[OR] [PTC] [E3] [CBS] [1] [ST] Perform Scenario Testing

Scenario testing is a core component of operational resilience, enabling financial institutions to assess their ability to continue delivering critical business services under severe but plausible disruption scenarios.

In alignment with BSP Circular No. 1203, Philippine Trust Company is required to test its resilience capabilities across people, processes, technology, and third-party dependencies—particularly for critical services such as CBS-1 Deposit and Account Services.

This chapter presents a structured set of scenario testing themes for each Sub-CBS. These scenarios incorporate cyber and ICT risk integration, reflecting increasing regulatory emphasis on cyber resilience, system availability, and third-party risk management.

The table also highlights expected impacts and evidence of proactive risk management actions, ensuring alignment with regulatory expectations for continuous improvement and resilience validation.

Table P6: Perform Scenario Testing for CBS-1

Sub-CBS Code	Sub-CBS	Recommended Scenario Test Themes (Including Cyber & ICT Risks)	Impact / Effect	Evidence of Proactive Risk Management Action
1.1	Customer Onboarding and Account Application	Digital onboarding platform outage; surge in applications during system degradation; cyberattack on onboarding portal	Delayed onboarding, customer dissatisfaction, and revenue loss	Load testing reports; alternate manual onboarding procedures; cybersecurity penetration testing results
1.2	Customer Identification and Verification (KYC/CDD)	Failure of e-KYC systems; third-party identity provider outage; data breach of customer records	Compliance breaches, onboarding delays, and regulatory penalties	KYC fallback procedures; vendor SLA monitoring; data encryption and access logs
1.3	Account Approval and Opening	Workflow system failure; unauthorised access to approval systems	Unauthorised accounts; processing delays	Segregation of duties controls, audit trails, approval matrix, and validation testing
1.4	Initial Funding and Deposit Booking	Core banking system downtime; failed transaction posting; payment gateway outage	Inaccurate balances; failed deposits; reputational impact	Transaction reconciliation logs, backup processing capability, and settlement monitoring
1.5	Product Terms Setup and Account Parameter Maintenance	Misconfiguration of product parameters; system patch failure	Incorrect interest/fees; customer complaints	Change management records; system validation testing; maker-checker controls
1.6	Deposit Transactions Processing	Core banking outage; batch processing failure; ransomware attack on transaction servers	Inability to process deposits; financial losses	Disaster recovery (DR) test results; backup systems; transaction rollback procedures
1.7	Withdrawal and Funds Access Processing	ATM/POS network outage; liquidity constraints; cyberattack on payment switch	Customers unable to access funds; operational disruption	ATM network monitoring; liquidity contingency plans; fraud detection alerts
1.8	Account Servicing and Customer Maintenance	CRM system downtime; unauthorised changes to customer data	Service delays; data integrity issues	Access control logs, customer request tracking, and periodic audits
1.9	Interest, Fees, and Charges Processing	Batch job failure; incorrect interest calculation due to a system error	Financial misstatements; customer disputes	Reconciliation reports; automated validation checks; exception reporting
1.10	Statement, Passbook, and Balance Reporting	Statement generation failure; data corruption; cyberattack on the reporting system	Inaccurate reporting; customer dissatisfaction	Data integrity checks, backup reporting systems, and audit logs
1.11	Digital Account Access and Channel Integration	Mobile/online banking outage; DDoS attack; API integration failure	Loss of digital access; customer churn	DDoS mitigation controls; API monitoring dashboards; uptime reports
1.12	ATM and Card-Based Access Management	ATM network failure; card system compromise; skimming attacks	Inability to withdraw funds; fraud losses	ATM monitoring; card fraud detection systems; EMV controls
1.13	Account Reconciliation and Exception Handling	Reconciliation system failure; delayed exception resolution	Financial discrepancies; reporting errors	Daily reconciliation reports; exception tracking logs; escalation procedures
1.14	Dormancy, Holds, Restrictions, and Account Control Administration	Incorrect account restrictions; system failure in status updates	Customer inconvenience; compliance breaches	Audit trails; periodic account review; control validation
1.15	Fraud Monitoring and Transaction Surveillance for Deposit Accounts	Failure of the fraud detection system; advanced persistent cyber threats	Increased fraud losses; regulatory scrutiny	Real-time monitoring dashboards; incident response drills; threat intelligence integration
1.16	Complaints, Disputes, and Service Recovery	Contact centre outage; ticketing system failure; surge in complaints during crisis	Poor customer experience; regulatory complaints	Call centre DR tests, complaint resolution SLAs, service recovery plans
1.17	Regulatory Reporting and Compliance Monitoring	Failure of reporting systems, inaccurate regulatory submissions, and data breaches	Regulatory sanctions; reputational damage	Regulatory reporting validation; compliance reviews; secure data transmission controls
1.18	Incident Response, Business Continuity, and Recovery	Cyberattack (ransomware); data center outage; third-party service disruption	Prolonged service outage; systemic failure	BCP and DR test results; crisis management exercises; recovery time objective (RTO) validation

Scenario testing provides Philippine Trust Company with a structured and forward-looking approach to validating its operational resilience posture.

By simulating severe but plausible disruptions—including cyber threats, system failures, and third-party outages—the bank can identify vulnerabilities and strengthen its response capabilities across all Sub-CBS within CBS-1 Deposit and Account Services.

In line with BSP Circular No. 1203, integrating cyber and ICT risks into scenario testing ensures that resilience is not only operational but also technology- and security-focused.

The evidence of proactive risk management demonstrates the institution’s commitment to continuous improvement, regulatory compliance, and the sustained delivery of critical services, even under adverse conditions.

PTC PH Title Banner

eBook 3: Starting Your OR Implementation
CBS-1 Deposit & Account Services
CBS-1 DP	CBS-1 MD	CBS-1 MPR	CBS-1 ITo	CBS-1 SuPS	CBS-1 ST

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.

More Information About OR-5000 [OR-5] or OR-300 [OR-3]

To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.



	If you have any questions, click to contact us.

From Risk to Resilience: A Strategic Operational Resilience Framework for Philippine Trust Company

[OR] [PTC] [E3] [CBS] [1] [ST] Perform Scenario Testing

Operational Resilience Certified Planner-Specialist-Expert

Table P6: Perform Scenario Testing for CBS-1

More Information About OR-5000 [OR-5] or OR-300 [OR-3]

Comments:

From Risk to Resilience: A Strategic Operational Resilience Framework for Philippine Trust Company

[OR] [PTC] [E3] [CBS] [1] [ST] Perform Scenario Testing

Operational Resilience Certified Planner-Specialist-Expert

hbspt.cta._relativeUrls=true;hbspt.cta.load(3893111, '7c430549-26ff-4b42-bdb6-332f54f85759', {"useNewLoader":"true","region":"na1"});

hbspt.cta._relativeUrls=true;hbspt.cta.load(3893111, '3c32e9b3-ea88-44c3-9182-fa3e6a9aadee', {"useNewLoader":"true","region":"na1"});

Table P6: Perform Scenario Testing for CBS-1

More Information About OR-5000 [OR-5] or OR-300 [OR-3]

Comments: