Building an Operational Resilience Framework - Setting Impact Tolerances with OpRes
Published by Ben Saunders - OpRes Founder
Roughly a 5-minute read
Introduction:
Last Thursday, we published our most recent Vlog which covered the Operational Resilience Hub, within OpRes. Over the course of that publication, we spoke about how we apply a scoring framework to ascertain how conformant a firm is with its baselined impact tolerances.
If you are not familiar with the recent operational resilience policy updates published by the Financial Conduct Authority (FCA) and (Prudential Regulatory Authority (PRA), then the term “impact tolerance” may well be a new concept to you. In their joint publication, the PRA and FCA define an impact tolerance as “The maximum acceptable tolerable level of disruption to an important business service or an important group of business services as measured by a length of time in addition to any other relevant metrics”. Firms have until March 2022 to set these initial impact tolerances. So the clock is ticking!
At OpRes, we use a model whereby the suppliers and systems which underpin a firm's business service either Match, Meet or Exceed their baselined impact tolerances. We apply this framework, as we believe this is not a simple black or white question for firms to address. There is very much a shade of grey that firms need to consider! Let us explain what we mean, by outlining three example scenarios below.
Impact Tolerance Scenarios:
Match Impact Tolerance: Firm A has set a baseline Service Level Agreement target of 99.99% for their Faster Payments Service. They have 10 suppliers underpinning the service. All of the suppliers have agreed to match the 99.99% availability target in their contractual agreements with the firm. This means all the baselines match, which is a good thing...assuming the actual service level agreements are being obligated in production!
Meet Impact Tolerance: Firm B has set a baseline Service Level Agreement target of 99.99% for their Faster Payments Service. They have 10 suppliers underpinning the service. 7 of the suppliers have agreed to match the 99.99% availability target in their contractual agreements with the firm. Whilst 3 have agreed to a baseline of 99.95%. The firm has set a 99.95% tolerance threshold for its suppliers to operate within.
This means 7 of the baselines match, whilst 3 of the baselined impact tolerances are operating within acceptable thresholds for the firms. This means the firm and its suppliers are meeting their impact tolerances.
Exceed Impact Tolerance: Firm C has set a baseline Service Level Agreement target of 99.99% for their Faster Payments Service. They have 10 suppliers underpinning the service. 3 of the suppliers have agreed to match the 99.99% availability target in their contractual agreements with the firm. Whilst 3 have agreed to a baseline of 99.95%. The final 4 suppliers have agreed to meet an SLA target of 99%. This means 3 of the baselines match, whilst 3 of the baselined impact tolerances are operating within acceptable thresholds for the firms. The final 4 impact tolerances exceed the firm's risk appetite and may require remedial action.
As you can see this is not a black and white answer for many firms when setting impact tolerances. More often than not, an important business service and its target availability can only be as available as its lowest common denominator. As such, we have created a “Supplier Conformance Score” within OpRes. This applies a weighted scoring mechanism against a supplier when it underpins an important business service.
For example, if a supplier matches the target impact tolerance, they will be rewarded with a maximum available score. Conversely, we then apply a sliding score if they either meet or exceed the impact tolerance target set by the firm. We have posted a snapshot of what this looks like in OpRes below.
Supplier Conformance with Impact Tolerances
Out of The Box Impact Tolerances with OpRes:
To support firms in their quest to set an initial baseline of their impact tolerances, we have created a Likert Scale framework in OpRes. Users can set a percentage or time-based measurement to indicate the level of tolerance they are prepared to accept in the event of a system/supplier disruption causing intolerable harm to normal operations. Users can also document their justifications for setting these impact tolerances and provide them as evidence when reporting their operational resilience efforts back to regulators.
Setting Impact Tolerances with OpRes
As part of our Alpha release, firms will be able to set baselines for important business service performance targets across the following areas:
Service Level Agreements
Service Level Objectives
Service Level Indicators
Recovery Time Objective
Recovery Point Objective
Incident Notification Timeframes
Incident Restoration Timeframes
We can then correlate these targets against actual service agreements with the firm's internal service providers. As well as their 3rd and 4th party suppliers. We have used this initial set of key resilience indicators as they align with the PRA & FCA guidelines of measuring the impact of an outage against time-based metrics. Over time we will look to expand this baseline ruleset by considering elements such as:
Transaction load and peak-volume requirements over a defined period.
Time-based considerations that may impact key financial activities. For instance, end of day reconciliations in a trading environment. Or month-end batch processing needs that support salary payments from businesses to their employees.
Exotic or vanilla product considerations and their financial impact on the firm and the wider market. For example, does a firm carry a bigger material risk to the market if they are the largest trader of a specific asset class that cannot execute, settle or clear trades because of an unplanned outage.
The volume of customers impacted and the material knock-on effect to customers.
In Conclusion:
In this blog, we have explained the PRA and FCA’s expectations on firms to set impact tolerances for their important business services. We have also discussed how this is not a simple undertaking for firms. There are multiple hand-offs and dependencies to consider in order for a firm to match the baselined targets for their impact tolerances. However, by applying our Likert Scale model in OpRes, firms have an out-of-the-box capability across key time-based indicators. This allows them to jump-start the baselining of impact tolerances and meets the impending deadline of March 2022 with a scalable and automated framework that can be applied over their 3-year remedial efforts into 2025.
