
Operational Resilience in Action: The BPI Transformation Blueprint

Perform Scenario Testing


The organisation to be discussed in this chapter is Bank of the Philippine Islands (BPI), a leading universal bank in the Philippines operating in a highly regulated environment under the supervision of the Bangko Sentral ng Pilipinas (BSP).

In line with BSP Circular No. 1203, scenario testing is a critical requirement to validate whether BPI can remain within its defined impact tolerances during severe but plausible disruptions.


Moh Heng Goh
Operational Resilience Certified Planner-Specialist-Expert


CBS-1 Deposit & Account Services

Introduction


Scenario testing is a cornerstone of operational resilience. It evaluates how well critical business services—such as CBS-1 Deposit and Account Services—can withstand and recover from disruptions. As outlined in the BCM Institute guidance on scenario testing, organisations must simulate severe but plausible scenarios that incorporate operational, cyber, third-party, and systemic risks.

For BPI, this means ensuring that essential services like onboarding, transaction processing, and customer access remain available within acceptable thresholds, even during major disruptions such as cyberattacks, system outages, or third-party failures. BSP Circular No. 1203 further requires banks to demonstrate end-to-end testing, integration of ICT and cyber risks, and evidence of continuous improvement.


Table P6: Perform Scenario Testing for CBS-1

| Sub-CBS Code | Sub-CBS | Recommended Scenario Test Themes | Impact / Effect | Evidence of Proactive Risk Management Action |
|---|---|---|---|---|
| 1.1 | Customer Onboarding and Account Application | Digital onboarding platform outage due to cloud service failure; cyber disruption affecting online channels | Inability to onboard new customers; revenue loss; reputational damage | Failover to alternate onboarding channels; tested manual onboarding procedures; cloud redundancy validation reports |
| 1.2 | Customer Identification and Verification (KYC/CDD) | Third-party KYC provider outage or data integrity breach; cyberattack on identity databases | Delayed account opening; regulatory non-compliance risk | Backup KYC providers; periodic data validation checks; audit logs demonstrating compliance controls |
| 1.3 | Account Approval and Opening | Core banking workflow disruption due to system patch failure or insider error | Account opening delays; customer dissatisfaction | Segregation of duties; rollback procedures tested; automated workflow recovery validation |
| 1.4 | Initial Funding and Deposit Booking | Payment gateway failure or API disruption; cyber manipulation of transaction values | Incorrect deposit booking; financial loss exposure | Transaction validation controls; reconciliation triggers; real-time monitoring dashboards |
| 1.5 | Product Terms Setup and Account Parameter Maintenance | Configuration errors or unauthorised parameter changes (cyber/insider threat) | Incorrect interest/fee application; compliance breach | Change management logs; dual-approval controls; configuration audit trails |
| 1.6 | Deposit Transactions Processing | Core banking outage; ransomware attack affecting the transaction engine | Transaction delays or failures; liquidity impact | Active-active data centre failover tests; cyber incident response playbooks; transaction backlog recovery metrics |
| 1.7 | Withdrawal and Funds Access Processing | ATM/POS network outage; cyberattack on card systems | Customers unable to access funds; reputational damage | Alternate withdrawal channels (branch/manual); ATM network redundancy testing; fraud monitoring alerts |
| 1.8 | Account Servicing and Customer Maintenance | CRM system outage or data corruption due to a cyber incident | Inability to update customer records; service delays | Data backup restoration tests; CRM failover capability; service continuity drills |
| 1.9 | Interest, Fees, and Charges Processing | Batch processing failure or data corruption during end-of-day processing | Incorrect charges; customer disputes; financial misstatements | Batch reprocessing procedures; reconciliation checks; exception reporting evidence |
| 1.10 | Statement, Passbook, and Balance Reporting | Reporting engine failure or data extraction errors due to system compromise | Inaccurate customer statements; regulatory breach | Data validation scripts, alternate reporting generation, and customer notification protocols |
| 1.11 | Digital Account Access and Channel Integration | Mobile/online banking outage due to DDoS attack or API failure | Loss of customer access; surge in complaints | DDoS mitigation testing; API gateway redundancy; uptime monitoring reports |
| 1.12 | Reconciliation and Exception Management | Reconciliation system failure or delayed batch processing | Unresolved discrepancies; financial reporting risk | Automated reconciliation tools; manual override procedures; exception tracking dashboards |
| 1.13 | Fraud Detection and Transaction Monitoring | Failure of the fraud detection engine due to a cyberattack or AI model drift | Increased fraud losses; delayed detection | Parallel fraud monitoring systems; model validation; incident response evidence |
| 1.14 | Regulatory Reporting and Compliance Monitoring | Reporting system outage or inaccurate regulatory submissions | Non-compliance penalties; regulatory sanctions | Regulatory reporting backups; submission validation checks; audit-ready documentation |
| 1.15 | Incident Response, Business Continuity, and Recovery | Full-scale disaster (data centre outage, cyber breach, pandemic scenario) | Service disruption across all deposit services | End-to-end BCP testing; recovery time objective (RTO) achievement reports; crisis management exercise records |

 

 

Integration of Cyber and ICT Risks

The above scenario testing approach aligns with key expectations from BSP:

  • End-to-End Scenario Testing: Testing must cover entire service chains (e.g., onboarding → KYC → account opening).
  • Severe but Plausible Scenarios: Includes cyberattacks, ICT outages, and third-party failures.
  • Impact Tolerance Validation: Tests must confirm services remain within defined tolerances.
  • Integration of ICT & Cyber Risks: Explicit inclusion of ransomware, DDoS, system compromise, and data integrity risks.
  • Continuous Improvement: Evidence must show lessons learned and enhancements implemented after each test.

 

 
Summing Up

Scenario testing transforms operational resilience from a theoretical framework into a validated, measurable capability.

For BPI, conducting structured, repeatable scenario tests across all Sub-CBS components ensures vulnerabilities are identified before they manifest as real disruptions.

By integrating cyber and ICT risks into every scenario and maintaining clear evidence of proactive risk management actions, BPI not only complies with BSP Circular No. 1203 but also strengthens stakeholder confidence.

Ultimately, the ability to withstand, respond to, and recover from disruptions in deposit and account services defines a truly resilient bank.

 
