[OR] [P2-S4] What is Scenario Testing in Operational Resilience?

What is Scenario Testing?

Scenario Testing aims to test the organisation's ability to remain within impact tolerances in severe but plausible disruption scenarios, focusing on recovery and response arrangements rather than preventative measures.

Traditional Scenario Versus Impact Tolerance Scenario Test

Traditional operational risk scenarios focus on risk prevention and use Key Risk Indicators (KRIs), Keep Customer Informed (KCIs), and Risk Control Self Assessments (RCSAs) to understand risk and control effectiveness.

Impact tolerance assumes a service disruption has occurred, so operational resilience scenarios test an organisation’s ability to stay within tolerance and focus on response and recovery actions.

Why Scenario Test?

Testing is crucial to assess an organisation's impact tolerances and determine if its incident response is fit for purpose. This ensures the firm can recover the business service within the defined impact tolerance.

Testing gives the organisation a clear understanding of the severe but plausible scenarios. This is where an organisation can be sure whether that can or cannot meet the set impact tolerances.

Testing helps an organisation better understand that it cannot deliver these critical business services within the impact tolerances if these scenarios occur.

What is the Board's Involvement?

The Board needs to be informed of particular scenarios that may not meet the impact scenario.

They must ascertain whether prioritised investment decisions are required to address findings from scenarios where organisations would breach their impact tolerances.

How to Perform Scenario Testing?

Scenario testing allows organisations to assess their operational resilience by simulating various disruptive events and evaluating their responses. The following steps outline the process:

Define Scenarios

Develop a range of realistic scenarios representing potential operational disruptions.
Consider various factors such as cyber-attacks, natural disasters, system failures, supply chain disruptions, and regulatory changes.

Assess Impact

Evaluate the potential impact of each scenario on critical business services, systems, processes, and stakeholders.
Consider financial, operational, reputational, and customer impacts.

Conduct Testing

Simulate each scenario and observe how the organisation's operational resilience measures and response plans perform.
- This may involve tabletop exercises, simulations, or real-time testing of specific systems or processes.

Evaluate Responses

Analyse the organisation's response to each scenario, including the effectiveness of incident management, communication, and recovery strategies.
Identify strengths, weaknesses, and areas for improvement.

Document Lessons Learned

Document the lessons learned from each scenario test, including successful strategies, areas of improvement, and recommendations for enhancing operational resilience.

Definition	Key Activities	Definition
Scenario Testing	Testing helps an organisation better understand that it cannot deliver these critical business services within the impact tolerances if these scenarios occur.
Document Scenario Test Finding	Organisations should document: Details of their scenario testing Assumptions made about scenario design Identified risks to the organisation's ability to stay within impact tolerances. This is needed for the self-assessment and compliance to be discussed in the "Sustain" phase.
Severe but plausible scenarios	Identify the severe but plausible scenarios they use for testing. When setting scenarios, consider past incidents or near misses within the organisation, industry, and other sectors and jurisdictions.
Scenario Library	Create scenarios from an existing scenario library based on activities such as operational risk, industry-specific testing exercises, stress testing, or business continuity. Using the elements of potential impact from the mapping processes and resources exercise, identify scenarios that can be enhanced and tailored to cover specific critical business services.
Type of Test	These are the different types of tests. Individual Component Testing/ Exercising Integrated Test Combined Component Testing/ Exercising
Difference between OR and BC Tests and Exercises	Existing testing strategies can be used for scenario testing. However, it is essential to understand that scenario testing differs from business continuity, disaster recovery or financial stress testing. An OR end-to-end business service resilience test approach needs to be applied. It is a shift in focus to determine where the point of intolerable harm is reached in severe but plausible scenarios. Most BC or DR testing centres around mitigating harm to the organisation. The change is that the regulators require organisations to consider preventing intolerable harm to consumer.

"Implement" Phase of the OR Planning Methodology

Identify Important Business Services	Map Processes and Resources	Set Impact Tolerance	Conduct Scenario Testing	Improve Lesson Learnt

More Information About Operational Resilience OR-5000 [BL-OR-5] or OR-300 [BL-OR-3] Course

To learn more about the course and schedule, click the buttons below for the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.