[OR] [P2-S4] [1] What is Severe but Plausible Scenarios in Operational Resilience

What are "Severe but Plausible Scenarios" in Operational Resilience?

“Severe but Plausible Scenarios” are hypothetical events—framed within operational resilience planning—that are both severe in impact and plausible in occurrence. They represent disruptions that:

1. Threaten to impair or halt critical business services significantly.

2. Extend beyond ordinary recovery expectations and predefined response measures.

3. Are informed by real-world incidents (either actual or near-miss), drawn from the organisation’s history or similar sectors.

4. Evolve, reflecting lessons learned from testing and changes in the threat landscape.

This concept focuses on crafting scenarios that are not merely extreme but meaningfully stress the entity’s resilience capabilities, challenging whether the organisation can still operate within its impact tolerance thresholds.

The goal is to reveal vulnerabilities and strengthen recovery strategies—not to imagine far-fetched catastrophes, but to deliberately push limits in a realistic and effective way.

Understanding Severe but Plausible Scenarios in Operational Resilience

In the evolving landscape of risk management and operational resilience, one term continues to gain prominence: “Severe but Plausible Scenarios.”

At its core, this concept underpins how organisations assess their resilience to extreme disruptions. These are not hypothetical doomsday events with little chance of occurring, nor are they routine incidents easily mitigated.

Instead, severe but plausible scenarios refer to high-impact events that, while rare, remain within the bounds of possibility.

Their role is critical in stress-testing the organisation's ability to remain within its impact tolerance — the maximum level of disruption an organisation can withstand while still delivering its key business services.

Regulators such as the UK’s Financial Conduct Authority (FCA) require firms to define, test, and evidence their ability to operate through such scenarios.

The goal isn’t to predict every disaster but to proactively test operational limits, uncover vulnerabilities, and build confidence in the firm’s ability to continue serving customers, even in the face of crises.

Scenarios might include extended IT outages, targeted cyberattacks, supply chain collapses, or simultaneous multi-site disruptions. For a scenario to be considered “plausible,” it must reflect realistic threats drawn from historical events, emerging risks, and sector-specific vulnerabilities.

For it to be “severe,” it must push the organisation close to or beyond its operational thresholds.

Designing and testing against severe but plausible scenarios allows organisations to assess if their current controls, response strategies, and recovery capabilities are adequate.

More importantly, it helps determine whether impact tolerances can be maintained during such events — a key expectation under most regulatory frameworks.

This process is not merely a compliance exercise but a strategic advantage, enabling organisations to prioritise investments, streamline contingency plans, and safeguard customer trust when it matters most.

Final Thought

Creating  "Severe but Plausible Scenarios" is not about predicting the future, but rather about preparing for volatility.

These scenarios serve as the bridge between operational planning and strategic foresight, ensuring that firms can effectively serve their customers and protect market integrity, even in the face of extreme disruptions.

	Definition	Key Activities	Definition
	Scenario Testing	Testing helps an organisation understand that it cannot deliver these critical business services within the impact tolerances if these scenarios occur.
	Document Scenario Test Finding	Organisations should document: Details of their scenario testing Assumptions made about scenario design  Identified risks to the organisation's ability to stay within impact tolerances. This is necessary for discussing self-assessment and compliance in the "Sustain" phase.
	Severe but plausible scenarios	Identify the severe but plausible scenarios they use for testing.  Consider past incidents or near misses within the organisation, industry, and other sectors and jurisdictions when setting scenarios.
	Scenario Library	Create scenarios from an existing scenario library based on activities such as operational risk, industry-specific testing exercises, stress testing, or business continuity. Using the elements of potential impact from the mapping processes and resources exercise, identify scenarios that can be enhanced and tailored to cover specific critical business services.
	Type of Test	These are the different types of tests. Individual Component Testing/ Exercising Integrated Test Combined Component Testing/ Exercising
	Difference between OR and BC Tests and Exercises	Existing testing strategies can be used for scenario testing.  However, it is essential to understand that scenario testing differs from business continuity, disaster recovery or financial stress testing. An end-to-end business service resilience test approach should be applied for OR needs. This approach shifts the focus to determining where the point of intolerable harm is reached in severe but plausible scenarios. Most BC or DR testing centres around mitigating harm to the organisation. The change is that the regulators require organisations to consider preventing intolerable harm to consumer.

"Implement" Phase of the OR Planning Methodology

Identify Important Business Services	Map Processes and Resources	Set Impact Tolerance	Conduct Scenario Testing	Improve Lesson Learnt

More Information About Operational Resilience OR-5000 [BL-OR-5] or OR-300 [BL-OR-3] Course

To learn more about the course and schedule, click the buttons below for the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.

	If you have any questions, click to contact us.