[OR] [P2] [S4] [ST] [C2] Regulatory and Standards Context

[P2] [S4] Chapter 2

Regulatory and Standards Context

Introduction

Scenario testing has become a central expectation in operational resilience frameworks globally.

Regulators and standard-setting bodies increasingly require organisations to move beyond policy documentation and demonstrate, through structured testing, their ability to withstand and recover from disruption while maintaining critical services.

Across jurisdictions, there is a clear and consistent shift toward outcome-based supervision, where organisations must provide evidence that their Critical Business Services (CBS) can operate within defined impact tolerances under severe but plausible scenarios.

This shift is reinforced by international standards such as ISO 22301 and ISO 22361, which emphasise testing, exercising, and continuous improvement.

This chapter provides an overview of key regulatory expectations and standards relevant to scenario testing, highlighting the convergence of global practices and the growing emphasis on end-to-end service validation.

Purpose of the Chapter

The purpose of this chapter is to provide regulatory grounding for scenario testing by outlining global expectations, aligning with international standards, and explaining the increasing supervisory focus on scenario-based validation of operational resilience.

Overview of Global Regulatory Expectations

Regulators across major financial jurisdictions have introduced or enhanced operational resilience requirements, with scenario testing as a core component.

Singapore – Monetary Authority of Singapore (MAS)

The Monetary Authority of Singapore (MAS) has established comprehensive expectations for operational resilience through its guidance on Achieving Operational Resilience for Financial Institutions in Singapore.

Key expectations include:

• Identification of Critical Business Services (CBS)
• Establishment of impact tolerances
• Conduct scenario testing to validate resilience capabilities
• Integration with existing frameworks such as BCM, Technology Risk Management (TRM), and Operational Risk Management (ORM)

MAS places strong emphasis on:

• End-to-end testing of CBS
• Testing under severe but plausible scenarios
• Demonstrating resilience through evidence-based outcomes

Philippines – BSP Circular No. 1203

The Bangko Sentral ng Pilipinas (BSP), through Circular No. 1203 (2024), has formalised operational resilience requirements for financial institutions.

Key elements include:

• Mandatory identification of critical operations/services
• Requirement to define and monitor impact tolerances
• Expectation to conduct scenario testing to assess resilience
• Integration of resilience across risk management, BCM, and ICT frameworks

BSP emphasises:

• Practical validation of resilience capabilities
• Testing of interdependencies and third-party risks
• Continuous improvement based on testing outcomes

Malaysia – Bank Negara Malaysia (BNM)

The Bank Negara Malaysia (BNM) incorporates scenario testing within its broader resilience and BCM expectations, including:

• Business Continuity Management Policy (PD-BCM)
• Risk Management in Technology (RMiT)
• Operational Resilience Discussion Paper (2025)

BNM highlights:

• The need for regular testing and exercising
• Integration of technology and cyber resilience testing
• Consideration of third-party and systemic risks

Scenario testing is viewed as a mechanism to:

• Validate resilience strategies
• Ensure readiness for operational disruptions
• Strengthen governance and oversight

United Kingdom – PRA and FCA

The Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) have introduced one of the most advanced operational resilience frameworks globally.

Key requirements include:

• Identification of Important Business Services (IBS)
• Setting of impact tolerances
• Conduct of mapping and scenario testing

Regulators explicitly require:

• Testing against severe but plausible scenarios
• Evidence that firms can remain within impact tolerances
• Use of scenario testing to identify vulnerabilities and improve resilience

The UK framework strongly reinforces:

• Service-centric testing
• End-to-end validation across dependencies
• Continuous improvement based on testing results

Alignment with ISO Standards

In addition to regulatory requirements, international standards provide a structured foundation for scenario testing.

ISO 22301 – Business Continuity Management

The ISO 22301 standard requires organisations to:

• Establish, implement, and maintain a BCM system
• Conduct testing and exercising programmes
• Validate the effectiveness of continuity strategies and plans

Key principles relevant to scenario testing:

• Regular and structured exercise programmes
• Evaluation of response and recovery capabilities
• Continuous improvement through lessons learned

While ISO 22301 focuses on BCM, its testing requirements form a foundation for operational resilience scenario testing.

ISO 22361 – Crisis Management

The ISO 22361 standard guides on:

• Crisis management frameworks
• Leadership and decision-making during crises
• Communication and coordination

In the context of scenario testing:

• Supports crisis management exercises
• Emphasises strategic response validation
• Enhances governance and leadership readiness

Together, ISO 22301 and ISO 22361 provide a complementary framework for testing operational and crisis response capabilities.

Supervisory Focus on Scenario Testing as Evidence of Resilience

A defining feature of modern regulatory frameworks is the emphasis on demonstrable resilience.

From Policy to Evidence

Regulators now expect organisations to:

• Provide evidence of testing activities
• Demonstrate outcomes against impact tolerances
• Show how testing results inform improvements

Scenario testing serves as:

• A validation mechanism for resilience frameworks
• A source of evidence for supervisory reviews
• A tool for governance and assurance

Key Regulatory Expectations

Across jurisdictions, regulators consistently expect:

• Testing of critical services under stress conditions
• Inclusion of severe but plausible scenarios
• Consideration of interdependencies and third-party risks
• Documentation of results, gaps, and remediation actions

Failure to conduct meaningful scenario testing may result in:

• Regulatory findings or enforcement actions
• Increased supervisory scrutiny
• Reputational and operational risks

Role in Governance and Oversight

Scenario testing outputs are expected to be:

• Reported to senior management and the Board
• Integrated into risk management frameworks
• Used to inform strategic decisions and investments

This elevates scenario testing from an operational activity to a strategic governance tool.

Increasing Emphasis on End-to-End Service Testing

One of the most significant developments in operational resilience is the shift toward end-to-end service testing.

From Component Testing to Service Testing

Traditional approaches focused on:

• Individual systems or processes
• Isolated recovery capabilities

Modern expectations require:

• Testing of complete service delivery chains
• Inclusion of all supporting dependencies
• Evaluation of customer and stakeholder impact

Integration Across Resilience Pillars

End-to-end testing requires integration of:

• Operational Risk Management
• Business Continuity Management
• Crisis Management
• Cyber and Technology Resilience
• Third-Party Risk Management

This ensures that scenario testing reflects:

• Real-world complexity
• Interconnected risks
• Holistic resilience capabilities

Ecosystem and Systemic Considerations

Regulators increasingly expect organisations to:

• Consider ecosystem-wide dependencies
• Participate in industry-wide testing exercises
• Assess systemic risks and interconnections

This expands the scope of scenario testing beyond the organisation to the broader financial system.

The regulatory and standards landscape for scenario testing reflects a clear and consistent global direction: organisations must demonstrate their ability to maintain critical services under disruption through structured, evidence-based testing.

Across jurisdictions—including MAS, BSP, BNM, and UK regulators—scenario testing is no longer optional. It is a core requirement for validating operational resilience.

Complemented by international standards such as ISO 22301 and ISO 22361, these expectations provide a robust framework for designing and executing effective testing programmes.

The increasing emphasis on end-to-end service testing, interdependencies, and continuous improvement highlights the need for organisations to adopt a holistic and integrated approach.

Scenario testing is no longer just a compliance exercise—it is a strategic capability that underpins resilience, governance, and long-term sustainability.

As regulatory expectations continue to evolve, organisations that embed scenario testing into their operational resilience frameworks will be better positioned to anticipate disruptions, respond effectively, and maintain the trust of customers, regulators, and stakeholders.