Impact Tolerance is a key concept in Operational Resilience, which is defined as the ability of a firm
to withstand, respond to, and recover from disruptions. According to PRMIA and global regulatory
frameworks (such as the Bank of England's Operational Resilience Framework), impact tolerance is
specifically tied to business services rather than processes.
Step 1: Defining Impact Tolerance
Impact tolerance is the maximum acceptable level of disruption to an important business service,
beyond which there would be intolerable harm to customers, financial markets, or regulatory
obligations.
It is not the same as risk appetite or risk capacity, as those deal with broader organizational risk
exposure.
Step 2: Why Business Services Matter
PRMIA defines business services as end-to-end services delivered to clients and stakeholders, such as
payments processing, trade execution, or loan approvals.
Disruptions to these services directly impact customers and financial stability, making business
service resilience the core focus of impact tolerance.
Step 3: Why the Other Options Are Incorrect
Option A ("tolerance for disruption to a particular business process")
Incorrect because impact tolerance applies to services, not just internal processes.
Option C ("a firm's risk appetite statement")
Incorrect because risk appetite focuses on how much risk a firm is willing to take, while impact
tolerance is about surviving disruptions.
Option D ("a firm's risk capacity statement")
Incorrect because risk capacity is the maximum level of risk a firm can bear, which is broader than
business service disruptions.
PRMIA Risk Reference Used:
PRMIA Operational Resilience Guidelines – Defines impact tolerance as a service-based metric.
Bank of England’s Operational Resilience Framework – Establishes impact tolerance as a limit on
business service disruption.
Final Conclusion:
Impact tolerance focuses on business services, not just internal processes or risk appetite, making
Option B the correct answer.