January 30, 2021

Testing for the Worst: Scenario Testing and Simulations to Ensure Resilience

An operational resilience framework is only effective if it works under pressure. Firms should conduct regular scenario testing to put their framework to the test and ensure they comply with regulatory expectations, such as the UK FCA’s PS21/3 Building Operational Resilience rules. The process of simulating severe but plausible scenarios is the best way to identify vulnerabilities and validate the firm’s impact tolerance thresholds. Scenario testing demonstrates the firm’s ability to withstand a major disruption and is required by policies.

How Can Firms Utilise Severe But Plausible Scenarios?

Firms must develop a robust scenario testing plan that is directly linked to their stated impact tolerances. This involves identifying a number of severe but plausible scenarios that cover various circumstances, including different levels of severity, duration and type of disruption. For these scenarios to be categorised as severe, they must be likely to cause disruption and, if not managed properly, to have a devastating impact on the firm. Firms can align their scenario planning to target specific vulnerabilities that they have identified through mapping processes, and the FCA suggests a range of typical scenarios that can be used as a foundation to build upon.

The outcome of these scenario planning exercises should be the collection of empirical data gathered from several testing formats. According to the FCA, firms are expected to evolve beyond simple, desk-based exercises to include more rigorous tests such as penetration tests, disaster recovery and failover tests, simulations and lessons learned from real scenarios. This data will provide clear evidence of the firm’s resilience capabilities in the event of any of these scenarios. To maintain the efficacy of this process, firms should regularly update their scenario testing in line with impact tolerances, lessons learned and in response to emerging threats.

Resilience Testing for Scenario Planning

There are several testing methods that firms can use to build up a comprehensive overview of their resilience capabilities. A mature testing programme will use an incremental approach, starting with the simpler tests, such as desk-based walkthroughs. These bring stakeholders together in a workshop setting to simulate several scenarios through organised, strategic conversations in which they consider a range of potential outcomes. This form of exercise can provide useful insights without disrupting day-to-day operations, and it can be run before more complex simulations are developed.

Once the desk-based walkthrough has been completed, the next step is to move on to controlled technical simulations. This could involve simulating the shutting down of access to a backup centre or losing critical functions while operating. For cyber threats, Threat-Led Penetration Testing (TLPT) can be used to simulate a cyber attack. These tests must also assess the resilience of critical third parties to ensure the entire supply chain has sufficient capabilities to support the firm in remaining within its impact tolerance levels and that no situation becomes intolerable.

Building Resilient Outcomes from Scenario Planning

The goal of scenario planning and conducting realistic simulations is to pre-empt any future adverse conditions and ensure that the firm can tolerate and minimise such disruptions. For this reason, firms should formalise the lessons learned through these simulations by documenting every pass or fail and creating a comprehensive inventory of what worked to resolve the situation. Firms must then assign ownership of each vulnerability identified and create detailed remediation plans with clear accountability. The results of all testing and updates on remedial plans should be included in governance reports for the board and senior management, providing them with an accurate view of the firm’s operational resilience capabilities.

Resilience testing and scenario planning are central to an effective operational resilience framework. Through simulating severe but plausible scenarios, firms can collect the empirical evidence needed to identify gaps and vulnerabilities. The lessons learned from these exercises must then be formalised into robust remediation plans to ensure that the firm continuously strengthens its resilience for future major disruptions.

Is your resilience framework ready for a real-world crisis?

Speak to our experts today to run severe-but-plausible simulations and identify vulnerabilities before disruption strikes.
