eBook OR

[OR] [ESB] [E3] [CBS] [1] [ST] Perform Scenario Testing

Written by Moh Heng Goh | May 25, 2026 8:04:39 AM

CBS-1 Deposit and Account Services

Scenario testing is a core component of operational resilience because it validates whether a bank can continue to deliver critical business services within defined impact tolerances during severe yet plausible disruptions.

For Equicom Savings Bank, CBS-1 Deposit and Account Services is a foundational service that supports customers onboarding, deposits, withdrawals, digital access, fraud controls, and regulatory obligations.

Scenario testing should therefore move beyond traditional business continuity exercises and examine end-to-end disruptions involving people, processes, technology, facilities, third parties, and cyber dependencies.

The BCM Institute operational resilience guidance highlights scenario testing as a mechanism to assess whether mapped dependencies and impact tolerances remain effective under disruption conditions.

BSP Circular No. 1203 similarly expects banks to identify critical operations, establish disruption tolerances, map interdependencies, and conduct testing against severe but plausible scenarios.

Equicom Savings Bank provides deposit products, online banking, card services, and customer channels that rely heavily on digital platforms, branch operations, and third-party integrations.

As a Philippine thrift bank, it should therefore integrate operational disruptions with cyber and ICT risks, such as ransomware, API failures, identity fraud, network outages, and third-party service disruptions.

Table P6: Perform Scenario Testing for CBS-1

Sub-CBS Code

Sub-CBS

Recommended Scenario Test Themes (including Cyber & ICT Risk Integration)

Impact / Effect

Evidence of Proactive Risk Management Action

1.1

Customer Onboarding and Account Application

Digital onboarding portal outage during high-volume customer applications; web application DDoS attack; branch connectivity failure

Delayed onboarding, customer dissatisfaction, and application backlog

Conduct annual failover testing; maintain alternate onboarding channels; monitor onboarding application response metrics

1.2

Customer Identification and Verification (KYC/CDD)

National ID/KYC API provider unavailable; cyber compromise of identity verification platform

Inability to validate customers; onboarding delays; compliance exposure

Test alternate KYC procedures; maintain offline KYC process; conduct third-party resilience reviews

1.3

Account Approval and Opening

Core banking workflow system failure; privilege escalation cyberattack on the approval engine

Delayed account creation; risk of unauthorised account opening

Execute workflow recovery tests; perform access-control reviews and cyber simulations

1.4

Initial Funding and Deposit Booking

Core banking database corruption or transaction queue failure

Deposit posting delays, customer complaints, and reconciliation discrepancies

Conduct transaction rollback exercises and database recovery tests

1.5

Product Terms Setup and Account Parameter Maintenance

Erroneous system configuration deployment; malicious insider parameter changes

Incorrect product setup, financial losses, and customer disputes

Perform configuration validation testing and maker-checker verification exercises

1.6

Deposit Transactions Processing

Core banking application outage; ransomware attack affecting transaction servers

Deposits unavailable; transaction backlog; liquidity implications

Conduct disaster recovery testing; cyber incident response exercises; alternate processing validation

1.7

Withdrawal and Funds Access Processing

ATM switch outage; card network disruption; cyber compromise of funds transfer services

Customer inability to access funds; reputational impact

Test manual withdrawal procedures and alternate access channels

1.8

Account Servicing and Customer Maintenance

CRM system outage; customer profile corruption event

Service delays; inaccurate customer information

Test backup restoration and customer service continuity procedures

1.9

Interest, Fees, and Charges Processing

Batch processing failure; unauthorised manipulation of the fee calculation engine

Incorrect customer balances; financial loss, disputes

Execute batch recovery testing and parameter validation checks

1.10

Statement, Passbook, and Balance Reporting

Data warehouse outage; report generation platform cyber compromise

Customers are unable to access statements and balances

Conduct reporting continuity testing and alternate statement generation exercises

1.11

Digital Account Access and Channel Integration

Mobile banking application outage; API gateway cyberattack; third-party online banking provider failure

Customers are unable to access digital banking services

Perform API resilience tests; simulate cyber attacks; conduct mobile platform failover testing

1.12

ATM and Card-Based Access Management

ATM network outage; card authorisation system compromise; malware infection

Cash withdrawal disruption; transaction failures

Conduct ATM switch failover testing and ATM malware response exercises

1.13

Account Reconciliation and Exception Handling

Data synchronisation failure between systems; database corruption event

Unreconciled balances and operational losses

Execute reconciliation recovery testing and exception management simulations

1.14

Dormancy, Holds, Restrictions, and Account Control Administration

Unauthorised release of account restrictions through cyber compromise

Fraud exposure and compliance breaches

Conduct access review testing and privilege abuse simulations

1.15

Fraud Monitoring and Transaction Surveillance for Deposit Accounts

Fraud monitoring engine outage; AI model corruption; SIEM platform disruption

Delayed fraud detection; increased financial losses

Conduct cyber red-team exercises and fraud detection continuity tests

1.16

Complaints, Disputes, and Service Recovery

Contact centre platform outage; customer service portal cyberattack

Customer dissatisfaction; regulatory escalation

Test alternate communication channels and manual case handling procedures

1.17

Regulatory Reporting and Compliance Monitoring

Regulatory reporting platform failure; cyber compromise of reporting datasets

Delayed regulatory submissions and compliance penalties

Conduct reporting recovery exercises and data integrity validation testing

 

Regulatory Considerations and Examples for Philippine Banks

BSP Circular No. 1203 expects banks to establish operational resilience capabilities for critical operations by identifying critical services, setting disruption tolerances, mapping dependencies, and conducting scenario testing.

Testing should assume disruptions will occur and validate the institution's ability to continue delivering services under severe yet plausible scenarios. Examples include cyberattacks, ICT failures, third-party outages, pandemics, and infrastructure disruptions.

Examples relevant to Equicom Savings Bank include:

  • Ransomware affecting core deposit systems and online banking.
  • An extended outage of a third-party KYC service provider.
  • Nationwide telecommunications disruption affecting branch and ATM connectivity.
  • An insider cyber compromise is manipulating customer account data.
  • Simultaneous cyber and physical disruptions are impacting customer access channels.

These scenarios align with BSP expectations that banks test resilience to interdependencies and validate that disruptions remain within tolerance thresholds.

 

Scenario testing for CBS-1 Deposit and Account Services should be designed as an enterprise-wide resilience exercise rather than a narrow technology recovery test.

The scenarios above intentionally integrate operational disruptions with cyber and ICT risks because modern banking services increasingly depend on interconnected digital ecosystems, third-party providers, and customer-facing technologies.

By executing these tests regularly, Equicom Savings Bank can validate recovery capabilities, identify weaknesses in dependencies, refine impact tolerances, and demonstrate evidence of proactive risk management to BSP regulators.

Such testing supports the broader objective of ensuring that critical banking services remain available during disruptive events while protecting customers, maintaining trust, and safeguarding financial stability.

eBook 3: Starting Your OR Implementation
CBS-1 Deposit and Account Services
CBS-1 DP CBS-1 MD CBS-1 MPR CBS-1 ITo CBS-1 SbPS CBS-1 ST

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.

 

More Information About OR-5000 [OR-5] or OR-300 [OR-3]

To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.

If you have any questions, click to contact us.

 
View full post