| Key Takeaways |
| Impact tolerances define the maximum tolerable disruption to an important business service before intolerable harm occurs to consumers, markets, or financial stability. |
| The PRA and FCA required UK firms to remain within impact tolerances by 31 March 2025; DORA imposes similar expectations across the EU from January 2025. |
| A robust methodology uses five steps: identify important business services, map dependencies, define harm thresholds, calibrate tolerances, and test against severe-but-plausible scenarios. |
| Tolerances must go beyond a single time metric; best practice includes financial thresholds, customer volumes, data-integrity limits, and reputational triggers. |
| Calibration should anchor to consumer harm data, complaint volumes, and regulatory expectations rather than internal recovery convenience. |
| Scenario testing must incrementally increase in severity until the organisation can no longer stay within tolerance, revealing true vulnerability points. |
| Board ownership and annual recalibration are non-negotiable; tolerances are governance artefacts, not technical settings. |
The FCA’s 2025 Insights and Observations report flagged a persistent weakness across regulated firms: impact tolerances that rely on a single time-based metric with limited rationale for why that threshold represents the point of intolerable harm.
Too many organisations set a number that feels comfortable rather than one that reflects genuine consumer or market consequences.
That gap matters. Since 31 March 2025, every PRA- and FCA-regulated firm must demonstrate it can remain within impact tolerances for each important business service under severe-but-plausible scenarios.
The EU’s DORA regulation, enforceable since January 2025, drives similar expectations for digital operational resilience across 27 member states.
This methodology guide gives you a repeatable, five-step process for setting, calibrating, and testing impact tolerances.
Every step includes tables, worked examples, and templates you can adapt directly. The approach aligns with ISO 22301 recovery concepts and the broader operational resilience vs business continuity framework that underpins modern resilience programmes.

What Is an Impact Tolerance?
An impact tolerance is the maximum tolerable level of disruption to an important business service, measured by duration and any other relevant metrics.
The PRA defines it as the point at which disruption would pose a risk to a firm’s safety and soundness or to financial stability. The FCA frames it as the point of intolerable consumer harm or risk to market integrity.
These definitions drive every decision in the calibration process. Understanding this concept is fundamental to your wider business continuity management and enterprise risk management framework.
Impact Tolerance vs RTO vs Risk Appetite
| Concept | Definition | Set By | Purpose |
| Impact Tolerance | Maximum tolerable disruption before intolerable harm to consumers/markets | Board / service owner | Drives resilience investment and scenario testing |
| RTO (Recovery Time Objective) | Target time to restore a process after disruption | BCM team (via BIA) | Drives recovery plan design and DR infrastructure |
| RPO (Recovery Point Objective) | Maximum acceptable data loss measured in time | IT / BCM team | Drives backup frequency and replication strategy |
| Risk Appetite | Aggregate amount and type of risk the board is willing to accept | Board / risk committee | Sets boundaries for strategic risk-taking |
| MTPD | Maximum tolerable period of disruption before viability is threatened | Senior management | Triggers escalation to crisis management |
The critical insight: an impact tolerance looks outward from the customer or market perspective, while RTOs and RPOs look inward at recovery capability.
A firm can meet every RTO and still breach its impact tolerance if the customer experience degrades beyond acceptable limits. This distinction is what separates operational resilience from traditional business continuity.
Step 1: Identify Important Business Services
Before setting any tolerance, you must define what matters. The PRA and FCA require firms to identify their “important business services” (IBS) — services delivered to external end-users where disruption could cause intolerable harm.
This is not the same as a business impact analysis process list; IBS are defined from the customer and market perspective, not the internal process perspective.
IBS Identification Criteria
| Criterion | Description | Example Questions |
| Consumer dependency | Service is essential for consumers to access financial products or manage their affairs | Can customers access their money? Can they make payments? Can they view their balances? |
| Market significance | Disruption would affect the orderly functioning of financial markets | Does the service support price discovery, clearing, or settlement? |
| Financial stability | Service failure could pose systemic risk | Does the service underpin critical financial infrastructure? |
| Regulatory obligation | Service is tied to a specific regulatory requirement or licence condition | Is the service a condition of the firm’s authorisation? |
| Third-party provision | Service is delivered through or depends heavily on third parties | Do external providers handle key processing, hosting, or data? |
Step 2: Map Dependencies and Resources
Once you have identified your important business services, map the people, processes, technology, facilities, information, and third-party providers that support each service end-to-end.
The FCA has been clear that mapping must be comprehensive enough to identify single points of failure and concentration risks. This feeds directly into your risk register and dependency analysis.
Dependency Mapping Template
| IBS Name | People | Technology | Data | Third Parties | Facilities |
| Customer Payments | Payments ops team (12 FTE); on-call rota | Core banking system; SWIFT gateway; API layer | Transaction records; customer auth data; AML screening | Payment processor (Vendor A); cloud host (Vendor B) | Primary DC (London); DR site (Manchester) |
| Client Onboarding | KYC team (8 FTE); compliance analysts | CRM; ID verification platform; document mgmt | PII; KYC/AML data; beneficial ownership records | ID verification provider; credit reference agency | Head office; remote-capable |
| Investment Trading | Trading desk (20 FTE); risk analysts | Order management system; market data feeds; FIX connectivity | Trade data; position records; market data | Exchange connectivity; prime broker; clearing house | Trading floor; DR trading room |
Step 3: Define Harm Thresholds and Metrics
This is where most firms struggle. The FCA flagged that firms use a narrow range of metrics and lack the rationale connecting those metrics to genuine harm.
Best practice requires multiple harm dimensions, each with a measurable threshold that represents the tipping point from tolerable to intolerable disruption. These thresholds connect to your key risk indicators and risk appetite statement.

Harm Dimensions and Metric Examples
| Harm Dimension | Metric | Threshold Example (Payments) | Data Source |
| Duration | Hours/days of service unavailability | Maximum 4 hours total outage in any 24-hour period | Incident management system |
| Consumer volume | Number of customers unable to access the service | No more than 50,000 customers affected simultaneously | Transaction monitoring; call centre data |
| Financial loss | Cumulative financial impact to consumers or firm | No more than £25 million cumulative consumer financial impact | Finance systems; claims data |
| Data integrity | Records corrupted, lost, or compromised | Zero tolerance for irrecoverable loss of transaction records | Database integrity checks; reconciliation logs |
| Market impact | Effect on market functioning or price discovery | No disruption exceeding 30 minutes during market hours | Exchange connectivity monitoring |
| Reputational | Media coverage, complaint volumes, NPS impact | Fewer than 500 formal complaints within 48 hours of disruption | Complaints register; social media monitoring |
Each harm dimension should have a documented rationale explaining why that threshold represents the point of intolerable harm.
The rationale is not optional; the FCA explicitly requires it as part of the firm’s self-assessment and it supports your broader compliance risk assessment programme.
Step 4: Calibrate Impact Tolerances
Calibration converts your harm thresholds into a single, board-approved impact tolerance for each important business service. The tolerance is set at the most conservative (binding) constraint across all harm dimensions.
This means if consumer volume harm triggers at 4 hours but financial loss triggers at 6 hours, the impact tolerance is 4 hours. The calibration must reflect regulatory expectations, not internal convenience.

Calibration Decision Matrix
| IBS | Duration Limit | Consumer Volume | Financial Cap | Data Integrity | Calibrated Tolerance |
| Customer Payments | 4 hours | 50,000 customers | £25m cumulative | Zero irrecoverable loss | 4 hours (binding: duration + consumer volume) |
| Client Onboarding | 24 hours | 5,000 applications | £5m cumulative | Zero PII loss | 24 hours (binding: duration) |
| Investment Trading | 30 minutes (market hours) | All trading clients | £50m market exposure | Zero trade record loss | 30 minutes during market hours (binding: market impact) |
| Claims Processing | 48 hours | 10,000 claimants | £10m delayed payments | Zero claim record loss | 48 hours (binding: consumer financial harm) |
Calibration Governance Checklist
| Governance Requirement | Evidence Required |
| Board approval of each tolerance | Board minutes recording approval with named owner per IBS |
| Documented rationale per harm dimension | Written explanation linking threshold to consumer/market harm |
| Alignment with risk appetite statement | Cross-reference showing tolerance sits within board risk appetite |
| Regulatory benchmarking | Comparison with sector peers, regulatory guidance, and supervisory feedback |
| Annual review and recalibration trigger | Policy requiring review at minimum annually or after material change |
| Self-assessment documentation | Annual self-assessment per PRA SS1/21 and FCA PS21/3 requirements |
Step 5: Test, Validate, and Refine
Setting a tolerance is meaningless without testing it.
The PRA requires firms to use “severe but plausible” scenarios that vary in nature, severity, and duration, testing incrementally until the firm can no longer stay within tolerance.
This reveals the true gap between aspiration and capability. Testing methodology feeds into your scenario analysis programme and aligns with your disaster recovery plan exercises.
Scenario Testing Framework
| Scenario Type | Description | Severity Level | Testing Method |
| Cyber attack | Ransomware encrypts core systems; data exfiltration detected | High | Simulated attack with isolated environment; communication exercise |
| Third-party failure | Critical vendor experiences prolonged outage (>72 hours) | Medium-High | Tabletop with vendor representatives; switchover drill |
| Pandemic / people risk | 40% of key staff unavailable for 2+ weeks | Medium | Remote-working stress test; cross-training validation |
| Facility loss | Primary data centre or office destroyed | High | Full DR failover exercise; alternative site activation |
| Combined scenario | Cyber attack during peak trading period with concurrent vendor failure | Severe | Full-scale simulation combining multiple failure modes |
Testing Outcomes and Actions
| Test Result | Interpretation | Required Action | Reporting |
| Within tolerance | Service maintained within all harm thresholds under scenario | Document result; schedule next test cycle | Green status in board dashboard |
| Near-breach (within 80-100%) | Service approached but did not exceed tolerance | Prioritise remediation of identified weaknesses; retest within 90 days | Amber status; escalate to risk committee |
| Tolerance breached | Service exceeded one or more harm thresholds | Mandatory remediation plan with owner, deadline, and investment case | Red status; board escalation; regulatory notification consideration |
| Untestable | Insufficient data, tooling, or access to run meaningful test | Invest in monitoring, tooling, or mapping before next test window | Gap flagged in self-assessment |
Key Risk Indicators for Impact Tolerance Monitoring
Once tolerances are live, continuous monitoring is essential. The KRIs below provide early warning that a service is drifting toward a tolerance breach.
These supplement your existing KRI dashboard and connect to the leading vs lagging KRI framework.
| KRI | Type | Green | Amber | Red | Data Source |
| Service availability (%) | Leading | >99.9% | 99.5-99.9% | <99.5% | Real-time monitoring platform |
| Incident count per IBS (monthly) | Lagging | 0-1 | 2-3 | >3 | Incident management system |
| Mean time to detect (MTTD) | Leading | <15 min | 15-60 min | >60 min | SIEM / monitoring tools |
| Mean time to recover (MTTR) | Lagging | <50% of tolerance | 50-80% of tolerance | >80% of tolerance | Incident records |
| Third-party SLA adherence (%) | Leading | >98% | 95-98% | <95% | Vendor performance reports |
| Overdue remediation actions | Leading | 0 | 1-3 | >3 | Issues register |
| Days since last scenario test | Leading | <90 days | 90-180 days | >180 days | Testing calendar |
| Customer complaints post-incident | Lagging | <50 | 50-200 | >200 | Complaints register |
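The calibration rule in Step 4 (the most conservative harm dimension binds), the outcome bands in the Step 5 testing table, and the MTTR KRI above can be expressed as a small checker that a resilience team can run over scenario-test results. The following Python is an added example written for this guide, not code from the page or from any regulator or vendor it cites. The Customer Payments thresholds are taken from the calibration matrix; the per-hour harm accrual rates and the scenario-test result are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from math import inf


@dataclass(frozen=True)
class HarmThreshold:
    """One harm dimension of an important business service (IBS)."""
    dimension: str        # e.g. "duration", "consumer_volume"
    limit: float          # threshold of intolerable harm, in `unit`
    unit: str
    rate_per_hour: float  # assumed harm accrued per hour of outage under the scenario


# Customer Payments thresholds from the calibration matrix; the accrual rates are
# constructed assumptions for the scenario being modelled, not figures from the guide.
CUSTOMER_PAYMENTS = [
    HarmThreshold("duration", 4.0, "hours", rate_per_hour=1.0),
    HarmThreshold("consumer_volume", 50_000, "customers", rate_per_hour=12_500),
    HarmThreshold("financial_loss", 25_000_000, "GBP", rate_per_hour=4_000_000),
    HarmThreshold("data_integrity", 0.0, "irrecoverable records", rate_per_hour=0.0),
]

NEAR_BREACH_FRACTION = 0.8  # "near-breach (within 80-100%)" band from the outcomes table


def hours_to_breach(t: HarmThreshold) -> float:
    """Hours of disruption until this dimension crosses its threshold.
    A zero-tolerance dimension with no accrual never bounds the duration; a
    zero-tolerance dimension that does accrue harm binds the tolerance to 0 hours."""
    if t.rate_per_hour <= 0:
        return inf
    return t.limit / t.rate_per_hour


def calibrate(thresholds):
    """Step 4: the tolerance is the most conservative constraint across all
    harm dimensions. Returns (tolerance_hours, sorted binding dimensions)."""
    times = {t.dimension: hours_to_breach(t) for t in thresholds}
    tolerance = min(times.values())
    binding = sorted(d for d, h in times.items() if h == tolerance)
    return tolerance, binding


def consumed_fraction(observed: float, limit: float) -> float:
    """Share of a threshold used up by an observed harm level. A zero-tolerance
    limit is breached by any observed harm at all, so it never divides by zero."""
    if limit == 0:
        return inf if observed > 0 else 0.0
    return observed / limit


def classify_outcome(observed: dict, thresholds):
    """Step 5 outcome per the testing outcomes table. A dimension with no
    observation makes the test 'untestable' rather than silently passing."""
    fractions = {}
    for t in thresholds:
        if t.dimension not in observed:
            return "untestable", fractions
        fractions[t.dimension] = consumed_fraction(observed[t.dimension], t.limit)
    worst = max(fractions.values())
    if worst > 1.0:
        return "breached", fractions
    if worst >= NEAR_BREACH_FRACTION:
        return "near-breach", fractions
    return "within tolerance", fractions


def mttr_status(recovery_hours: float, tolerance_hours: float) -> str:
    """MTTR KRI band: under 50% of tolerance green, 50-80% amber, over 80% red."""
    ratio = recovery_hours / tolerance_hours
    if ratio < 0.5:
        return "green"
    if ratio <= 0.8:
        return "amber"
    return "red"


if __name__ == "__main__":
    tol, binding = calibrate(CUSTOMER_PAYMENTS)
    print(f"Calibrated tolerance: {tol} hours (binding: {', '.join(binding)})")
    # Constructed scenario-test result: 3.5h outage, 42,000 customers, £9m, no record loss
    test_result = {"duration": 3.5, "consumer_volume": 42_000,
                   "financial_loss": 9_000_000, "data_integrity": 0}
    status, fractions = classify_outcome(test_result, CUSTOMER_PAYMENTS)
    print(status, {k: round(v, 2) for k, v in fractions.items()})
    print("MTTR KRI:", mttr_status(test_result["duration"], tol))
```

With the assumed accrual rates, consumer volume and duration both bind at 4 hours while financial loss would only trigger at 6.25 hours, which reproduces the "binding: duration + consumer volume" entry in the matrix. The constructed test result lands at 87.5% of the duration threshold, so the outcome is near-breach and the MTTR KRI shows red, even though no threshold was actually exceeded; that is the early-warning behaviour the KRI table is designed to give.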

90-Day Implementation Roadmap
This roadmap takes you from initial assessment through to board-reported, tested impact tolerances.
Each phase produces artefacts that satisfy both PRA/FCA and DORA expectations. The approach aligns with your risk management lifecycle and risk management process steps.
| Phase | Actions | Deliverables | Success Metrics |
| Days 1-30: Identify & Map | Review and confirm IBS register; conduct dependency mapping workshops for top 5 services; gather historical incident, complaint, and financial loss data; benchmark against regulatory guidance and peer practices | Validated IBS register; end-to-end dependency maps; historical harm data pack; regulatory gap analysis | 100% of IBS confirmed by exec committee; maps completed for top 5 services; data pack covers 3+ years |
| Days 31-60: Calibrate & Govern | Define harm dimensions and thresholds per IBS; run calibration workshops with service owners; draft board paper with proposed tolerances; secure board approval; document rationale per tolerance | Board-approved impact tolerances; calibration rationale documents; governance framework (RACI, review triggers); updated risk appetite statement cross-reference | All IBS have multi-metric tolerances; board minutes record approval; rationale documents pass peer review |
| Days 61-90: Test & Report | Design and execute first scenario tests per IBS; document test results and gap analysis; produce self-assessment report; brief board on tolerance compliance status; plan Year 2 testing programme | Scenario test reports; remediation plan for any breaches; self-assessment report; board resilience dashboard; Year 2 testing calendar | All IBS tested against at least one severe-but-plausible scenario; remediation plans owned and funded; self-assessment submitted |
Common Pitfalls and How to Avoid Them
Based on FCA supervisory observations and practitioner experience, these are the mistakes that repeatedly undermine impact tolerance programmes.
Awareness of these pitfalls should be built into your RCSA process and internal audit risk assessment scope.
| Pitfall | Root Cause | Remedy |
| Single time-based metric only | Legacy BCM thinking carries over to OR | Adopt multi-dimensional harm metrics: duration + volume + financial + data integrity + reputational |
| Tolerances set for internal comfort | Desire to avoid breaches rather than reflect real consumer harm | Anchor to external data: complaint volumes, financial loss history, regulatory thresholds |
| No documented rationale | Tolerance treated as a technical setting rather than a governance artefact | Require written justification per harm dimension linking threshold to specific consumer/market harm |
| Mapping stops at first-tier dependencies | Third-party risk function operates separately from OR team | Mandate nth-party mapping for critical services; include sub-contractors and cloud providers |
| Scenario testing is superficial | Tests designed to pass rather than to stress | Use PRA’s severe-but-plausible standard; increment severity until breach; test combined failure modes |
| Board receives tolerances but does not own them | Tolerance-setting delegated to operational teams | Name a board member as sponsor for each IBS; include tolerance status in board risk dashboard |
| No recalibration trigger | Tolerances set once and forgotten | Define triggers: material incident, regulatory feedback, business change, annual review cycle |
Looking Ahead: Trends for 2025-2027
The impact tolerance discipline is maturing fast. BCI research shows that over 70% of organisations now run formal operational resilience programmes, up from under 40% five years ago, and tolerance-setting is at the heart of that growth.
Practitioners working across operational risk management and GRC frameworks should track three developments.
First, regulators will scrutinise rationale quality. The FCA’s 2025 observations explicitly called out weak rationale.
Expect supervisory deep-dives into how firms derived their numbers, with firms that simply benchmarked peers facing challenge. The data-driven, harm-anchored approach in this guide is the direction of travel.
Second, dynamic tolerances will emerge. Static, annual-review tolerances will give way to tolerances that flex based on real-time service health data, seasonal demand patterns, and threat intelligence feeds.
Firms investing in KRI automation and continuous monitoring will lead this shift.
Third, cross-border convergence will accelerate. DORA, the UK regime, MAS guidelines, and Basel BCBS principles are converging on similar expectations.
Multinational firms that build a single tolerance methodology adaptable across jurisdictions will avoid duplicative work and inconsistent standards. Staying aligned with the three lines model ensures governance consistency across geographies.
Ready to set your impact tolerances? Download templates, calibration tools, and consulting support at riskpublishing.com. Need a guided workshop for your board or executive team? Contact us to discuss your programme.
References
1. PRA PS6/21: Operational Resilience — Impact Tolerances for Important Business Services — PRA policy statement on impact tolerances.
2. FCA PS21/3: Building Operational Resilience — FCA final rules on operational resilience.
3. FCA Operational Resilience: Insights and Observations — FCA supervisory findings on firm readiness.
4. EU Digital Operational Resilience Act (DORA) — EU regulation on digital operational resilience.
5. Sidley Austin: UK Operational Resilience Rules — Are You Ready for 31 March 2025? — Legal analysis of compliance deadline.
6. The Investment Association: Impact Tolerances — Appetite for Disruption — Sector guidance on tolerance calibration.
7. WTW: How Are You Determining Your Impact Tolerances? — Practitioner guidance on tolerance methodology.
8. Sunando Roy: Impact Tolerance Metrics and Operational Resilience — Academic perspective on multi-metric tolerances.
9. Everbridge: Impact Tolerance in Operational Resilience — Industry guide on tolerance setting.
10. BCI: Growing Global Momentum Behind Operational Resilience — 70%+ OR programme adoption data.
11. CMORG: Guidance for Firm Operational Resilience v3 (April 2025) — Capital markets sector guidance.
12. Addleshaw Goddard: Operational Resilience Deadline — Legal briefing on March 2025 compliance.
13. Beyond Blue: Impact Tolerances — Beyond Time-Based Metrics — Multi-dimensional tolerance approach.
14. ISO 22301:2019 Business Continuity Management Systems — International BCM standard.

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
