Among the United Kingdom supervisory authorities’ proposals and expectations for building operational resilience, the rules on “impact tolerance” have generated substantial debate and confusion. In the absence of guidance around how to compute impact tolerance, one serious method that has emerged is the FAIR (Factor Analysis of Information Risk) methodology, first introduced in the book, “Measuring and Managing Information Risk” by Jack Jones and Jack Freund, and now chosen by The Open Group as the international standard information risk management model.

This article explains how the FAIR methodology can help organizations determine what actions they can take to remain within impact tolerance.