Menu Close

Regulatory expectations for Scenario Testing


regular testing

Firms are required to regularly test their ability to remain within impact tolerances in severe but plausible disruption scenarios. Regulators expect firms to develop a testing plan that details how they will gain assurance that they can remain within impact tolerances for important business services.

severe but plausible scenarios

Firms should identify the severe but plausible scenarios they use for testing. When setting scenarios, firms could consider previous incidents or near misses within the organisation, across the financial sector, and in other sectors and jurisdictions.

documentation

As part of the written self-assessment of Operational Resilience compliance, firms should document details of their scenario testing, including assumptions made in relation to scenario design and any identified risks to the firm’s ability to remain within impact tolerances.

important business services

When considering the important business services to prioritise for testing, firms should consider the relative risk they pose to financial stability (if applicable), safety and soundness, and (in the case of insurers) the appropriate degree of policyholder protection.

PROPORTIONALITY

The nature and frequency of a firm’s testing should be proportionate to the potential impact that disruption could cause and whether the operational resources supporting an important business service have materially changed.

BEYOND SEVERE OR IMPLAUSIBLE

It would not be proportionate to require firms to be able to remain within impact tolerances in circumstances which are beyond severe or implausible. There will be scenarios where firms find they could not deliver a particular important business service within their impact tolerance. For example, if essential infrastructure (such as power, transport, or telecommunications) were unavailable.

RANGE OF SCENARIOS

Firms should test a range of scenarios, including those in which they anticipate exceeding their impact tolerance. Understanding the circumstances where it is impossible to stay within an impact tolerance will provide useful information to firms’ management and to their supervisors. Boards and senior management will need to judge whether failing to remain within the impact tolerance in specific scenarios is acceptable and be able to explain their reasoning to supervisors.

CONTRACTUAL AGREEMENTS

Regulators expect contractual agreements for material outsourcing arrangements to include requirements for both parties to implement and test business contingency plans. For the firm, these should take account of firms’ impact tolerances for important business services. Firms’ business continuity and exit plans for material outsourcing arrangements should align to, support, or even be a component of firms’ scenario testing for operational resilience.

SOPHISTICATION

Firms are expected to develop the sophistication of their scenario testing over time as they develop operational resilience for each important business service. Over time, firms would be expected to test against more severe but plausible scenarios, proportionate to the firm and the degree of operational resilience each important business service has.

Testing frequency

Firms are required to scenario test when:

  • There is a material change to the firm’s business, the important business services identified or impact tolerances
  • Following improvements made by the firm in response to a previous test
  • In any event, on a regular basis.

Have you read our responses behind other key questions in the series?  You can view them by clicking on the links to the pages below: