Impact Tolerance: Definition and Use in Compliance
Impact tolerance is an operational resilience concept that sets the maximum level of disruption a firm can absorb to a critical business service before it harms customers, market integrity, or the firm's safety and soundness.
What is Impact Tolerance?
Impact tolerance is the maximum disruption a firm decides it can take to a critical business service before customers, the market, or the firm itself suffers intolerable harm. It's a hard line, set in advance, expressed in measurable terms.
Most firms express it as time. A retail bank might say its faster payments service can be down for no more than two hours before harm becomes intolerable. Others add metrics: the number of customers affected, transaction volume blocked, or direct financial loss. The point is precision. A vague statement like "we aim for high availability" fails the test. A regulator wants a number the board has agreed to and can defend.
Here's the distinction that trips people up. Impact tolerance is not risk appetite. Risk appetite asks how much risk you'll accept to pursue a goal. Impact tolerance assumes the bad thing already happened and asks how far it can go before it's unacceptable. One is about prevention probability; the other is about surviving the hit.
Consider a mid-size lender. Its mortgage origination service might tolerate a full day of downtime, since a delayed application rarely causes lasting harm. But its card authorization service, which customers depend on at the point of sale, might tolerate only 30 minutes. Same firm, very different tolerances, because the harm profile differs.
Setting the tolerance is a board responsibility. It can't be delegated to IT as a technical recovery target. The board owns the judgment about what level of customer harm the firm is prepared to accept, and that judgment shapes everything that follows: mapping, testing, and investment.
How is Impact Tolerance used in practice?
Teams use impact tolerance as the organizing principle for resilience work. The sequence is consistent across firms, even if the details differ.
First, identify important business services. These are services that, if disrupted, would harm customers or threaten market integrity. Payments, settlement, deposit access, and fraud screening usually make the list. Internal functions like HR generally don't.
Second, set a tolerance for each one and get board sign-off. Third, map the full chain that delivers the service: staff, applications, data, facilities, and suppliers. This mapping is where firms find surprises. A "simple" payments service often depends on a dozen vendors, several of which the business never tracked.
Then comes testing. Firms run severe but plausible scenarios and measure recovery against the tolerance. A common scenario is a critical supplier going dark. If the firm relies on a single cloud region or a single screening provider, recovery often blows past tolerance, which exposes concentration risk the firm has to address.
Take a real pattern we've seen. A bank set a four-hour tolerance for its sanctions screening service. Testing revealed that if its sole sanctions screening vendor failed, manual review would take three days, far outside tolerance. The fix was a documented fallback process and a secondary data feed. Without the tolerance forcing the test, the gap would have stayed hidden until a live outage caused a backlog of unreviewed alerts and missed filings.
The output is a self-assessment document, maintained continuously, that the firm can hand to a supervisor on request.
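A small simulation of the scenario test described above, added here as an example (not from the article or any firm's tooling): each dependency of a service is failed in turn, recovery is the faster of restoring the primary or switching to a fallback, and any recovery longer than the tolerance is flagged as a breach. The service and dependency names, the hours, and the one-hour secondary feed are constructed assumptions; the volume factor models a manual fallback that slows as transaction volume grows.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Dependency:
    """One link in the chain that delivers a service: a vendor, application, site or team."""
    name: str
    restore_hours: float                       # time to bring the primary back after it goes dark
    fallback_hours: Optional[float] = None     # time to switch to an alternative; None = none exists
    fallback_scales_with_volume: bool = False  # manual workarounds take longer as volume grows

@dataclass
class Service:
    """An important business service and its board-approved impact tolerance."""
    name: str
    tolerance_hours: float
    deps: list = field(default_factory=list)

def recovery_hours(dep: Dependency, volume_factor: float = 1.0) -> float:
    """Recovery time if this dependency goes dark: the faster of restore and fallback."""
    fallback = float("inf")
    if dep.fallback_hours is not None:
        scale = volume_factor if dep.fallback_scales_with_volume else 1.0
        fallback = dep.fallback_hours * scale
    return min(dep.restore_hours, fallback)

def run_scenarios(svc: Service, volume_factor: float = 1.0) -> list:
    """Fail each dependency in turn (severe but plausible) and compare recovery with tolerance."""
    results = []
    for dep in svc.deps:
        hours = recovery_hours(dep, volume_factor)
        results.append({"failed": dep.name, "recovery_hours": hours,
                        "breach": hours > svc.tolerance_hours})
    return results

def breaches(svc: Service, volume_factor: float = 1.0) -> list:
    """Dependencies whose loss pushes the service past tolerance: the concentration risk to fix."""
    return [r["failed"] for r in run_scenarios(svc, volume_factor) if r["breach"]]

# Constructed data, not the article's firm: sanctions screening with a 4-hour tolerance.
# Before remediation the sole vendor's only fallback is manual review, three days of work.
before = Service("sanctions-screening", 4.0, [
    Dependency("screening-vendor", restore_hours=72.0, fallback_hours=72.0, fallback_scales_with_volume=True),
    Dependency("case-management", restore_hours=8.0, fallback_hours=2.5, fallback_scales_with_volume=True),
])
# After remediation: an assumed secondary data feed can take over in one hour.
after = Service("sanctions-screening", 4.0, [
    Dependency("screening-vendor", restore_hours=72.0, fallback_hours=1.0),
    Dependency("case-management", restore_hours=8.0, fallback_hours=2.5, fallback_scales_with_volume=True),
])
```

Calling `breaches(after, 2.0)` is the re-test a firm should run when transaction volume doubles; in this constructed data the manual case-management workaround then overruns the tolerance even though the vendor gap is fixed.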
Impact Tolerance in regulatory context
The UK regime is the clearest source. In March 2021 the Bank of England, PRA, and FCA published coordinated policy requiring firms to set impact tolerances for important business services, with full compliance expected by March 2025. The rules apply to banks, building societies, PRA-designated investment firms, insurers, and certain payment and e-money institutions.
The supervisory expectation is specific. By the end of the transition window, firms must be able to remain within their impact tolerances through severe but plausible disruption. A firm that can't is expected to invest until it can. Supervisors review self-assessments and challenge tolerances that look too generous or testing that looks too soft.
Internationally, the Basel Committee's 2021 Principles for Operational Resilience pushed the same logic to a global audience, asking banks to set "tolerance for disruption" for critical operations. The EU went further with the Digital Operational Resilience Act, which applies from January 2025 and imposes detailed requirements on ICT risk and third-party oversight, with strong overlap to the UK's mapping and testing duties.
These regimes connect to existing obligations. A firm's business continuity plan and disaster recovery arrangements feed directly into whether it can stay within tolerance. Impact tolerance gives those plans a measurable target rather than a generic recovery objective.
One practical consequence: financial crime services count. A prolonged transaction monitoring outage can mean missed suspicious activity and late regulatory filings, so many firms now set explicit tolerances for AML and fraud detection systems, treating them as important business services in their own right.
Common challenges and how to address them
The first challenge is setting tolerances that mean something. Boards under pressure tend to set tolerances that flatter current capability rather than reflect real customer harm. The fix is to start from the customer outcome, not the existing recovery time. Ask how long customers can lose access before genuine damage occurs, then set the tolerance there, even if current systems can't meet it. The gap is the point.
The second challenge is mapping depth. Firms map the obvious dependencies and stop. But outages usually come from the layer below: a fourth-party risk you never knew existed, a subcontractor your vendor relies on. Address this by mapping to the point where you can prove resilience, and by demanding supplier transparency in contracts.
The third challenge is testing realism. Tabletop exercises that assume tidy recovery are worthless. An exercise should assume that things fail at the worst time, that key staff are unavailable, and that two problems hit at once. Severe but plausible means uncomfortable.
The fourth is keeping it current. A tolerance set in 2022 and never revisited is a liability. Services change, vendors change, customer volumes grow. We've seen firms breach tolerance simply because transaction volume doubled and nobody re-tested. Build an annual review and trigger re-testing after any material change.
A concrete example: a payments firm passed its initial test, then migrated to a new core platform without re-running the scenarios. A later incident revealed the new architecture had a single point of failure the old one lacked. The lesson is that impact tolerance is a living control tied to a strong control environment, not a one-time compliance exercise.
Related terms and concepts
Impact tolerance lives inside a cluster of operational resilience ideas, and understanding the neighbors helps.
Operational resilience is the parent concept: a firm's ability to prevent, adapt to, respond to, recover from, and learn from operational disruption. Impact tolerance is the measurable target that gives operational resilience teeth.
Critical business service is the unit you set a tolerance for. You don't set tolerances for the whole firm; you set them service by service, which is why accurate service identification matters so much.
Several risk concepts sit close by. Concentration risk often drives tolerance breaches, because reliance on a single vendor or region creates a single point of failure. Third-party risk management is the discipline that addresses it, and modern resilience work increasingly treats supplier oversight as the core problem.
On the governance side, impact tolerance interacts with the three lines of defense model. The first line owns the service and its delivery, the second line challenges the tolerance and testing, and internal audit provides independent assurance.
It also connects to capital and recovery planning. The discipline of stress-testing against severe scenarios mirrors the logic of the Internal Capital Adequacy Assessment Process, and the standard incident management process is what kicks in when a disruption threatens to push a service past its tolerance.
Read together, these terms describe a single system: identify what matters, decide how much harm is acceptable, map the chain, and prove you can stay inside the line.
Where does the term come from?
The term in its regulatory sense comes from the UK. The Bank of England, PRA, and FCA published their joint operational resilience policy in March 2021, with rules taking effect 31 March 2022 and a transition period running to March 2025. Those documents made "impact tolerance" a defined supervisory requirement for banks, insurers, and major investment firms.
The thinking built on earlier work, including the 2018 discussion paper "Building the UK financial sector's operational resilience." The Basel Committee on Banking Supervision later echoed the approach in its 2021 Principles for Operational Resilience, though it leaned on the related idea of "tolerance for disruption." The EU's Digital Operational Resilience Act (DORA) covers similar ground with different mechanics.
How FluxForce handles impact tolerance
FluxForce AI agents monitor impact-tolerance-related patterns in real time, flag anomalies for analyst review, and generate evidence-backed decisions with full audit trails.