Scenario Testing aims to test the organisation's ability to remain within impact tolerances in severe but plausible disruption scenarios, focusing on recovery and response arrangements rather than preventative measures.
Conventional operational risk scenarios focus on risk prevention and use Key Risk Indicators (KRIs), Keep customers informed (KCIs), and Risk Control Self Assessments (RCSAs) to understand risk and control effectiveness.
Impact tolerance assumes a service disruption has occurred, so operational resilience scenarios test an organisation’s ability to stay within tolerance and focus on response and recovery actions.
Testing is crucial to assess an organisation's impact tolerances and determine if its incident response is fit for purpose. This ensures the firm can recover the business service within the defined impact tolerance.
Testing helps an organisation understand that it cannot deliver these critical business services within the impact tolerances if these scenarios occur.
The Board must be informed of scenarios in which the impact tolerance may not be met.
It must ascertain whether prioritised investment decisions are required to address findings from scenarios where organisations would breach their impact tolerances.
Scenario testing allows organisations to assess their operational resilience by simulating various disruptive events and evaluating their responses. The following steps outline the process:
| Key Activities | Definition |
| --- | --- |
| Scenario Testing | Testing helps an organisation understand that it cannot deliver these critical business services within the impact tolerances if these scenarios occur. |
| Document Scenario Test Finding | Organisations should document: This is needed for the self-assessment and compliance to be discussed in the "Sustain" phase. |
| Severe but plausible scenarios | Identify the severe but plausible scenarios they use for testing. Consider past incidents or near misses within the organisation, industry, and other sectors and jurisdictions when setting scenarios. |
| Scenario Library | Create scenarios from an existing scenario library based on activities such as operational risk, industry-specific testing exercises, stress testing, or business continuity. Using the elements of potential impact from the mapping processes and resources exercise, identify scenarios that can be enhanced and tailored to cover specific critical business services. |
| Type of Test | These are the different types of tests. |
| Difference between OR and BC Tests and Exercises | Existing testing strategies can be used for scenario testing. However, it is essential to understand that scenario testing differs from business continuity, disaster recovery or financial stress testing. An OR end-to-end business service resilience test approach needs to be applied. This approach shifts the focus to determining where the point of intolerable harm is reached in severe but plausible scenarios. Most BC or DR testing centres around mitigating harm to the organisation. The change is that the regulators require organisations to consider preventing intolerable harm to consumers. |