Operational resilience is more than just business continuity rebranded — it is a forward-looking discipline that ensures organisations can adapt, respond, and continue delivering critical services amidst disruption.
Severe but plausible scenarios are not everyday incidents; instead, they reflect rare but realistic disruptions that could severely impact an organisation’s ability to function.
Developing such scenarios is essential for identifying vulnerabilities, testing impact tolerances, and ensuring that contingency plans are not only documented but also effective under pressure.
This chapter outlines the structured steps organisations should follow to build, validate, and regularly refine these scenarios, enabling a more proactive and robust resilience strategy.
For each important business service (IBS), define the impact tolerance, i.e., the maximum acceptable level of disruption (in terms of duration, volume, or scale) before it results in severe consequences. This becomes the benchmark against which scenarios are tested.
Analyse internal and external risk landscapes, including:
Historical incident data (e.g., outages, cyberattacks)
Emerging risks (e.g., geopolitical tensions, climate risks)
Sector-specific threats (e.g., supply chain reliance, regulatory pressure)
This analysis should consider low-likelihood but high-impact events that could affect business services.
Design each scenario by incorporating these core dimensions:
Trigger event (e.g., ransomware attack, pandemic, data centre fire)
Scope of impact (e.g., business unit, third parties, entire network)
Duration and severity (how long, how widespread, how deep)
Cascading effects (e.g., loss of customer data, reputational damage)
Ensure each scenario is both severe enough to test limits and plausible based on real-world conditions.
Engage cross-functional teams (e.g., operations, IT, legal, risk, compliance) to review and validate the realism and relevance of each scenario. Their insights ensure the scenario reflects actual operating constraints, not theoretical assumptions.
Link each scenario to one or more Critical Business Services. Identify which services would be directly impacted, and how quickly the scenario might breach the service’s impact tolerance.
Use the scenarios in simulation exercises to evaluate:
The effectiveness of current controls and response strategies
The speed and coordination of recovery actions
Gaps in communication, governance, or technical recovery
Document findings to inform updates to continuity plans and operational improvements.
Review and refresh scenarios annually or after material changes, such as:
Introduction of new technologies or services
Regulatory updates
Changes in threat landscape (e.g., AI-based attacks, pandemics)
Scenarios must evolve to remain relevant and reflective of real risks.
Severe but plausible scenarios are more than a regulatory expectation — they are a strategic tool for exposing hidden weaknesses and strengthening an organisation’s preparedness posture.
By following a disciplined approach to scenario development, firms can move from reactive crisis management to proactive resilience-building.
Regular testing against these realistic but challenging scenarios ensures that organisations remain within their impact tolerances, even when facing disruptions of significant scale or complexity.
Ultimately, organisations that embed scenario-based thinking into their operational resilience programs gain not only compliance benefits but also a sharper, more confident ability to serve customers, protect stakeholders, and withstand the unexpected.
Key Activity | Definition
--- | ---
Scenario Testing | Testing helps an organisation understand whether it can continue to deliver its critical business services within the impact tolerances if these scenarios occur.
Document Scenario Test Findings | Organisations should document their scenario test findings. This is necessary for discussing self-assessment and compliance in the "Sustain" phase.
Severe but Plausible Scenarios | Identify the severe but plausible scenarios used for testing. Consider past incidents or near misses within the organisation, the industry, and other sectors and jurisdictions when setting scenarios.
Scenario Library | Create scenarios from an existing scenario library based on activities such as operational risk, industry-specific testing exercises, stress testing, or business continuity. Using the elements of potential impact from the mapping of processes and resources exercise, identify scenarios that can be enhanced and tailored to cover specific critical business services.
Type of Test | These are the different types of tests.
Difference between OR and BC Tests and Exercises | Existing testing strategies can be used for scenario testing. However, it is essential to understand that scenario testing differs from business continuity (BC), disaster recovery (DR) or financial stress testing. An end-to-end business service resilience test approach should be applied for operational resilience (OR) needs. This approach shifts the focus to determining where the point of intolerable harm is reached in severe but plausible scenarios. Most BC or DR testing centres on mitigating harm to the organisation; the change is that regulators require organisations to consider preventing intolerable harm to consumers.

Operational resilience lifecycle (figure): Identify Important Business Services → Map Processes and Resources → Set Impact Tolerance → Conduct Scenario Testing → Improve (Lessons Learnt)
To learn more about the course and schedule, see the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.