Published on August 20, 2024
Financial institutions need to ensure that their protocols and plans are actually functional and meet the standards set out in regulatory compliance. Creating test scenarios to put to use is one of the most critical functions a company needs to undertake. So, what does a scenario test entail, and how does it help financial institutions and other industries prepare for the worst?
Scenario testing takes real-world scenarios and creates a hypothetical chain of events that could affect an end-user. We write test scenarios to ensure that operational resilience and business continuity plans can overcome any situation that might arise.
The testing process should not be a one-off activity. By analysing previous test cycles and examining what went well and what failed, you should be able to determine whether the current tests in place are strong enough for your business. Further analysis and change might be needed to meet the thresholds established by regulatory bodies such as the UK's Financial Conduct Authority, Prudential Regulation Authority, or the Bank of England.
Drills tend to be used by smaller firms. These tests are normally run internally and tend to be informal and team-based. They usually fall under asset-based testing, meaning that they test the resources of the company and what would happen if a crucial resource outage impacted the delivery of an important business service. They can help businesses identify the resilience of their continuity plans and the viability of the workarounds they have suggested.
Scenario-based desktop workshops tend to be run by third parties and can be a source of testing that is less resource-intensive than others. They often require staff to walk through a BCP or crisis management plan to see how it aligns with specific impact tolerances.
The Bank of England intends to hold a desktop stress test workshop in 2024.
Simulated stress test scenarios cover responses to severe but likely incidents that might affect business services. They can be run purely internally or can bring in external help.
Internal tests can focus on the reaction of staff and the resources currently under the control of the company. The data gathered from these events can then be used to test the viability of workarounds, and the overall impact on consumers.
External simulated stress tests run in much the same way as internal ones, but will typically involve a third-party provider as part of the procedure. This can also involve coordinating with specific third-party providers to see how a certain outage or incident might affect the partnership as a whole.
During a full live test, a scenario is created and run as if it is a real-time disruption and not a simulation. This is designed to establish whether or not a firm can remain within its impact tolerances (the maximum tolerable level of disruption to an important business service), and whether or not they are resilient enough to continue delivering their most important services despite the disruption.
Full live tests carry a lot of risk since they are designed to interrupt production. Live parallel tests test the firm's contingency arrangements instead, and so inherently carry less risk even though they are also carried out in real-time.
While real-life incidents are not scripted, they should not just be dealt with and then never thought of again. By analysing the data from real incidents, not just test scenarios, firms will gain valuable insights that they can build either into their existing tolerances and resilience plans or into future testing processes. This is especially important when a real-life vulnerability has been identified. The firm needs to ensure that this has either been successfully mitigated or that robust checks are in place to prevent further disruption.
All financial institutions will establish impact tolerances to help them combat the stresses that come with their industry. Major disruptions will happen regardless of how many tests or checks are in place, and a firm needs to know how its systems are going to be impacted. Whether it is a drop in communication, something unpredictable like a weather disaster, or any other high-level interruption, companies need to know how their processes will hold.
The scenario testing process allows firms to safely test their precautions and resilience plans. No operational resilience process should be put to the test for the first time in a genuine incident.
Many regulatory bodies also require firms to submit test results to guarantee that compliance standards are being met. Institutions may find themselves facing large fines and major sanctions for failure to comply.
Operational resilience and business continuity plans need to provide clear guidance when a company is faced with major events that will disrupt standard operations. These protocols must be easy to find and robust enough that they can address multiple vulnerabilities and pressure points.
Any and all policies must be easily accessible to relevant personnel. In the event of a crisis, these personnel should all be notified as quickly as possible so they can put the planned recovery program into action.
C2's Meridian software gives financial firms the power to do exactly that. Our interface is easy to use but allows even complex recovery plans to be logged. The system can invite participants to take part via email in a single click and can handle all communications surrounding your testing, to reduce any administrative burden on your team.
Book a demo today to find out how C2 can revolutionise your approach to scenario testing, operational resilience, and business continuity.
Resilience Manager at Continuity2
With an Honours degree in Risk Management from Glasgow Caledonian University and 6+ years in Business Risk and Resilience, Aimee looks after the design and implementation of Business Continuity Management Systems (BCMS) across all clients. From carrying out successful software deployments to achieving ISO 22301, Aimee helps make companies more resilient and their lives easier in the long run.