In operational resilience, one of the most critical phases is scenario testing.
Scenario testing is the culmination of our operational resilience efforts. Once we have meticulously mapped our critical business services, processes, and the broader operational landscape, we must test our resilience strategies.
However, scenario testing is not merely another version of BCM or crisis management testing but a unique endeavour.
The scenario testing initiative aims to:
In contrast, operational resilience scenario testing broadens the horizon.
It necessitates the involvement of customers and third-party entities, adding complexity to the testing process.
One key challenge in scenario testing is devising scenarios that meet specific criteria.
Regulators emphasise that scenarios should be high-impact and involve significant disruption.
These criteria are not arbitrary; they are designed to effectively test an organisation’s resilience. A sample of the "impactful" scenarios is appended.
The following scenarios have been developed and categorised to form the foundation of a retail banking scenario testing framework:
|
Category |
Scenario Description |
Critical Business Service Impacted |
|
Cybersecurity Breach |
Simulated ransomware attack on payment systems. |
Payment Processing |
|
Third-Party Failure |
Service outage from a critical vendor affecting loan approvals. |
Loan Management |
|
Natural Disaster |
Flood affecting primary data centres and office locations. |
Core Banking Services |
|
Pandemic Scenario |
High absenteeism due to a health crisis. |
Customer Support |
|
Technology Outage |
Failure of core banking application. |
Account Management |
Regulators are keen to understand why operational resilience scenario testing differs from traditional BCM testing. They may question whether it’s merely a replication of existing exercises.
To address this concern, organisations must ensure that their scenarios are not only high-impact but also unlikely to occur or remain probable.
It requires organisations to envision severe and improbable scenarios, a challenge that sometimes leads to disagreements between regulators and institutions.
Organisations can adopt various strategies to navigate these complexities. One approach combines multiple severe scenarios to create a layered, interconnected exercise.
For instance, an earthquake in one region and a widespread internet outage can test an organisation’s ability to handle multiple crises.
Scenario testing is a critical component of operational resilience, and it is essential for understanding and meeting regulatory expectations.
While the criteria for scenario selection may seem challenging, they serve a vital purpose in assessing an organisation’s ability to withstand severe disruptions.
As you embark on your scenario-testing journey, remember this is an evolving process. Collaboration with regulators, continuous learning, and a commitment to improvement will ultimately lead to more robust and effective operational resilience practices.
|
OR Planning Methodology Phases |
Plan | Implement | Sustain | ||
To learn more about the course and schedule, click the buttons below for the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.