[OR] [P2-S4] What is Scenario Testing in Operational Resilience?

What is Scenario Testing?

Scenario Testing aims to assess the organisation's ability to remain within impact tolerances during severe but plausible disruption scenarios, focusing on recovery and response arrangements rather than on preventive measures.

Traditional Scenario Versus Impact Tolerance Scenario Test

Conventional operational risk scenarios focus on risk prevention and use Key Risk Indicators (KRIs), Keep Customers Informed (KCIs), and Risk Control Self-Assessments (RCSAs) to assess risk and control effectiveness. 

Impact tolerance assumes a service disruption has occurred; operational resilience scenarios test an organisation’s ability to remain within tolerance and focus on response and recovery actions. 

Why Scenario Test?

Testing is crucial to assess an organisation's impact tolerances and determine if its incident response is fit for purpose. This ensures the firm can recover the business service within the defined impact tolerance.

Testing provides the organisation with a clear understanding of severe but plausible scenarios.

This is where an organisation can determine whether it can or cannot meet the set impact tolerances.

Testing helps an organisation understand that it cannot deliver these critical business services within the impact tolerances if these scenarios occur.

What is the Board's Involvement?

The Board must be informed of scenarios that may not meet the impact scenario.

They must determine whether prioritised investment decisions are required to address findings from scenarios in which organisations would breach their impact tolerances.

How to Perform Scenario Testing?

Scenario testing enables organisations to assess operational resilience by simulating disruptive events and evaluating their responses.  The following steps outline the process:

Define Scenarios

• Develop a range of realistic scenarios representing potential operational disruptions.
• Consider various factors such as cyber-attacks, natural disasters, system failures, supply chain disruptions, and regulatory changes.

Assess Impact

• Evaluate the potential impact of each scenario on critical business services, systems, processes, and stakeholders.
• Consider financial, operational, reputational, and customer impacts.

Conduct Testing

• Simulate each scenario and observe how the organisation's operational resilience measures and response plans perform.
  • This may involve tabletop exercises, simulations, or real-time testing of specific systems or processes.

Evaluate Responses

• Analyse the organisation's response to each scenario, including the effectiveness of incident management, communication, and recovery strategies.
• Identify strengths, weaknesses, and areas for improvement.

Document Lessons Learned

• Document the lessons learned from each scenario test, including successful strategies, areas of improvement, and recommendations for enhancing operational resilience.

	Definition	Key Activities	Definition
	Scenario Testing	Testing helps an organisation understand that it cannot deliver these critical business services within the impact tolerances if these scenarios occur.
	Document Scenario Test Finding	Organisations should document: Details of their scenario testing Assumptions made about scenario design  Identified risks to the organisation's ability to stay within impact tolerances. This is needed to discuss self-assessment and compliance in the "Sustain" phase.
	Severe but plausible scenarios	Identify the severe but plausible scenarios they use for testing.  Consider past incidents or near misses within the organisation, across the industry, and in other sectors and jurisdictions when setting scenarios.
	Scenario Library	Create scenarios from an existing scenario library based on activities such as operational risk, industry-specific testing exercises, stress testing, or business continuity. Using the elements of potential impact from the mapping processes and resources exercise, identify scenarios that can be enhanced and tailored to cover specific critical business services.
	Type of Test	These are the different types of tests. Individual Component Testing/ Exercising Integrated Test Combined Component Testing/ Exercising
	Difference between OR and BC Tests and Exercises	Existing testing strategies can be used for scenario testing.  However, it is essential to understand that scenario testing differs from business continuity, disaster recovery or financial stress testing. An OR end-to-end business service resilience test approach needs to be applied. This approach shifts the focus to determining where the point of intolerable harm is reached in severe but plausible scenarios. Most BC or DR testing centres around mitigating harm to the organisation. The change is that the regulators require organisations to consider preventing intolerable harm to consumer.

"Implement" Phase of the OR Planning Methodology

Identify Important Business Services	Map Processes and Resources	Set Impact Tolerance	Conduct Scenario Testing	Improve Lesson Learnt

More Information About Operational Resilience OR-5000 [BL-OR-5] or OR-300 [BL-OR-3] Course

To learn more about the course and schedule, click the buttons below for the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.

	If you have any questions, click to contact us.