Chapter 12
Performing Scenario Testing – Stage 4 of the Implement Phase of BSN’s Operational Resilience Planning Methodology
In an increasingly complex and interconnected banking landscape, scenario testing emerges as a cornerstone of BSN’s operational resilience framework.
As part of the “Implement” phase of the Operational Resilience Planning Methodology, scenario testing enables Bank Simpanan Nasional (BSN) to examine how its critical business services perform under adverse, yet realistic conditions.
Unlike traditional continuity testing, scenario testing focuses on understanding the broader impact of disruptions on customer outcomes, regulatory obligations, and reputational standing.
At its core, this phase challenges the assumptions embedded within BSN’s response and recovery strategies. It bridges the gap between documented plans and real-world execution by assessing the practical resilience of business units, technology infrastructure, supply chains, and communication channels.
Scenario testing also fosters cross-functional learning, enhances crisis coordination, and ensures that impact tolerances—such as maximum tolerable downtime and customer harm thresholds—are not only defined but can be adhered to in practice.
For BSN, this proactive approach aligns with Bank Negara Malaysia's resilience requirements and reinforces public confidence in its services, even amidst turbulence.
Objectives of Scenario Testing
- Validate the resilience of critical business services under stress.
- Identify gaps in existing recovery capabilities and response procedures.
- Assess whether the recovery time objectives (RTOs) and impact tolerances are achievable.
- Strengthen cross-departmental coordination and decision-making processes during crises.
- Ensure alignment with regulatory expectations from Bank Negara Malaysia (BNM) and international resilience standards.
Key Implementation Steps
Step 1: Define Test Scope and Objectives
Begin by identifying the Critical Business Services (CBS) and functions to be tested. For BSN, these include:
- CBS-1 Retail Banking Services
- CBS-2 Government Aid and Disbursement Services
- CBS-3 ATM and Self-Service Banking Infrastructure
- CBS-4 Digital Banking (myBSN Online and Mobile Banking App)
- CBS-5 Loan Disbursement and Repayment Processing
- CBS-6 Agent Banking (BSN Banking Agents)
- CBS-7 Treasury and Liquidity Management
- CBS-8 Core Banking System (CBS Infrastructure)
- CBS-9 Customer Complaint and Dispute Resolution
- CBS-10 Regulatory Reporting and Compliance
Example:
For CBS-2 (Government Aid and Disbursement Services), BSN may set a scenario to test how well it can disburse emergency aid to beneficiaries during a national IT outage.
Step 2: Develop Severe but Plausible Scenarios
Construct realistic yet challenging scenarios that reflect BSN’s operational environment, risk landscape, and customer base. Scenarios to consider include:
- Cyberattacks targeting digital banking channels
- Widespread ATM network failure
- Regional data centre outage due to power grid collapse
- Third-party service provider disruption
- Simultaneous pandemic and social unrest
Example:
A coordinated cyberattack brings down both myBSN and ATM services across multiple regions. BSN tests how quickly it can reroute transactions through agent banking and restore digital services.
Step 3: Design the Scenario Exercise Format
Choose the appropriate format for the test:
- Tabletop Exercise (discussion-based simulation)
- Live Simulation/Walkthrough
- Technical Failover Testing
- Cross-functional Crisis Simulation
Example:
BSN conducts a tabletop exercise involving Digital Banking, IT, Customer Service, and Corporate Communications to simulate a ransomware attack affecting CBS-4.
Step 4: Identify Stakeholders and Roles
Ensure involvement from all relevant teams:
- Business Units: Retail, Loans, and Branch Operations
- IT and Cybersecurity
- Crisis Management and Risk Management
- Regulatory Liaison and Compliance
- Corporate Communications
- Vendors/Third-Party Providers (if applicable)
Example:
During a test of CBS-5 (Loan Disbursement), BSN involves system vendors and BNM liaison officers to assess response coordination.
Step 5: Execute the Test
Simulate the selected scenario under controlled conditions. Monitor actions taken, decisions made, and time taken to respond and recover.
Key elements to document include:
- Time to detect the incident
- Activation of crisis response
- Communication flow and escalation
- Recovery of impacted services
- Customer notification processes
Step 6: Observe, Record, and Evaluate
Assign observers to each functional area. Record actual vs. expected response times and note deviations from plans.
Example:
BSN finds that during the ATM disruption test, customer communication was delayed by 45 minutes due to unclear escalation protocols.
Step 7: Conduct Post-Test Debriefing
Hold a structured after-action review with all participants. Identify:
- What went well
- What did not work as intended
- Gaps in procedures, tools, or knowledge
- Immediate corrective actions required
Step 8: Document Lessons Learned and Update Plans
Incorporate improvements into Business Continuity Plans (BCPs), IT Disaster Recovery Plans (IT DRPs), and Operational Resilience Playbooks.
Example:
After testing a myBSN outage, BSN revises its communication SOP to include SMS alerts to customers when the mobile app is down for more than 15 minutes.
Step 9: Report to Management and Regulators
Summarise the outcomes of each test and report to senior management and, where applicable, to BNM. Include:
- Objectives vs. results
- Identified gaps
- Action plans with owners and deadlines
- Updated risk posture and control effectiveness
Table 12-1: Summary of Scenario Testing
| CBS | Critical Business Service | Scenario Description | Type of Test | Date Tested | Participants | Key Findings | Impact Tolerance Met? | Recommendations/Action Items |
|---|---|---|---|---|---|---|---|---|
| CBS-1 | Retail Banking Services | Sudden nationwide branch network outage due to power grid failure | Tabletop Simulation | 202X-06-10 | Branch Ops, IT Infra, Crisis Mgmt, Customer Comms | Branch contingency plans were delayed due to manual dependencies | No | Automate manual override; review branch SOPs |
| CBS-2 | Government Aid and Disbursement Services | Cyberattack delays processing of emergency fund transfers to B40 customers | Live Simulation | 202X-06-12 | Digital Ops, Treasury, IT Sec, Gov Liaisons | Incident escalation was efficient; the Gov agency was not updated in a timely manner | Partial | Integrate Gov channels into comms protocol |
| CBS-3 | ATM and Self-Service Banking Infrastructure | ATM network compromised by malware; 70% devices offline in urban areas | Technical Failover Testing | 202X-06-14 | ATM Vendor, IT Sec, Customer Care, Infra Support | Slow malware detection; response team overwhelmed | No | Improve SOC-ATM link; staff specialised response team |
| CBS-4 | Digital Banking (myBSN Online & Mobile App) | App inaccessible due to cloud provider API failure for 6 hours during peak usage | Tabletop + Technical Drill | 202X-06-16 | App Dev, Cloud Ops, Helpdesk, Social Media | Alternate channels activated; push notification delayed | Yes | Update app alert system; strengthen vendor SLAs |
| CBS-5 | Loan Disbursement and Repayment Processing | The loan module data was corrupted due to a failed patch rollout | Technical Walkthrough | 202X-06-18 | Loans, Core Banking, IT DevOps, QA | Recovery RTO met, but reconciliation lagged | Yes | Automate backup validation checks |
| CBS-6 | Agent Banking (BSN Banking Agents) | Remote agents are unable to sync transactions due to satellite link failure | Live Simulation | 202X-06-20 | Agent Network, IT Infra, Customer Support | Rural coverage was highly impacted; agents had no manual workaround | No | Issue paper-based fallback forms to all rural agents |
| CBS-7 | Treasury and Liquidity Management | Liquidity constraints due to the regional payment settlement system outage | Tabletop Simulation | 202X-06-22 | Treasury, Finance, Risk, BNM Liaison | Inadequate fallback arrangements for interbank transfers | No | Develop alternative liquidity sourcing procedures |
| CBS-8 | Core Banking System (CBS Infrastructure) | Sudden CBS core system crash during peak load on the salary disbursement day | Technical Failover Testing | 202X-06-24 | IT Infra, Core Banking, HR Payroll, Customer Service | Failover triggered successfully; delays in non-core modules | Yes | Isolate module dependencies; update recovery runbook |
| CBS-9 | Customer Complaint and Dispute Resolution | Surge in unresolved complaints due to prolonged digital outage | Tabletop Exercise | 202X-06-25 | Customer Experience, Legal, Ombudsman Liaison | Inadequate staffing for peak surge; no alternative escalation | No | Deploy temp complaint hotline; improve triage system |
| CBS-10 | Regulatory Reporting and Compliance | Data integrity compromised during automated reporting to BNM post-cyber incident | Walkthrough & Document Drill | 202X-06-26 | Compliance, IT Security, Legal, Reg Affairs | Incorrect data submitted; delay in regulator notification | No | Validate post-incident reporting checklist; auto alerts |
Summing Up ...
Scenario testing is more than a compliance requirement—it is a vital diagnostic tool that reveals the true strength and flexibility of Bank Simpanan Nasional's operational resilience framework.
Through the deliberate application of stress on critical business services, BSN can simulate high-impact events, observe real-time reactions, and validate the robustness of its response capabilities.
Each exercise, regardless of outcome, contributes to a feedback loop that strengthens procedures, enhances staff competencies, and fortifies BSN’s promise to remain reliable, even under stress.
As BSN continues to innovate and expand its service delivery channels—especially in digital and rural agent-based banking—scenario testing must evolve accordingly.
Periodic exercises, incorporating new threat vectors and stakeholder complexities, will ensure that BSN's resilience posture remains aligned with national expectations, international standards, and the expectations of millions of Malaysians who rely on it.
Ultimately, scenario testing is the proving ground for trust—and it is this trust that anchors BSN’s mission in both crisis and continuity.
Operational Resilience for Financial Services: The BSN Malaysia Approach
"Implement" Phase of the Operational Resilience Planning Methodology