[OR] [SBC] [E3] [CBS] [1] [ST] Perform Scenario Testing

CBS-1 Retail Deposit & Account Services

Introduction

Scenario testing is a critical component of operational resilience, as outlined in the BSP Circular No. 1203 Series of 2024. It enables banks to assess their ability to remain within defined impact tolerances during severe but plausible disruptions.

For Security Bank Corporation, scenario testing for CBS-1 Retail Deposit and Account Services ensures that essential customer-facing services—such as account access, deposits, withdrawals, and reporting—can continue or be recovered within acceptable thresholds despite disruptions involving cyber threats, ICT failures, third-party outages, or operational breakdowns.

This chapter presents recommended scenario testing themes aligned with regulatory expectations and industry practices, including integration with cyber resilience, ICT risk management, and third-party risk considerations.

It also highlights evidence of proactive risk management, demonstrating the bank’s preparedness and commitment to continuous improvement.

Table P6: Perform Scenario Testing for CBS-1

Sub-CBS Code	Sub-CBS	Recommended Scenario Test Themes	Impact / Effect	Evidence of Proactive Risk Management Action
1.1	Customer Onboarding and Account Application	Digital onboarding platform outage due to cloud service failure *(Cyber/ICT)*	Customers unable to submit applications; onboarding delays	Regular failover testing to the backup onboarding platform; alternate manual onboarding procedures documented
1.2	Customer Identification and Verification (KYC/ CDD)	Third-party KYC utility service disruption *(Third-party + ICT risk)*	Inability to verify customer identity; compliance breach risk	Periodic vendor resilience testing; fallback to manual KYC verification procedures
1.3	Account Approval and Opening	Core banking approval workflow system failure *(ICT system failure)*	Delayed account activation; customer dissatisfaction	DR site activation testing; automated workflow recovery drills
1.4	Initial Funding and Deposit Booking	Payment gateway failure during initial funding *(Cyber/ICT + external dependency)*	Failed or delayed funding transactions	Integration testing with alternate payment channels; reconciliation controls for failed transactions
1.5	Product Terms Setup and Account Parameter Maintenance	Configuration errors or system patch failure *(ICT change risk)*	Incorrect account settings are impacting interest/fees	Pre-deployment testing and rollback procedures; configuration audit controls
1.6	Deposit Transactions Processing	Core banking system outage or batch processing failure *(ICT failure)*	Deposits not processed or delayed posting	High-availability architecture testing; batch recovery and replay testing
1.7	Withdrawal and Funds Access Processing	ATM network outage or cyberattack *(Cyber resilience)*	Customers unable to withdraw funds; reputational impact	ATM network resilience testing; cyberattack simulation exercises; cash contingency planning
1.8	Account Servicing and Customer Maintenance	CRM system outage or data corruption *(ICT/data risk)*	Inability to update customer records; service delays	Data backup restoration testing; alternate servicing channels (branch/manual)
1.9	Interest, Fees, and Charges Processing	End-of-day processing failure *(ICT batch processing risk)*	Incorrect interest/fee calculations; financial impact	Recalculation and adjustment procedures tested; automated reconciliation checks
1.10	Statement, Passbook, and Balance Reporting	Statement generation system failure *(ICT system failure)*	Customers are unable to access account statements	Alternate digital statement channels tested; manual statement generation procedures
1.11	Digital Account Access and Channel Integration	Mobile/online banking outage due to DDoS attack *(Cyber risk)*	Customers are unable to access accounts digitally	DDoS simulation testing, traffic rerouting and WAF activation drills
1.12	Reconciliation and Exception Management	Reconciliation system failure or data mismatch *(ICT/data integrity risk)*	Unresolved discrepancies; financial reporting inaccuracies	Automated reconciliation fallback procedures; exception handling drills
1.13	Fraud Detection and Transaction Monitoring	Fraud monitoring system downtime *(Cyber/ICT risk)*	Increased fraud exposure; delayed alerts	Manual monitoring procedures tested; AI/ML model fallback and alert escalation drills
1.14	Regulatory Reporting and Compliance Monitoring	Regulatory reporting system outage *(ICT + compliance risk)*	Delayed or inaccurate regulatory submissions	Regulatory reporting contingency procedures; manual reporting capability tested
1.15	Incident Response, Business Continuity, and Recovery	Major data centre outage or ransomware attack *(Cyber + ICT + BCP)*	Multiple service disruptions across CBS-1	Full-scale BCP and DR simulation exercises; crisis management and communication drills

Banner [Summing] [OR] [E3] Perform Scenario Testing

Scenario testing for CBS-1 Retail Deposit and Account Services enables Security Bank Corporation to validate its resilience capabilities against a wide range of severe but plausible disruptions.

By integrating cyber resilience, ICT risk management, and third-party dependencies into testing scenarios, the bank ensures alignment with the expectations of BSP Circular No. 1203 Series of 2024.

The structured approach to testing—supported by documented evidence, including failover exercises, cyberattack simulations, and manual fallback procedures—demonstrates proactive risk management.

Ultimately, these efforts strengthen the bank’s ability to maintain critical services within defined impact tolerances, safeguard customer trust, and ensure regulatory compliance in an increasingly complex risk environment.

eBook 3: Starting Your OR Implementation
CBS-1 Retail Deposit & Account Services
CBS-1 DP	CBS-1 MD	CBS-1 MPR	CBS-1 ITo	CBS-1 SuPS	CBS-1 ST

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.

More Information About OR-5000 [OR-5] or OR-300 [OR-3]

To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.