[OR] [P2] [S4] [ST] [C6] Designing Severe but Plausible Scenarios

[P2] [S4] Chapter 6

Designing Severe but Plausible Scenarios

Introduction

The effectiveness of scenario testing in operational resilience depends fundamentally on the quality of the scenarios being tested.

Poorly designed scenarios—whether too mild, unrealistic, or disconnected from critical services—fail to provide meaningful insights.

Conversely, well-designed scenarios challenge the organisation in a way that reveals vulnerabilities, tests limits, and drives improvement.

At the heart of this process is the concept of Severe but Plausible Scenarios (SuPS).

These scenarios strike a careful balance: they must be sufficiently extreme to stress the organisation’s resilience capabilities, yet credible enough to reflect real-world risks.

Designing such scenarios requires a structured, risk-based approach grounded in operational realities, data, and emerging threat landscapes.

Purpose of the Chapter

The purpose of this chapter is to guide the development of meaningful and effective severe but plausible scenarios that can be used to rigorously test an organisation’s ability to deliver Critical Business Services (CBS) within defined impact tolerances.

Definition of “Severe but Plausible”

A severe but plausible scenario is a disruption event or series of events that:

• Severe:
• Stretches the organisation’s resilience capabilities
• Has the potential to significantly disrupt Critical Business Services
• Tests the upper limits of impact tolerance

• Plausible:
• Could reasonably occur based on current or emerging risk conditions
• Is supported by historical data, industry trends, or credible threat intelligence
• Reflects realistic operational constraints and dependencies

This definition ensures that scenario testing is neither overly optimistic nor excessively hypothetical.

The objective is not to test “black swan” events with no grounding in reality, but to evaluate how the organisation would perform under credible, high-impact disruptions.

Scenario Design Principles

Designing effective scenarios requires adherence to a set of core principles to ensure relevance, realism, and value.

Realistic Yet Extreme

Scenarios must push the organisation beyond normal operating conditions while remaining believable.

• Avoid overly simplistic disruptions (e.g., single system failure with immediate recovery)
• Incorporate stress factors such as prolonged outages, simultaneous failures, or resource constraints
• Reflect real-world limitations (e.g., limited staff availability, delayed vendor response)

The goal is to simulate conditions where resilience capabilities are genuinely tested, not merely confirmed.

Relevant to Critical Business Services (CBS)

All scenarios must be anchored to the organisation’s Critical Business Services.

This involves:

• Identifying which CBS is being tested
• Ensuring the scenario directly impacts the end-to-end delivery of that service
• Aligning the scenario with customer, regulatory, and business outcomes

Scenarios that are not CBS-aligned risk becoming technical or operational exercises without strategic relevance.

Data-Driven and Risk-Based

Scenario design should be informed by data and structured risk analysis rather than assumptions.

Key inputs include:

• Risk assessments and threat analysis
• Incident and loss data
• Key Risk Indicators (KRIs) and trends
• Industry intelligence and regulatory insights

A data-driven approach ensures that scenarios:

• Reflect actual risk exposure
• Prioritise high-impact and high-likelihood events
• Support defensible decision-making and regulatory expectations

Sources of Scenarios

Developing a robust set of scenarios requires drawing from multiple sources to ensure coverage of both known and emerging risks.

Historical Incidents

Past incidents provide valuable insights into how disruptions occur and evolve.

Examples include:

• Previous internal incidents (system outages, operational failures)
• Industry-wide disruptions (e.g., payment system outages, cyber breaches)
• Global events (pandemics, financial crises, infrastructure failures)

Using historical data allows organisations to:

• Learn from real-world failures
• Identify recurring patterns and vulnerabilities
• Ground scenarios in proven risk events

Emerging Risks

In addition to historical events, organisations must consider forward-looking risks that may not yet have fully materialised.

Key categories include:

• Cyber Risks:
• Ransomware attacks
• Data breaches
• Distributed denial-of-service (DDoS) attacks

• Climate and Environmental Risks:
• Flooding, extreme weather events
• Infrastructure disruptions
• Long-term environmental impacts

• Geopolitical Risks:
• Trade disruptions
• Regulatory changes
• Political instability affecting operations or supply chains

• Technology Risks:
• Cloud service provider outages
• Systemic technology failures
• AI-related risks and automation failures

Incorporating emerging risks ensures that scenario testing remains future-oriented and adaptive to evolving threat landscapes.

Scenario Variables

To enhance realism and complexity, scenarios should be designed with multiple variables that influence how disruptions unfold.

Duration

• Short-term disruptions (minutes to hours)
• Medium-term disruptions (hours to days)
• Prolonged outages (days to weeks)

Longer durations typically introduce additional stress factors, such as resource depletion and customer impact escalation.

Scale

• Localised disruptions affecting a single unit or system
• Enterprise-wide disruptions impacting multiple functions
• Industry-wide or systemic disruptions

Scaling scenarios help assess whether resilience capabilities are proportionate to the magnitude of disruption.

Complexity

• Single-event scenarios (e.g., system failure)
• Multi-event scenarios (e.g., cyberattack combined with third-party outage)
• Dynamic scenarios with evolving conditions and multiple injects

Higher complexity scenarios better reflect real-world conditions, where disruptions rarely occur in isolation.

Cascading Effects

One of the most critical aspects of scenario design is the inclusion of cascading impacts.

Examples include:

• Technology failure leading to operational disruption
• Third-party outage affecting multiple CBS
• Cyber incidents triggering reputational and regulatory consequences

Cascading effects help organisations understand:

• Interdependencies across systems and functions
• How disruptions propagate through the organisation
• The potential for small failures to escalate into major incidents

Designing severe but plausible scenarios is both an art and a science.

It requires balancing realism with severity, leveraging data and experience, and incorporating a wide range of variables to reflect the complexity of modern operational environments.

Well-designed scenarios are critical to the success of scenario testing.

They ensure that testing activities are meaningful, challenging, and aligned with real-world risks and organisational priorities.

By grounding scenarios in Critical Business Services, informed risk analysis, and evolving threat landscapes, organisations can create testing environments that truly stress resilience capabilities and reveal actionable insights.

Ultimately, the strength of an organisation’s operational resilience is only as good as the scenarios it tests against.

Investing in robust scenario design is therefore essential to building a resilient, adaptive, and future-ready organisation.