Steps to Develop “Severe but Plausible Scenarios” in Operational Resilience Implementation
Introduction
Operational resilience is more than just business continuity rebranded — it is a forward-looking discipline that ensures organisations can adapt, respond, and continue delivering critical services amidst disruption.
At the heart of this framework lies the concept of “severe but plausible scenarios” — hypothetical situations designed to test a firm's operational capabilities to their limits.
These are not everyday incidents; instead, they reflect rare but realistic disruptions that could severely impact an organisation’s ability to function.
Developing such scenarios is essential for identifying vulnerabilities, testing impact tolerances, and ensuring that contingency plans are not only documented but also effective under pressure.
This chapter outlines the structured steps organisations should follow to build, validate, and regularly refine these scenarios, enabling a more proactive and robust resilience strategy.
Step 1: Identify Critical Business Services
Begin by defining the organisation’s Critical Business Services (CBS) — the services that, if disrupted, could cause intolerable harm to customers, markets, or the firm itself. Understanding what is truly critical helps narrow the scope of scenario development.
Step 2: Establish 
For each IBS, define the impact tolerance, i.e., the maximum acceptable level of disruption (in terms of duration, volume, or scale) before it results in severe consequences. This becomes the benchmark for testing scenarios.
Step 3: Conduct Risk and Threat Mapping
Analyse internal and external risk landscapes, including:
- Historical incident data (e.g., outages, cyberattacks)
- Emerging risks (e.g., geopolitical tensions, climate risks)
- Sector-specific threats (e.g., supply chain reliance, regulatory pressure)
This analysis should consider low-likelihood but high-impact events that could affect business services.
Step 4: Define Scenario Attributes
Design each scenario by incorporating these core dimensions:
- Trigger event (e.g., ransomware attack, pandemic, data centre fire)
- Scope of impact (e.g., business unit, third parties, entire network)
- Duration and severity (how long, how widespread, how deep)
- Cascading effects (e.g., loss of customer data, reputational damage)
Ensure each scenario is both severe enough to test limits and plausible based on real-world conditions.
Step 5: Validate Scenarios with Stakeholders
Engage cross-functional teams (e.g., operations, IT, legal, risk, compliance) to review and validate the realism and relevance of each scenario. Their insights ensure the scenario reflects actual operating constraints, not theoretical assumptions.
Step 6: Map Scenarios to Critical Business Services
Link each scenario to one or more Critical Business Services. Identify which services would be directly impacted, and how quickly the scenario might breach the service’s impact tolerance.
Step 7: Test Resilience Through Simulation or Tabletop Exercises
Use the scenarios in simulation exercises to evaluate:
- The effectiveness of current controls and response strategies
- The speed and coordination of recovery actions
- Gaps in communication, governance, or technical recovery
Document findings to inform updates to continuity plans and operational improvements.
Step 8: Update Scenarios Regularly
Review and refresh scenarios annually or after material changes, such as:
- Introduction of new technologies or services
- Regulatory updates
- Changes in threat landscape (e.g., AI-based attacks, pandemics)
Scenarios must evolve to remain relevant and reflective of real risks.
Summing Up ...
Severe but plausible scenarios are more than a regulatory expectation — they are a strategic tool for exposing hidden weaknesses and strengthening an organisation’s preparedness posture.
By following a disciplined approach to scenario development, firms can move from reactive crisis management to proactive resilience-building.
Regular testing against these realistic but challenging scenarios ensures that organisations remain within their impact tolerances, even when facing disruptions of significant scale or complexity.
Ultimately, organisations that embed scenario-based thinking into their operational resilience programs gain not only compliance benefits but also a sharper, more confident ability to serve customers, protect stakeholders, and withstand the unexpected.
"Implement" Phase of the OR Planning Methodology
Identify Important Business Services | Map Processes and Resources | Set Impact Tolerance | Conduct Scenario Testing | Improve Lesson Learnt