Setting impact tolerances: how long can a football club survive disruption before real harm occurs?
Ask a club how quickly it would recover from a serious system failure and the honest answer is usually "as fast as possible." That is not an impact tolerance. It is a hope. The discipline that financial services firms were forced to adopt under the FCA's operational resilience framework requires something much harder: a specific, defensible, board-approved limit for how much disruption each critical service can absorb before the harm becomes unacceptable. This article explains how a football club sets one properly, using the club's own most time-critical services as the test case.
This article is the third in our series on Operational Resilience for Football clubs. You can find other articles in this series here.
Why "as fast as possible" is not an answer
Of the four disciplines that make up an operational resilience programme -- identifying important business services, mapping their dependencies, setting tolerances for disruption, and testing against realistic scenarios -- the impact tolerance is the one most likely to be skipped or answered vaguely, because it forces the organisation to commit to a specific number rather than a general intention.
"We would aim to restore the service as quickly as possible" sounds responsible. It is, in the resilience sense, meaningless. It commits to nothing, it cannot be tested against, and it gives no one in the organisation a clear signal for when a disruption has crossed from manageable into serious. An impact tolerance is different in kind, not just in specificity: it is a board-approved statement that says, in effect, if this service is unavailable for longer than X, the harm becomes unacceptable, and we have decided that in advance. That is a genuinely uncomfortable thing for a board to commit to, which is precisely why most organisations, football clubs very much included, have never done it.
What a defensible impact tolerance actually contains
A properly set impact tolerance has three characteristics that a vague aspiration does not. It is specific -- expressed as a concrete metric, most often time, but sometimes volume or another measurable threshold. It is justified -- the club can explain, with evidence, why that particular limit was chosen rather than a stricter or looser one. And it is owned -- approved at board level by someone with the authority and the accountability to have made that judgement, rather than arrived at informally by whoever happens to run the affected department.
The justification requirement is where most attempts at this exercise fall down. It is not enough to assert a number. The club needs to be able to show the reasoning: what specifically happens at the point the tolerance is breached, who is harmed, and why that harm becomes materially worse, or irreversible, beyond that specific point. This is easier to do with genuine operational and legal detail in hand than in the abstract -- which is why the three worked examples below are built from real external constraints, not invented ones.
An impact tolerance is not a target for how quickly the club would like to recover. It is a line the club has decided, in advance and with evidence, that it cannot afford to cross.
Worked example one: matchday ticketing and access control
Consider a club setting an impact tolerance for its ticketing and access-control systems on a matchday. The relevant operational fact, standard across Premier League grounds, is that turnstiles and stadium gates open ninety minutes before kick-off, giving supporters a defined window to enter, be searched, and reach their seats in a controlled and orderly way.
That ninety-minute window is not an arbitrary courtesy. It exists because safe crowd management at scale requires a controlled flow of entry over time; compress that window and the same number of people are being processed through the same physical infrastructure in less time, which is precisely the kind of pressure that safety and crowd-management planning is designed to avoid. A club setting an impact tolerance for this service therefore has a genuine, evidenced basis for its judgement: an access-control outage that resolves within the first thirty minutes of the gates-open window is a serious operational incident, but the remaining hour still allows for a broadly normal, controlled entry process. An outage that is not resolved within roughly forty-five minutes of that window -- leaving less than three-quarters of an hour of degraded entry capacity before kick-off -- crosses from a serious incident into a genuine safety and regulatory concern, because the club can no longer be confident of processing its expected attendance through the remaining time without the kind of crowd build-up that safety certification is specifically designed to prevent.
The impact tolerance in this example, then, is not "restore ticketing as fast as possible." It is something closer to: access-control functionality must be restored, or a fully resourced manual entry process must be operational, within 45 minutes of an outage occurring during the gates-open window, or the club's safety officer must be in a position to advise on delaying kick-off. That is specific, it is time-bound, and the club can explain exactly why 45 minutes rather than 60 or 30 -- because it is derived from the actual structure of the ninety-minute entry window the club already operates within.
Worked example two: player registration during a transfer deadline
The second example is the sharpest illustration of why impact tolerances have to be genuinely realistic rather than aspirational, because the external deadline here does not move for anyone. Premier League transfer deadlines are fixed, and the process that follows them is unforgiving of assumption. Clubs are only permitted to submit a deal sheet, the mechanism that grants extra time to complete paperwork, within a strictly defined window immediately before the deadline itself, and once submitted correctly, they receive a fixed two-hour grace period to complete the full registration. There is no further extension beyond that. International transfers carry an additional, entirely separate constraint: they must also clear FIFA's Transfer Matching System before midnight, regardless of the club's own domestic deadline.
This means the club's internal systems for preparing and submitting registration paperwork, the systems this article's method would identify as an important business service in their own right, have an impact tolerance that is not really a club decision at all. It is set almost entirely by the external process. If a club's registration system fails at any point after the window in which a deal sheet can still be validly submitted, there is, in practical terms, no tolerance left: the transfer either completes before the fixed deadline or it does not happen in that window at all, full stop.
The genuinely useful impact tolerance for a club to set here, therefore, is not framed around the moment of deadline itself, by then it is too late for a tolerance to mean anything, but around the internal preparation window that precedes it. A defensible tolerance looks like: registration paperwork preparation systems must be fully operational, with no unresolved technical issue, no later than two hours before the deadline (to allow the deal sheet mechanism to be used as a safety net) and no later than the point a deal sheet, once submitted, would leave insufficient time to complete the full paperwork within its two-hour grace period. A club that has not mapped its own internal systems against this external, fixed, non-negotiable process has not set an impact tolerance for this service. It has simply hoped the systems hold up on the day.
Worked example three: payroll for players and staff
The third example illustrates a different kind of tolerance: one where the legal position sets a hard floor, but real-world practice creates a meaningful window for genuine recovery before that floor becomes a serious problem. Under the Employment Rights Act 1996, a payment made even a single day later than the date specified in an employment contract is, technically, an unlawful deduction of wages the moment it happens. In that narrow legal sense, there is effectively no tolerance at all, the breach occurs immediately.
But the practical risk profile is more nuanced than that technical position suggests, and a genuinely useful impact tolerance has to reflect both. Employment law commentary is consistent on this point: a payment that is corrected within a few days, where the employer communicates proactively and the delay does not recur, is generally treated as a low-risk, remediable breach rather than one likely to escalate to a tribunal claim or support a constructive dismissal argument. The risk profile changes materially, however, once delay becomes repeated or prolonged, because at that point the employee can reasonably argue that the implied term of mutual trust and confidence, the foundation of the employment relationship itself, has been broken.
A defensible impact tolerance for payroll, then, has to hold two things in view simultaneously: the fact that any delay is technically a breach from the first missed day, and the fact that the genuinely serious escalation risk begins once a delay is not resolved within a small number of days, or once any delay becomes a pattern rather than a one-off. A club's board might reasonably set the tolerance as: any payroll delay must be identified, communicated to affected players and staff, and resolved within 2 business days of the scheduled payment date; any second occurrence within a rolling twelve-month period triggers a full review of payroll system resilience, regardless of how quickly it was resolved. That tolerance does not pretend the first day of delay is harmless. It commits the club to a specific, evidenced standard for how quickly a breach must be cured, and it treats repetition, not just duration, as the point at which the harm becomes serious.
What the three examples have in common
None of the three tolerances above were arrived at by asking ‘how fast could we plausibly fix this?’ All three were built by working backwards from a real, external, evidenced constraint -- the physical structure of a stadium\'s entry process, the fixed and unforgiving mechanics of a transfer deadline, and the specific point at which UK employment law risk escalates from technical breach to serious exposure.
That is the method, and it is transferable to any important business service a club identifies: find the genuine external constraint or threshold the service operates against, and set the tolerance at the point just before that constraint turns disruption into intolerable harm. A tolerance that is not traceable to a real external fact is not a tolerance. It is a guess with a number attached.
Who should set the tolerance, and how often it should be reviewed
Impact tolerances are a governance judgement, not a technical one, and they should be approved at board level for exactly the reason the worked examples above illustrate: setting one properly requires weighing safety, legal, financial and reputational consequences against each other, which is a board-level responsibility even when the underlying service sits within an operations or IT function day to day.
Each tolerance should also be reviewed at least annually, and immediately after any material change to the underlying constraint it was built around. A change to stadium safety certification, a change to the transfer deadline process, or a change to a club's payroll provider are all events that should trigger a fresh look at whether the tolerance set previously is still the right one -- because a tolerance built on a stale assumption is no more defensible than one that was never properly evidenced in the first place.
The next article in this series addresses the discipline that follows naturally from having set genuine tolerances: mapping the specific people, systems, facilities and third parties each important business service actually depends on -- because a tolerance cannot be tested, and cannot ultimately be met, without knowing precisely what stands behind the service when something goes wrong.
Setting a genuine impact tolerance requires the board to make a judgement it cannot make well without the full picture in front of it.
Lagom Sports Compliance works with football clubs across governance, risk, compliance and operational resilience. If your club has not yet set defensible, board-approved impact tolerances for its most critical services, we would welcome a conversation about what that process looks like for your club.
Frequently asked questions: impact tolerances for football clubs
-
An impact tolerance is a specific, board-approved limit for how much disruption an important business service can absorb before the resulting harm becomes unacceptable. It is typically expressed as a time-based metric, though other measurable thresholds can apply. A genuine impact tolerance is specific rather than aspirational, justified with evidence rather than merely asserted, and formally owned by someone with the seniority and accountability to have made that judgement -- as distinct from a general intention such as 'we would aim to fix it as quickly as possible', which commits to nothing and cannot be tested against.
-
'As fast as possible' does not commit the organisation to anything measurable, cannot be used as the basis for testing whether the organisation can actually meet it, and gives no one within the organisation a clear signal for when a disruption has moved from manageable into genuinely serious. A valid impact tolerance is a specific figure -- for example, a defined number of minutes or hours -- that the organisation has determined, in advance and with supporting evidence, represents the point beyond which harm becomes unacceptable.
-
There is no single answer that applies to every stadium, because the correct tolerance depends on that stadium's own gates-open window and safety certification. However, the standard practice across Premier League grounds is for turnstiles and gates to open ninety minutes before kick-off. A club setting an impact tolerance for this service should work backwards from that window: an outage resolved well within the window is a serious incident but manageable; an outage that leaves substantially less than an hour of remaining entry time before kick-off moves into genuine safety and crowd-management risk, because the club can no longer be confident of processing its expected attendance in a controlled way.
-
Premier League transfer deadlines are fixed and unforgiving of technical failure. Clubs may only submit a deal sheet -- the mechanism that grants additional time to complete paperwork -- within a defined window immediately before the deadline, and once submitted, they receive a strict two-hour grace period to complete registration, with no further extension. International transfers must additionally clear FIFA's Transfer Matching System by midnight regardless of the domestic deadline. This means a club's internal impact tolerance for its registration systems has to be set around the preparation window before the deadline, not the deadline itself -- by the time the deadline arrives, there is no meaningful tolerance left to manage.
-
Under the Employment Rights Act 1996, a payment made later than the date specified in an employment contract is technically an unlawful deduction of wages from the moment it occurs -- there is no formal grace period in strict legal terms. In practice, however, employment law commentary is consistent that a payment corrected within a few days, communicated proactively and not repeated, carries relatively low practical risk of escalating to a tribunal claim. The risk increases materially once delay becomes repeated or prolonged, because at that point an employee can more credibly argue that the implied term of mutual trust and confidence has been broken, which can support a constructive dismissal claim. A defensible impact tolerance for payroll should reflect both realities: treating any delay as a breach requiring immediate correction, while treating repetition, not just duration, as the point at which the risk becomes genuinely serious.
-
Impact tolerances should be set and formally approved at board level, because doing so properly requires weighing safety, legal, financial and reputational consequences against each other -- a judgement that sits above the level of any single operational or technical function, even though the underlying service may be managed day to day by operations, IT or another department. Each tolerance should be reviewed at least annually and immediately after any material change to the external constraint it was built around, such as a change to stadium safety certification, a change to transfer deadline processes, or a change of payroll provider.