Operational Resilience Series
BGBann_Playbook_Crisis Management

[OR] [P2-S4] What is Scenario Testing in Operational Resilience?

Scenario Testing aims to test and exercise the organisation's ability to maintain its critical business services within the approved impact tolerances.

These test scenarios are selected from several severe but plausible disruption scenarios.  It should focus on recovery and response arrangements rather than preventative measures.

The organisation can have assurance that its critical business services' operational resilience or OR capability meets the impact tolerable once it is tested.  The key is to ensure that there is a follow-up to improve its operational resilience effort continuously.

This is the introductory blog [OR-P2-S4] to Stage 4 of the "IMPLEMENT" phase of the OR Planning Methodology.  It is a pre-reading for participants attending the Operational Resilience Implementer/ Expert Implementer course.

Moh Heng Goh
Operational Resilience Certified Planner-Specialist-Expert

New call-to-actionWhat is Scenario Testing?

Scenario Testing aims to test the organisation's ability to remain within impact tolerances in severe but plausible disruption scenarios, focusing on recovery and response arrangements rather than preventative measures.

 

New call-to-actionTraditional Scenario Versus Impact Tolerance Scenario Test

Conventional operational risk scenarios focus on risk prevention and use Key Risk Indicators (KRIs), Keep customers informed (KCIs), and Risk Control Self Assessments (RCSAs) to understand risk and control effectiveness. 

Impact tolerance assumes a service disruption has occurred, so operational resilience scenarios test an organisation’s ability to stay within tolerance and focus on response and recovery actions. 

New call-to-actionWhy Scenario Test?

Testing is crucial to assess an organisation's impact tolerances and determine if its incident response is fit for purpose. This ensures the firm can recover the business service within the defined impact tolerance.

New call-to-actionTesting gives the organisation a clear understanding of the severe but plausible scenarios. This is where an organisation can be sure whether that can or cannot meet the set impact tolerances.

Testing helps an organisation understand that it cannot deliver these critical business services within the impact tolerances if these scenarios occur.

What is the Board's Involvement?

BCMPedia Operational Resilience

The Board must be informed of scenarios that may not meet the impact scenario.

They must ascertain whether prioritised investment decisions are required to address findings from scenarios where organisations would breach their impact tolerances.

How to Perform Scenario Testing?

Scenario testing allows organisations to assess their operational resilience by simulating various disruptive events and evaluating their responses.  The following steps outline the process:

Define Scenarios
  • Develop a range of realistic scenarios representing potential operational disruptions.
  • Consider various factors such as cyber-attacks, natural disasters, system failures, supply chain disruptions, and regulatory changes.
Assess Impact
  • Evaluate the potential impact of each scenario on critical business services, systems, processes, and stakeholders.
  • Consider financial, operational, reputational, and customer impacts.
Conduct Testing
  • Simulate each scenario and observe how the organisation's operational resilience measures and response plans perform.
    • This may involve tabletop exercises, simulations, or real-time testing of specific systems or processes.
Evaluate Responses
  • Analyse the organisation's response to each scenario, including the effectiveness of incident management, communication, and recovery strategies.
  • Identify strengths, weaknesses, and areas for improvement.
Document Lessons Learned
  • Document the lessons learned from each scenario test, including successful strategies, areas of improvement, and recommendations for enhancing operational resilience.

 

  Definition Key Activities Definition  
  Scenario Testing Testing helps an organisation understand that it cannot deliver these critical business services within the impact tolerances if these scenarios occur. New call-to-action  
  Document Scenario Test Finding

Organisations should document:

  • Details of their scenario testing
  • Assumptions made about scenario design 
  • Identified risks to the organisation's ability to stay within impact tolerances.

This is needed for the self-assessment and compliance to be discussed in the "Sustain" phase.

   
  Severe but plausible scenarios

Identify the severe but plausible scenarios they use for testing. 

Consider past incidents or near misses within the organisation, industry, and other sectors and jurisdictions when setting scenarios.

New call-to-action  
  Scenario Library

Create scenarios from an existing scenario library based on activities such as operational risk, industry-specific testing exercises, stress testing, or business continuity.

Using the elements of potential impact from the mapping processes and resources exercise, identify scenarios that can be enhanced and tailored to cover specific critical business services.

New call-to-action  
  Type of Test These are the different types of tests.
  • Individual Component Testing/ Exercising
  • Integrated Test
  • Combined Component Testing/ Exercising
New call-to-action  
  Difference between OR and BC Tests and Exercises

Existing testing strategies can be used for scenario testing.  However, it is essential to understand that scenario testing differs from business continuity, disaster recovery or financial stress testing.

An OR end-to-end business service resilience test approach needs to be applied. This approach shifts the focus to determining where the point of intolerable harm is reached in severe but plausible scenarios.

Most BC or DR testing centres around mitigating harm to the organisation. The change is that the regulators require organisations to consider preventing intolerable harm to consumer.

New call-to-action
 
   

 

   
"Implement" Phase of the OR Planning Methodology
Identify Important Business Services Map Processes and Resources

Set Impact Tolerance

Conduct Scenario Testing Improve Lesson Learnt  
New call-to-action

New call-to-action

New call-to-action New call-to-action New call-to-action  

 

More Information About Operational Resilience OR-5000 [BL-OR-5] or OR-300 [BL-OR-3] Course

To learn more about the course and schedule, click the buttons below for the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.

BL-OR-3 Register Now BL-OR-3_Tell Me More BL-OR-3_View Schedule
BL-OR-5_Register Now BL-OR-5_Tell Me More  [BL-OR] [3-4-5] View Schedule
[BL-OR] [3] FAQ OR-300

If you have any questions, click to contact us.Email to Sales Team [BCM Institute]

FAQ BL-OR-5 OR-5000
OR Implementer Landing Page

New call-to-action

New call-to-action

Comments:

 

More Posts

New Call-to-action