[OR] [P2] [S4] [ST] [C17] Practical Case Study (Banking Sector Example)

[P2] [S4] Chapter 17

Practical Case Study (Banking Sector Example)

Introduction

While frameworks and methodologies provide structure, the true value of scenario testing is best understood through real-world application.

In the banking sector—where services are highly interconnected and time-sensitive—scenario testing plays a critical role in validating the ability to maintain critical services under disruption.

This chapter presents a practical case study focused on CBS-2: Payments & Funds Transfer Services, illustrating how scenario testing is designed, executed, evaluated, and translated into actionable improvements.

Purpose of the Chapter

The purpose of this chapter is to illustrate the real-world application of scenario testing. It provides a detailed walkthrough of a banking scenario involving a cyberattack on a payment processing system, covering scenario design, execution, results, gaps identified, and key lessons learned.

Case Study Overview

Critical Business Service (CBS-2)

CBS-2: Payments & Funds Transfer Services typically include:

• Payment initiation (retail and corporate)
• Authentication and authorisation
• Funds availability checks
• Payment routing and clearing
• Settlement and posting
• Customer notification

This CBS is highly critical due to:

• High transaction volumes
• Immediate customer impact
• Regulatory and systemic importance

Scenario Description

Scenario: Cyberattack on payment processing system

A ransomware attack compromises the bank’s core payment processing platform, resulting in:

• Inability to process outbound payments
• Delays in interbank settlement
• Potential data integrity concerns
• Increased customer complaints and regulatory scrutiny

Scenario Objectives

The scenario aims to:

• Test the bank’s ability to maintain payments within impact tolerance
• Validate incident detection and escalation processes
• Assess crisis management and decision-making
• Evaluate recovery and failover capabilities
• Test coordination with third-party providers (e.g., payment networks)

Scenario Design

Scope of Testing

• Level: Enterprise-wide with selected third-party participation
• CBS in Scope: CBS-2 Payments & Funds Transfer Services
• Sub-CBS Tested:
• Payment processing engine
• Fraud detection and monitoring
• Interbank clearing interface
• Customer notification systems

Impact Tolerance Defined

Key Assumptions

• Backup systems are available but require manual activation
• Cyberattack spreads progressively across systems
• Third-party clearing systems remain operational
• Customer transaction demand remains high

Scenario Injects

Key injects were designed to simulate escalation:

1. Initial system slowdown and alert triggered
2. Detection of ransomware activity
3. Payment processing halted
4. Surge in customer complaints and social media activity
5. Regulator inquiry on service disruption
6. Data integrity concerns raised

Scenario Execution

Participants

• Payments Operations Team
• IT and Cybersecurity Teams
• Risk and Compliance
• Crisis Management Team (CMT)
• Customer Service
• External payment network representative (observer role)

Execution Timeline

Phase 1: Detection and Initial Response

• Alerts triggered by system anomalies 
• IT team investigates and identifies potential cyber threats
• Incident escalated to senior management

Phase 2: Escalation and Crisis Activation

• The payment processing system becomes unavailable
• CMT is activated after the threshold breach risk is identified
• Internal communication initiated

Phase 3: Response and Recovery

• Decision made to switch to backup processing system
• Manual processes activated for critical transactions
• Customer communication issued

Phase 4: Stabilisation

• Partial service restored through alternate channels
• Monitoring continues for residual threats
• Coordination with regulators maintained

Results and Performance Evaluation

Quantitative Results

Qualitative Assessment

Decision-Making:

• Initial hesitation in declaring a crisis
• Delayed decision to activate the backup system

Communication:

• Internal communication effective
• External communication delayed, leading to customer dissatisfaction

Coordination:

• Strong collaboration between IT and operations
• Gaps in coordination with customer service teams

Gaps Identified

Technology Gaps

• Backup system activation was not automated
• Limited capacity of the alternate processing environment

Process Gaps

• Unclear escalation thresholds for crisis declaration
• Lack of predefined procedures for manual payment processing

People and Capability Gaps

• Limited training on cyber incident response
• Uncertainty in roles during escalation

Third-Party Gaps

• Insufficient coordination protocols with the payment network
• Lack of clarity on fallback arrangements

Root Cause Analysis

Key Lessons Learned

Strengthen Cyber Resilience Integration

• Enhance detection and response capabilities
• Integrate cyber scenarios more frequently into testing

Improve Backup and Recovery Mechanisms

• Automate failover processes
• Increase the capacity of alternate systems

Clarify Escalation and Decision-Making

• Define clear thresholds for crisis activation
• Empower decision-makers with clear authority

Enhance Customer Communication

• Develop pre-approved communication templates
• Ensure timely updates to customers and stakeholders

Strengthen Third-Party Coordination

• Establish clear protocols with payment networks
• Conduct joint scenario testing with key vendors

Remediation Actions

This case study demonstrates how scenario testing provides a realistic and comprehensive assessment of operational resilience in the banking sector. By simulating a cyberattack on payment systems, the organisation was able to identify critical gaps in technology, processes, and decision-making that would not have been evident through theoretical analysis alone.

The insights gained enabled targeted improvements in recovery capabilities, communication, and governance. Most importantly, the exercise reinforced the importance of aligning scenario testing with impact tolerance and conducting end-to-end testing of Critical Business Services.

Ultimately, practical scenario testing—when executed effectively—serves as a powerful tool for strengthening resilience and ensuring that banks can continue to deliver critical services even in the face of severe disruptions.

C1	C2	C3	C4	C5
C6	C7	C8	C9	C10
C11	C12	C13	C14	C15
C16	C17	C18	C19	C20

 

More Information About OR-5000 [OR-5] or OR-300 [OR-3]

To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer and OR-5000 Operational Resilience Expert Implementer courses.

	If you have any questions, click to contact us.