eBook 4: Chapter 6
Scenario Testing for Third-Party Failures
Introduction
As organisations become increasingly dependent on third parties, the ability to withstand and recover from third-party failures becomes a defining element of Operational Resilience.
Scenario testing is a critical tool that enables financial institutions to simulate disruptions and assess whether their Critical Business Services (CBS) can continue operating within defined impact tolerances.
Regulators such as the Bangko Sentral ng Pilipinas (BSP) and Bank Negara Malaysia (BNM) require financial institutions to conduct severe but plausible scenario testing, including scenarios involving third-party failures.
These tests must validate whether the organisation can continue to deliver essential services despite disruptions to outsourced or externally supported operations.
Purpose of This Chapter
This chapter provides structured approaches and CBS-aligned templates for conducting scenario testing focused on third-party failures. By the end of this chapter, readers will:
- Understand the role of scenario testing in TPRM and Operational Resilience
- Develop third-party failure scenarios aligned to CBS
- Use standardised templates for scenario testing
- Evaluate resilience against impact tolerances (MTD, MTDL)
- Strengthen recovery and response strategies
Types of Third-Party Failure Scenarios
Third-party failure scenarios should reflect realistic and severe disruptions, including:
- Vendor system outage (cloud, core banking, payment gateway)
- Cyberattack on third-party provider
- Third-party financial failure or insolvency
- Supply chain disruption (fourth-party failure)
- Data breach or data loss
- Service performance degradation
- Regulatory non-compliance by the vendor
Scenario Testing Framework
Key Components of Scenario Testing
| Component | Description |
|---|---|
| Scenario Definition | Description of disruption |
| CBS Impact | Critical services affected |
| Dependencies | Third parties involved |
| Impact Tolerance | MTD, MTDL thresholds |
| Response Actions | Steps to mitigate impact |
| Recovery Strategy | Restoration approach |
| Lessons Learned | Improvement actions |
Section 1: CBS-Level Scenario Testing Table
Template: Scenario Testing for CBS (High-Level)
| CBS | Scenario | Third Party | Impact Description | MTD | MTDL | Response Strategy | Recovery Strategy | Outcome | Remarks |
|---|---|---|---|---|---|---|---|---|---|
Example: CBS-1 Deposit and Account Services
| CBS | Scenario | Third Party | Impact Description | MTD | MTDL | Response Strategy | Recovery Strategy | Outcome | Remarks |
|---|---|---|---|---|---|---|---|---|---|
| CBS-1 | Core banking system outage | Core Banking Vendor | Customers are unable to access their accounts | 4 hrs | 0 data loss | Activate the DR site | Switch to the backup system | Within tolerance | Tested annually |
| CBS-1 | Data breach at cloud provider | Cloud Vendor | Exposure of customer data | Immediate | Minimal | Incident response activation | Data recovery & containment | Partial breach | Improve controls |
Section 2: Sub-CBS Scenario Testing (Detailed Processes)
Template: Scenario Testing for Sub-CBS
| Sub-CBS Code | Sub-CBS | Scenario | Third Party | Impact | MTD | Response Action | Recovery Action | Status |
|---|---|---|---|---|---|---|---|---|
Example: CBS-1 Detailed Processes
| Sub-CBS Code | Sub-CBS | Scenario | Third Party | Impact | MTD | Response Action | Recovery Action | Status |
|---|---|---|---|---|---|---|---|---|
| 1.1 | Customer Onboarding | KYC system failure | KYC Vendor | Delayed onboarding | 24 hrs | Manual onboarding | Restore system | Within tolerance |
| 1.6 | Deposit Transactions | Payment processor outage | Payment Vendor | Transactions fail | 2 hrs | Queue transactions | Switch provider | Exceeded tolerance |
| 1.11 | Digital Access | Mobile app outage | Cloud Provider | Customers are unable to log in | 1 hr | Notify customers | Failover to DR | Within tolerance |
Section 3: Severe but Plausible Scenarios
Template: Severe Scenario Testing
| Scenario ID | Scenario Description | Type (Cyber/Operational/etc.) | CBS Impacted | Third Party | Severity | Likelihood | Overall Risk | Remarks |
|---|---|---|---|---|---|---|---|---|
Example Scenarios
| Scenario ID | Scenario Description | Type | CBS Impacted | Third Party | Severity | Likelihood | Overall Risk | Remarks |
|---|---|---|---|---|---|---|---|---|
| S1 | Cloud provider regional outage | Operational | CBS-1, CBS-2 | Cloud Vendor | High | Medium | High | Multi-CBS impact |
| S2 | Ransomware attack on vendor | Cyber | CBS-1 | IT Vendor | Critical | Medium | Critical | Data risk |
| S3 | Vendor insolvency | Financial | CBS-2 | Payment Vendor | High | Low | Medium | Replace vendor |
Section 4: Scenario Testing Evaluation Template
Template: Test Results and Evaluation
| Scenario | CBS | Test Objective | Result | Within Tolerance (Y/N) | Gaps Identified | Action Plan | Owner | Timeline |
|---|---|---|---|---|---|---|---|---|
Example
| Scenario | CBS | Test Objective | Result | Within Tolerance | Gaps Identified | Action Plan | Owner | Timeline |
|---|---|---|---|---|---|---|---|---|
| Cloud outage | CBS-1 | Validate DR capability | Success | Y | None | Maintain readiness | IT | Ongoing |
| Payment failure | CBS-2 | Ensure continuity | Failed | N | No backup vendor | Add redundancy | Ops | 3 months |
Section 5: Integration with Operational Resilience
Mapping Scenario Testing to OR Framework
| OR Component | Scenario Testing Role |
|---|---|
| CBS | Identify impacted services |
| BIA | Define impact tolerance |
| TPRM | Identify third-party dependencies |
| Crisis Management | Execute response |
| Recovery Planning | Validate recovery strategies |
Section 6: Best Practices for Scenario Testing
1. Use Severe but Plausible Scenarios
Focus on realistic disruptions with significant impact.
2. Include Third and Fourth Parties
Test extended supply chain dependencies.
3. Align with Impact Tolerance
Validate against MTD and MTDL thresholds.
4. Conduct Regular Testing
At least annually for critical vendors.
5. Involve Cross-Functional Teams
Include IT, Risk, Business Units, and Vendors.
6. Capture Lessons Learned
Continuously improve resilience strategies.
Section 7: Implementation Roadmap
Step-by-Step Approach
| Step | Action |
|---|---|
| 1 | Identify CBS and supporting vendors |
| 2 | Define impact tolerances (MTD/MTDL) |
| 3 | Develop scenarios |
| 4 | Execute tests |
| 5 | Evaluate results |
| 6 | Identify gaps |
| 7 | Implement improvements |
Key Takeaways
- Scenario testing validates real-world resilience capability
- Third-party failures must be explicitly tested
- CBS alignment ensures business-focused resilience
- Severe scenarios reveal hidden vulnerabilities
- Continuous testing improves preparedness and response
Scenario testing is a critical component of Third-Party Risk Management and Operational Resilience. It transforms theoretical risk assessments into practical insights by simulating real-world disruptions and evaluating organisational readiness.
By aligning scenario testing with Critical Business Services and incorporating third-party failure scenarios, financial institutions can ensure that they are prepared not only for internal disruptions but also for failures across their extended ecosystem.
This capability is essential for meeting regulatory expectations under BSP Circular No. 1203 and BNM guidelines, and for maintaining customer trust and service continuity in an increasingly interconnected world.
