FCA impact tolerances: setting, testing and reviewing
An impact tolerance is the maximum disruption to an important business service that a firm is prepared to accept. Setting impact tolerances is the most technically demanding element of the FCA’s operational resilience framework under PS21/3 — it requires firms to make a genuine assessment of when disruption crosses the threshold into intolerable harm, to express that assessment in specific measurable terms, and then to demonstrate through testing that they can actually remain within it. The FCA’s supervisory feedback since the March 2025 implementation deadline has been clear that many firms have not yet achieved this.
What an impact tolerance is — and what it is not
Impact tolerances are frequently confused with recovery time objectives (RTOs). An RTO is an internal target — the time within which the firm aims to restore a service following disruption. An impact tolerance is different: it is the maximum tolerable duration of disruption from the perspective of consumer harm, not the firm’s operational preference. A firm might have an RTO of four hours for a payment service but an impact tolerance of twenty-four hours — meaning the firm would aim to restore the service in four hours but accepts that disruption lasting up to twenty-four hours would not cause intolerable harm to consumers. The impact tolerance is a harm-based threshold, not an operational ambition.
This distinction matters because the FCA will assess whether a firm’s impact tolerances have been genuinely set by reference to consumer harm, not simply derived backwards from the firm’s existing disaster recovery targets. An impact tolerance that exactly matches an existing RTO and for which the firm cannot articulate the underlying harm rationale has not been set correctly.
Setting impact tolerances: the harm-based approach
Impact tolerances should be set by asking: at what point in the disruption of this important business service does consumer harm become intolerable? The answer will vary by service, by consumer population, and by context. For a payment service used by retail consumers to access their salary, intolerable harm may arise within hours — consumers relying on those funds for essential expenditure cannot tolerate a multi-day outage. For a portfolio management reporting service used by sophisticated investors, the same level of harm may not arise for several days.
The factors the FCA expects firms to consider when setting impact tolerances include: the number of consumers who would be affected at each point in the disruption; whether those consumers could access the same service from another provider; the vulnerability characteristics of the consumer population; the time-sensitivity of the service (including time of day and day of week effects); and the potential for consumer detriment to compound over time — a firm that cannot restore its payments service by Thursday may cause significantly more harm than one that cannot restore it by Tuesday, because pension and salary payment cycles are concentrated at certain times in the month.
Impact tolerances should be expressed in time, but the FCA also expects firms to consider whether other metrics are relevant — for example, the percentage of transactions that cannot be processed, or the monetary value of client assets affected. For most services, duration is the primary metric, but the supporting metrics help the firm monitor whether it is approaching its tolerance during an actual disruption.
Board approval and governance
Impact tolerances must be approved by the board. This is not a formality — the board’s role is to assess whether the tolerances have been set at the right level from the perspective of the harm the firm is prepared to accept on behalf of its clients. A board that approves impact tolerances without understanding the harm rationale behind them has not met its governance obligation under the framework.
The board’s approval should be documented, with the rationale for each tolerance clearly recorded. When impact tolerances are reviewed or revised, the board must approve the changes and the reasons for any revision should be documented. The FCA expects to see evidence of genuine board engagement with the impact tolerance framework, not simply sign-off on a document produced by the operational resilience or technology team.
Testing: the severe but plausible requirement
Firms must test whether they can remain within their impact tolerances under severe but plausible disruption scenarios. The FCA’s supervisory feedback has identified testing as the area where most firms are falling short. The most common failure is testing scenarios that are neither sufficiently severe nor genuinely plausible — using scenarios that the firm is confident it can manage rather than scenarios that challenge the framework.
The FCA expects testing to cover scenarios that include: a significant technology or system failure affecting the firm’s own infrastructure; a cyberattack targeting the firm’s systems (including ransomware scenarios); the failure of a critical third-party provider — including cloud infrastructure providers, payment processors, and data vendors; the unavailability of key premises; and the unavailability of key staff, including key person dependencies in critical roles.
Testing should be conducted end-to-end — from the point at which the disruption occurs to the point at which the service is restored within the impact tolerance. A firm that tests the restoration of its own systems but not the end-to-end service delivery — including any third-party dependencies — has not tested its impact tolerance; it has tested its IT recovery process.
The FCA also expects testing to examine workarounds — the alternative processes the firm would use to continue delivering the service if its primary systems failed. Workarounds that exist in documentation but have never been exercised in practice should not be relied on as evidence that the firm can remain within its impact tolerance. The workarounds must be tested under conditions that replicate the stress the firm would face during an actual disruption, including the reduced capacity, increased error rates and communication challenges that accompany genuine operational crises.
Common testing failures
The FCA’s supervisory work has identified several recurring testing failures. Firms that conduct tabletop exercises only — where participants discuss what they would do in a scenario without actually doing it — have not demonstrated that they can remain within their impact tolerances. Tabletop exercises are a useful planning tool, but they do not substitute for operational testing.
Testing that isolates individual components of the service — the technology team testing IT recovery, the operations team testing manual processing, the third-party management team reviewing provider SLAs — without testing the integrated end-to-end service is another common failure. Individual component tests may all pass while the integrated service is still not restored within the impact tolerance, because coordination between components breaks down under pressure.
Firms that have identified critical third parties as part of their important business service mapping but have not included third-party failure scenarios in their testing are leaving a significant gap. Many of the most severe and plausible disruption scenarios for financial services firms involve cloud infrastructure providers or critical data vendors — excluding these from testing is not consistent with the severe but plausible requirement.
Reviewing impact tolerances
Impact tolerances must be reviewed at least annually and whenever a material change in the business occurs — the launch of a new product, a significant change to the firm’s technology infrastructure, a change in the third parties on which the firm relies, or a significant change in the firm’s consumer base. The review should assess whether the impact tolerances remain calibrated to the current harm profile of the service, whether the testing evidence remains sufficient to demonstrate the firm can meet them, and whether any lessons from actual disruptions or near-misses should cause the tolerances to be adjusted.
The review should also incorporate lessons from the firm’s own testing. Where testing has identified that the firm cannot reliably remain within an impact tolerance, the firm must either remediate the gap or, in exceptional circumstances, revise the tolerance with a clear rationale and board approval. Revising an impact tolerance upwards — accepting more disruption — should be accompanied by a clear explanation of why consumer harm at the extended duration remains tolerable.
FD Capital places operational resilience professionals who understand the FCA’s framework in depth — not just its formal requirements but the supervisory expectations and common failure modes that distinguish adequate compliance from a framework that will withstand scrutiny.
Written by
Adrian Lawrence FCA
Founder & Managing Director, FD Capital Recruitment Ltd
ICAEW Fellow | Holds an ICAEW practising certificate in his own name | Co. No. 13329383
FD Capital is an ICAEW-Registered Practice specialising in compliance and senior finance recruitment for FCA-regulated firms.
Adrian Lawrence FCA is the founder of FD Capital and a Fellow of the Institute of Chartered Accountants in England and Wales (ICAEW). He holds a BSc from Queen Mary College, University of London, and has over 25 years of experience as a Chartered Accountant and finance leader working with private, PE-backed and owner-managed businesses across the UK. He founded FD Capital to connect growing businesses with the Finance Directors and CFOs they need to scale — and personally interviews candidates for senior finance appointments.