Operational Resilience: Scenario Testing

How should firms be preparing themselves?

Operational Resilience has been highlighted as a key issue by the FCA and the PRA since the discussion and consultation papers in 2018 and 2019. The new rules will be effective from 31 March 2022 for all in-scope firms.

Regulatory priorities and expectations are clear, but plans have been met with several challenges for many institutions.

This edition focuses on the requirements for scenario testing. With two weeks to go, the first operational resilience deadline is upon us.

Organisations need to take practical steps to demonstrate their readiness including:

Timeline

Purpose of Scenario Testing

The purpose of Scenario Testing is to test a firm’s ability to remain within impact tolerances in a range of severe but plausible disruption scenarios, focusing on recovery and response arrangements (rather than preventative measures). This should enable firms to obtain assurance on the resilience of their important business services and identify where they might need to act to increase their operational resilience.

It is not necessarily the objective of scenario testing to try and prove that, regardless of the scenario, an important business service can always be maintained within tolerance; but rather to understand under which scenarios a firm would not be able to deliver its important business services.

These are the scenarios which would particularly need to be discussed with the Board and Senior Managers to determine whether it would be acceptable or not, in their view, not to be able to recover within Impact Tolerances. Where this is deemed unacceptable, the Board must determine prioritised investment decisions to allow recovery within tolerance to be achieved.

Regulatory expectations for Scenario Testing

regular testing

Firms are required to regularly test their ability to remain within impact tolerances in severe but plausible disruption scenarios. Regulators expect firms to develop a testing plan that details how they will gain assurance that they can remain within impact tolerances for important business services.

severe but plausible scenarios

Firms should identify the severe but plausible scenarios they use for testing. When setting scenarios, firms could consider previous incidents or near misses within the organisation, across the financial sector, and in other sectors and jurisdictions.

documentation

As part of the written self-assessment of Operational Resilience compliance, firms should document details of their scenario testing, including assumptions made in relation to scenario design and any identified risks to the firm’s ability to remain within impact tolerances.

important business services


PROPORTIONALITY

The nature and frequency of a firm’s testing should be proportionate to the potential impact that disruption could cause and whether the operational resources supporting an important business service have materially changed.

BEYOND SEVERE OR IMPLAUSIBLE

It would not be proportionate to require firms to be able to remain within impact tolerances in circumstances which are beyond severe or implausible. There will be scenarios where firms find they could not deliver a particular important business service within their impact tolerance. For example, if essential infrastructure (such as power, transport, or telecommunications) were unavailable.

RANGE OF SCENARIOS

Firms should test a range of scenarios, including those in which they anticipate exceeding their impact tolerance. Understanding the circumstances where it is impossible to stay within an impact tolerance will provide useful information to firms’ management and to their supervisors. Boards and senior management will need to judge whether failing to remain within the impact tolerance in specific scenarios is acceptable and be able to explain their reasoning to supervisors.

CONTRACTUAL AGREEMENTS

Regulators expect contractual agreements for material outsourcing arrangements to include requirements for both parties to implement and test business contingency plans. For the firm, these should take account of firms’ impact tolerances for important business services. Firms’ business continuity and exit plans for material outsourcing arrangements should align to, support, or even be a component of firms’ scenario testing for operational resilience.

SOPHISTICATION

Firms are expected to develop the sophistication of their scenario testing over time as they develop operational resilience for each important business service. Over time, firms would be expected to test against more severe but plausible scenarios, proportionate to the firm and the degree of operational resilience each important business service has.

Testing frequency

  • There is a material change to the firm’s business, the important business services identified or impact tolerances
  • Following improvements made by the firm in response to a previous test
  • In any event, on a regular basis.

Points for Attention and Key Considerations

MULTIPLE SCENARIO TESTING EXERCISES

Firms will need to plan to carry out multiple scenario testing exercises ahead of the first Self-Assessment, ready for Board sign-off.

Prioritising

Firms should allow plenty of time to conduct scenario tests and start early. When prioritising important business services for testing, firms should consider the relative risk they pose to financial stability, safety and soundness.

probability

As impact tolerances are set on the assumption that disruptions will occur, firms are not expected to devote too much time to considering the relative probability of incidents occurring.

realistic assumptions

A testing plan should include realistic assumptions and evolve as the firm learns from previous testing. The severity of scenarios used by firms for their testing could be varied by increasing the number or type of resources unavailable for delivering the important business service, or extending the period for which a particular resource is unavailable. The mapping work will be useful in informing how firms’ scenarios could be made more difficult.

testing plan

When developing a testing plan, firms may wish to consider the following:

Testing Plan

pragmatic approach

Firms should take a pragmatic approach to testing, focusing on insights from the exercise and not dedicating disproportionate resource to quantifying every permutation.

existing scenario libraries

Firms may be able to leverage any previous incidents or near misses and existing scenario libraries from other activities such as operational risk, ICAAP, stress testing or business continuity. Those scenarios can be enriched and tailored to cover firm-specific important business services using the elements of potential impact from the mapping exercise (people, processes, technology, facilities and information).

The differences

This being said, in many ways, scenario testing is different from business continuity (BCP), disaster recovery (DRP) or financial stress testing. BCP or DRP testing:

Operational Resilience

Scenario Testing Approaches

A range of testing approaches are being used by firms and the choice is being informed by the degree of maturity of each firm’s operational resilience programme.

Scenario Approaches
