eBook OR

[OR] [WFP] [E3] [CBS] [1] [ST] Perform Scenario Testing

Written by Moh Heng Goh | Apr 16, 2026 10:21:35 AM

Introduction

Scenario testing is a critical component of operational resilience, as emphasised in BSP Circular No. 1203, which requires financial institutions to assess their ability to remain within impact tolerances under severe but plausible disruptions.

For Wells Fargo Philippines, scenario testing for CBS-1 Payment & Transaction Processing ensures that end-to-end payment flows—from initiation to settlement—remain resilient against operational, cyber, third-party, and liquidity risks.

Aligned with the BCM Institute’s Scenario Testing framework, these tests simulate real-world disruptions, including system outages, cyberattacks, network failures, and data integrity issues.

Each scenario is designed to validate recovery strategies, interdependencies, and decision-making capabilities while demonstrating integration with Cyber and ICT risk management as required by regulators.

Table P6: Perform Scenario Testing for CBS-1

 

Sub-CBS Code

Sub-CBS

Recommended Scenario Test Themes (incl. Cyber & ICT Risk Integration)

Impact / Effect

Evidence of Proactive Risk Management Action

1.1

Payment Initiation and Capture

Digital channel outage (mobile/online banking), API gateway failure, DDoS attack on front-end systems

Inability to initiate payments; customer dissatisfaction

Multi-channel fallback (branch/manual), DDoS protection, and tested channel redundancy

1.2

Customer Authentication and Authorization

IAM system compromise, MFA failure, credential stuffing attack

Unauthorised access or login failure

Strong MFA controls, IAM failover, fraud monitoring alerts, and regular penetration testing

1.3

Payment Validation and Compliance Screening

Sanctions screening engine failure, AML system latency, corrupted watchlist data

Non-compliant payments processed; regulatory breach

Dual screening engines, periodic data validation, and regulatory reporting controls

1.4

Transaction Routing and Network Integration

Payment network outage (e.g., SWIFT disruption), API integration failure, telecom outage

Payment routing delays or failures

Alternate routing paths, SWIFT contingency procedures, and network redundancy

1.5

Funds Availability Check and Reservation

Core banking latency, database inconsistency, and real-time balance sync failure

Incorrect balance checks; overdrafts

Real-time reconciliation checks, database replication, and failover testing

1.6

Payment Processing and Execution

Core payment engine crash, batch job failure, ransomware attack

Payments not executed or delayed

Active-active processing environment, backup execution engine, ransomware recovery drills

1.7

Interbank Clearing and Settlement Processing

Clearing house outage, settlement system delay, liquidity gridlock

Settlement delays; systemic risk exposure

Participation in contingency clearing, liquidity buffers, and central bank coordination

1.8

Cross-Border Payment Processing

FX system outage, correspondent bank failure, geopolitical disruption

Delayed or rejected international payments

Pre-arranged correspondent alternatives, FX hedging strategy, and regulatory compliance checks

1.9

Transaction Monitoring and Fraud Detection

Fraud monitoring system downtime, AI model failure, cyber intrusion

Increased fraud risk; undetected suspicious transactions

Secondary monitoring tools, manual review escalation, and real-time alerts

1.10

Exception Handling and Repair Processing

Workflow system outage, backlog surge due to system failure

Delayed resolution of failed transactions

Automated repair tools, surge staffing plans, prioritisation protocols

1.11

Reconciliation and Ledger Balancing

Ledger mismatch due to data corruption, reconciliation tool failure

Financial misstatements; reporting inaccuracies

Daily reconciliation controls, automated exception detection, and audit trails

1.12

Payment Status Notification and Reporting

Notification system failure (SMS/email), reporting dashboard outage

Customers uninformed; reputational impact

Redundant notification systems, alternate communication channels

1.13

Customer Dispute and Claims Handling

Case management system outage, cyber breach of customer data

Delayed dispute resolution; data privacy breach

Manual claims process fallback, data encryption, and incident response procedures

1.14

Regulatory Reporting and Compliance Monitoring

Regulatory reporting system failure, inaccurate data aggregation

Non-compliance with BSP reporting requirements

Automated reporting validation, compliance dashboards, and audit verification

1.15

Liquidity and Settlement Risk Management

Liquidity stress scenario, intraday funding disruption, market volatility

Inability to settle obligations; financial instability

Liquidity stress testing, contingency funding plans, treasury monitoring

1.16

Third-Party and Correspondent Bank Coordination

Third-party service outage, vendor cyber incident, SLA breach

Dependency failure affecting payment processing

Third-party risk management program, alternate vendors, contractual SLAs

1.17

System Availability and Infrastructure Support

Data centre outage, cloud service failure, cyberattack on infrastructure

End-to-end service disruption

DR site activation, cloud redundancy, and infrastructure resilience testing

1.18

Incident Response and Service Recovery

Delayed incident escalation, ineffective crisis coordination, and cyberattack escalation

Prolonged downtime; breach of impact tolerance

Tested incident response plans, crisis management drills, and recovery time validation

 

Regulatory Alignment (BSP Circular 1203)

The above scenario testing approach aligns with key expectations from BSP Circular No. 1203 (2024), including:

  • Conducting severe but plausible scenario testing across critical business services
  • Ensuring end-to-end mapping of dependencies (people, process, technology, third parties)
  • Demonstrating the ability to remain within defined impact tolerances
  • Integrating Cyber Resilience and ICT Risk Management into operational resilience testing
  • Maintaining evidence of continuous improvement and governance oversight

 

Scenario testing for CBS-1 Payment & Transaction Processing enables Wells Fargo Philippines to validate its resilience across complex, interconnected payment ecosystems.

By simulating disruptions spanning cyber threats, infrastructure failures, liquidity stress, and third-party dependencies, the organisation gains assurance that critical services can continue within acceptable impact thresholds.

More importantly, the structured capture of evidence of proactive risk management actions—such as redundancy, failover capabilities, monitoring systems, and recovery testing—demonstrates regulatory compliance and maturity in operational resilience.

This ensures that Wells Fargo Philippines not only meets the expectations of BSP Circular 1203 but also strengthens stakeholder confidence in its ability to deliver uninterrupted financial services under adverse conditions.

 

eBook 3: Starting Your OR Implementation
CBS-1 Payment & Transaction Processing
CBS-1 DP CBS-1 MD CBS-1 MPR CBS-1 ITo CBS-1 SuPS CBS-1 ST

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.

 

More Information About OR-5000 [OR-5] or OR-300 [OR-3]

To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.

If you have any questions, click to contact us.

 
View full post