Regulatory expectations for Scenario Testing
Firms are required to regularly test their ability to remain within impact tolerances in severe but plausible disruption scenarios. Regulators expect firms to develop a testing plan that details how they will gain assurance that they can remain within impact tolerances for important business services.
SEVERE BUT PLAUSIBLE SCENARIOS
Firms should identify the severe but plausible scenarios they use for testing. When setting scenarios, firms could consider previous incidents or near misses within the organisation, across the financial sector, and in other sectors and jurisdictions.
As part of the written self-assessment of Operational Resilience compliance, firms should document details of their scenario testing, including assumptions made in relation to scenario design and any identified risks to the firm’s ability to remain within impact tolerances.
IMPORTANT BUSINESS SERVICES
When considering the important business services to prioritise for testing, firms should consider the relative risk they pose to financial stability (if applicable), safety and soundness, and (in the case of insurers) the appropriate degree of policyholder protection.
The nature and frequency of a firm’s testing should be proportionate to the potential impact that disruption could cause and whether the operational resources supporting an important business service have materially changed.
BEYOND SEVERE OR IMPLAUSIBLE
It would not be proportionate to require firms to be able to remain within impact tolerances in circumstances which are beyond severe or implausible. There will be scenarios where firms find they could not deliver a particular important business service within their impact tolerance, for example if essential infrastructure (such as power, transport, or telecommunications) were unavailable.
RANGE OF SCENARIOS
Firms should test a range of scenarios, including those in which they anticipate exceeding their impact tolerance. Understanding the circumstances where it is impossible to stay within an impact tolerance will provide useful information to firms’ management and to their supervisors. Boards and senior management will need to judge whether failing to remain within the impact tolerance in specific scenarios is acceptable and be able to explain their reasoning to supervisors.
Regulators expect contractual agreements for material outsourcing arrangements to include requirements for both parties to implement and test business contingency plans. For the firm, these plans should take account of its impact tolerances for important business services. Firms’ business continuity and exit plans for material outsourcing arrangements should align to, support, or even be a component of firms’ scenario testing for operational resilience.
Firms are expected to develop the sophistication of their scenario testing over time as they develop operational resilience for each important business service. Over time, firms would be expected to test against more severe but plausible scenarios, proportionate to the firm and the degree of operational resilience each important business service has.
Firms are required to carry out scenario testing:
- When there is a material change to the firm’s business, the important business services identified, or impact tolerances
- Following improvements made by the firm in response to a previous test
- In any event, on a regular basis.