The Importance of Impact Tolerance in Operational Resilience

Impact tolerance is an important component of an operational resilience strategy. By understanding your impact tolerance, you can better understand the impact single points of failure and vulnerabilities could have on your organization. From there, you can use that information to prioritize what’s most important and then focus on mitigation and remediation.

Yet, many organizations aren’t quite sure exactly what their impact tolerance is or the role it plays in ensuring operational resilience now and in the future.

The Operational Resilience Connection

Before we dive into impact tolerance, it’s important to understand how it’s connected with operational resilience.

At Castellan, we see operational resilience as your organization’s ability to continue to provide business services when faced with adverse operational events by anticipating, preventing, recovering from, and adapting to those events.

And, importantly, learning from those events, by asking:

• What happened we didn’t anticipate?
• What worked?
• What went wrong?
• What can we do better?

As part of your resilience strategy, there are several areas you’ll need to explore before setting your impact tolerance. For example, ensure you’ve:

• Established governance and executive and key stakeholder engagement
• Digitized your business model with a customer focus
• Identified all of your business services and products
• Identified plausible scenarios

From there, it’s time to dive into setting your impact tolerance.

Understanding Impact Tolerance

So, what is impact tolerance and why is it important for your organization?

Defining impact tolerance is difficult. At Castellan, we define impact tolerance as a point in time—or decreased capacity of—an important business service that causes unacceptable harm to a customer, the broader market, or irrevocably threatens your organization’s viability.

Unfortunately, as pointed out in the BC Management BCM Trends Report 2021[MOU1] , 75% of organizations don’t understand program drivers and another 70% have not intentionally developed strategies to recover important business services.

Why is this important? Because of the value proposition of setting good impact tolerances. Doing this well can help your teams, especially your executives, better understand key program drivers and expected outcomes.

When you establish and use impact tolerance properly, it brings a range of resilience benefits. For example, your organization is better poised to:

• Develop a shared understanding of the required resiliency level
• Elevate the level your leaders see as resilience and business continuity activities occur
• Contextualize single points of failure and vulnerabilities
• Bring a sense of urgency to remediation and improvement activities

Tips to Set Impact Tolerance

While there is no magic formula to set impact tolerance, here are some tips that can help get you on the right path. We recommend a five-step framework that looks like:

1. Identify important business services.
   • Consider this a prerequisite.
   • Take into consideration impact to customers, markets, and safety and soundness of your organization.
2. Identify metrics and create baselines (quantitative).
   • These metrics should help you understand important business services scope in areas such as: markets/areas where you deliver services, customer segmentation with percentages and customer types, identification of vulnerable customers, regulatory requirements and other obligations, and your delivery channels.
   • It’s important to note here that each organization’s metrics and baselines will be different depending on your important business services, for example, service revenue, processing volume and capacity, service level agreements (SLAs) and other factors.
3. Develop a rubric to assess harm (qualitative).
   • Here, your goal is to work with teams across your organization, such as service owners and managers, to understand what would happen from business services disruption, with a focus on three segments: customers, internal impact, and market impact.
   • It’s helpful to align your approaches with risk frameworks you’re already using.
4. Set impact tolerance
   • Your different quantitative and qualitative data will lead you to a range of conclusions, so it’s important to establish an impact tolerance timeframe and include other metrics such as capacity.
   • In this step, you should be able to determine why an impact tolerance was set and why not another.
5. Assess appropriateness
   • Focus on validating feasibility, taking into account end-to-end mapping, business continuity, IT, and disaster response data, enterprise risk data, SLAs, and leadership input.
   • While your recovery time objectives (RTOs), SLAs, and risk data are great checks and balances, these should not be the driving factors for your impact tolerance.

The Takeaway

Ideally, as you go through this process, you should be able to look back and have a better understanding of what your impact tolerance is. By defining plausible scenarios and determining your remediation prioritization strategies, your organization should be in a solid position to understand which of your resources, if disrupted, would prevent you from resuming important business services as you’ve aligned them to your impact tolerances. This is a core element of operational resilience.

Want to take a deeper dive into how to establish impact tolerances for your organization? Download our Impact Tolerance Builder or contact a Castellan advisor today.