identifying quantitative and qualitative indicators. In identifying indicators, firms should consider the factors identified in paragraph 2.5 of this SS.

3.9

Impact tolerances are defined as the maximum tolerable amount of disruption and should apply at peak times as well as in normal circumstances. As such, when setting impact tolerances, firms may wish to consider different times of the day, different points in the year, or broader factors which may lead to activity within the important business service significantly increasing.

Impact tolerance metrics

3.10

Firms should state their impact tolerances using clear metrics. Firms should set at least one impact tolerance for each important business service they have identified.

3.11

The PRA requires[15] firms to use a time-based metric for all impact tolerances, but, where appropriate, firms should use a time-based metric in conjunction with other metrics. For example, a firm could set its impact tolerance at a certain volume of interrupted transactions due to the disruption of the firm’s important business service, in conjunction with the disruption continuing after a certain number of hours.

Footnotes

  • 15. Operational Resilience 2.4, Insurance – Operational Resilience 2.4.

3.12

A time-based metric for an impact tolerance should specify that a particular important business service should not be disrupted beyond a certain period of or point in time, for example after 24 hours or at the end of the day. An impact tolerance that combines time with a volume and/or value metric might state that the firm will not tolerate the business service delivering less than a certain percentage of normal operating capacity for a specified period of time.

3.13

Impact tolerances should not consider the frequency at which operational disruptions are likely to occur. Rather, they should be focused on setting the limit of the impact the firm can tolerate from a single disruption.

3.14

Setting an impact tolerance enables firms to assess the status of, and set resilience requirements for, the necessary people, processes, technology, facilities, and information (the ‘resources’) that contribute to the delivery of an important business service. These requirements might include capacity specifications, recovery time objectives, and recovery point objectives. These requirements should be set to enable the firm to deliver the important business service within its impact tolerance.
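As an added illustration (not part of the PRA's statement) of how paragraphs 3.3, 3.12 and 3.14 fit together, the following Python models an impact tolerance as a time metric plus an optional capacity metric, checks each resource's recovery targets against it, and derives the tightest RTO a resource shared by several important business services must meet. All service and resource names, hours and percentages are constructed sample values, and the check assumes resources recover in parallel.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ImpactTolerance:
    """Maximum tolerable disruption: a time metric plus an optional capacity metric."""
    max_hours: float             # time-based metric, always required
    min_capacity_pct: float = 0  # lowest acceptable % of normal capacity during the period

@dataclass(frozen=True)
class Resource:
    """A people/process/technology/facility/information resource with its recovery target."""
    name: str
    rto_hours: float             # recovery time objective set for this resource
    capacity_pct: float = 100    # % of normal capacity available once recovered

@dataclass(frozen=True)
class Service:
    name: str
    tolerance: ImpactTolerance
    resources: tuple             # resources that contribute to delivering the service

def findings(service):
    """Resources whose recovery targets cannot keep the service within its tolerance.
    Assumption: resources recover in parallel, so the slowest RTO bounds the service."""
    out = []
    for r in service.resources:
        if r.rto_hours > service.tolerance.max_hours:
            out.append((r.name, "rto", r.rto_hours, service.tolerance.max_hours))
        if r.capacity_pct < service.tolerance.min_capacity_pct:
            out.append((r.name, "capacity", r.capacity_pct, service.tolerance.min_capacity_pct))
    return out

def required_rto(resource_name, services):
    """Tightest RTO a shared resource must meet: the smallest time tolerance
    among the services that depend on it (the shared-resource point in 3.3)."""
    hours = [s.tolerance.max_hours for s in services
             if any(r.name == resource_name for r in s.resources)]
    return min(hours) if hours else None

# Constructed sample data (hypothetical firm, not from the PRA text).
CORE_DB = Resource("core-ledger-db", rto_hours=36)
SCHEDULER = Resource("batch-scheduler", rto_hours=8, capacity_pct=60)
PAYMENTS = Service("payments", ImpactTolerance(max_hours=24, min_capacity_pct=80), (CORE_DB, SCHEDULER))
MORTGAGES = Service("mortgage-servicing", ImpactTolerance(max_hours=72), (CORE_DB,))
SERVICES = (PAYMENTS, MORTGAGES)

if __name__ == "__main__":
    for s in SERVICES:
        for f in findings(s):
            print(s.name, f)
    print("core-ledger-db must meet RTO <=", required_rto("core-ledger-db", SERVICES))
```

Running it shows that the 36-hour RTO on the shared database is acceptable for mortgage servicing but breaches the 24-hour payments tolerance, so the resource requirement has to be driven by the tighter service.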

3.15

There may be circumstances when a firm continuing to deliver a service through disruption may have a more adverse impact than suspending it. An example of this is where the firm cannot sufficiently assure the integrity of data underpinning an important business service.

3.16

The PRA’s Fundamental Rules[16] will remain relevant to decision making during operational disruptions, including decisions about when an important business service is suspended or restored. When setting impact tolerances, the PRA expects firms to consider the circumstances that might be prevailing at the time of the disruption, to help them make informed recovery and response decisions, including when they may decide not to resume the functioning of their important business services within the specified time. The PRA expects that firms should not be forced into inappropriate actions because of their impact tolerances in the event of a disruption.

Footnotes

  • 16. Fundamental Rules 2, 3, 5, and 6 are particularly relevant for this example.