What do impact tolerances and narwhals have in common?
02 March 2020
One is fascinating, mythical and mysterious, and its shape and very existence are debated across the land. The other eats fish and lives in the sea.
It may seem incredible to link a sea creature first discovered in the 1600s with delivering effective operational resilience, but hear me out...
Impact tolerances have been on the scene since 2018, referring to a standard of operational resilience applied to a firm’s important business services. The papers published by the regulators before Christmas reinforced how central this concept is to their future framework. Most of the questions we heard from firms in 2019 on the regulatory approach to operational resilience were around how to develop impact tolerances. In response, we’ve published our recommended approach.
But the mood music is changing. As firms start to experiment with the regulatory proposals, there are signs of scepticism around how this can work effectively in practice. The more detailed explanation in the consultation papers, combined with the proposed implementation timeline, has focused minds on coming up with an answer. We sense firms are on the hunt for any peers who are willing to share what they’ve done so far to prove that impact tolerances can actually work. Finding an evidential approach to define one - or in some cases two - and working out how to plumb your impact tolerances into existing risk management frameworks appears as elusive as finding a real-life unicorn.
By comparing impact tolerances to another creature, the narwhal, I may be letting my imagination run wild but it is not as far-fetched a venture as it may seem. The first similarity between narwhals and impact tolerances is that, without any clear evidence, most thoughtful individuals have shown scepticism about their existence. Just as the Arctic explorers would have faced pressure to present real evidence of a whale with a tusk, firms and regulators alike now need to demonstrate what impact tolerances will look like in practice and how they will operate, to prove they are not reincarnations of related disciplines.
Which takes us neatly on to the second similarity: they both appear to have been formed by splicing together existing concepts. A crude description of a narwhal is the offspring of a whale and a walrus. Impact tolerances could be seen as a blend of recovery time objectives (relating to the time within which a business process must be restored after a disaster), risk tolerance (the aggregate level of acceptable risk, by risk type, which a firm can manage within), and the need to understand customer value chains.
The last similarity is their scarcity. Just as narwhal populations are famous for their rarity, so impact tolerances are likely to be required for the most important business services in a fraction of the overall population of firms (around 2,000 of nearly 60,000 firms). That reduces the number of skilled people trying to come up with a solution, though it is, of course, the better-resourced firms which are tasked with doing so.
Moving from theory to practice will give both firms and regulators the confidence that the new regime will genuinely drive greater resilience of individual firms and the system as a whole. This requires those firms which are advanced in their thinking to be open with regulators and their peers on what they have learned so far, and for the family of regulators to give a clear response about whether this hits the mark.
Like a real-life polar expedition, the regulatory consultation must come to an end (3 April 2020), so let's hope the search for real-life examples of impact tolerances bears fruit and helps the whole industry to make progress on this.