A bridge over troubled water - how to navigate impact tolerances
01 October 2019
The UK supervisory authorities’ discussion paper on operational resilience in 2018 brought much-needed focus to what was previously a disparate discipline for firms. Of course, while managing disruption may not be new, the discussion paper did introduce some new concepts and terminology in the quest for consistency across the industry. After all, this is vitally important in helping the regulators themselves understand what is happening within many different firms, and where systemic risks may lie.
As a reminder, the discussion paper is looking for a shift in approach in some key areas. This means:
- Promoting the assumption that failure is inevitable and therefore firms need to invest resources in understanding and improving their response as well as their prevention strategy
- A move towards measuring the value of a firm by the quality of the services it delivers to its customers and therefore maintaining a thorough understanding of how the firm delivers those services; and
- Assessing the volume of disruption a business can withstand and implementing a robust testing programme to ensure that the business can stay within those parameters.
This last point covers the concept of "impact tolerances", which is perhaps where firms are looking for the most support. The individual words look familiar, but how do you define what the collective term means? PwC will soon publish a white paper outlining our suggested approach for firms in defining their impact tolerances.
To establish a common understanding of impact tolerance, we have found that introducing an abstract analogy can help in unpicking the concepts presented in the discussion paper. From our discussions with regulators and firms, we see how important it is to find a way to connect with people from across different functions and throughout the firm’s hierarchy, from technical experts up to executives and non-executive directors. For instance, you may have read our previous blog (‘Can you tolerate being punched in the face?’) which use a boxing analogy to distinguish between an ‘appetite’ and a ‘tolerance’ for something.
If we want to broader suite of regulatory concepts relating to operational resilience we need a slightly more sophisticated example.
Consider, then, the service of crossing a river using a bridge.
Let’s say that a firm owns a one-way bridge across a river to enable people to drive from one side to the other. The firm identifies an important business service it provides as: crossing the river.
Each vehicle crossing the bridge represents a transaction, and they pay a fee (a toll) to do so.
The capacity of the business service is limited to four lanes and is represented by how many vehicles can cross over at a given time. Disruption can force the firm to close one or more lanes which impacts the capacity of vehicles able to cross.
We can start to dissect this analogy further by looking at what resources (i.e. premises, technology, third parties and people) are in place to allow the firm to deliver the service, and how stressing these can cause disruption.
The firm sets its impact tolerance as the maximum duration or volume of disruption it can tolerate. In this example, the firm could use measures such as: delayed journeys or those not completed; lost revenue to firm; longer term economic impact in the area due to lost trade; and potential Government intervention.
Ultimately, firms will find that the steps to define impact tolerances look familiar but that does not mean that they are easy. PwC can help navigate this journey with you. Our experience in helping clients on this topic dates back to the first Dear Chairman exercise in 2012, and we have remained at the forefront of thought leadership, sharing insight with our clients, regulators and policy makers, and government. Access our white paper on impact tolerances.