Operational Resilience has been a hot topic ever since the original 2018 FCA, PRA and Bank of England’s Discussion Paper and first critical deadline of March 2022. Until now, however, most of the focus has been around developing methodologies and preparing documentation to meet the initial deadline. Now it’s time for firms to bring Operational Resilience to life. That means less talk and more action, starting small and simple – and starting now.
Our series of short articles provides practical guidance based on our real-life experience to help you work out what you need to do next.
Many firms are struggling with scenario testing. ‘Where do we start?’ ‘Isn’t it just BCP testing?’ ‘How do we link this to our impact tolerances?’ are just some of the questions our clients ask.
Scenario testing is often left to the last minute, because of perceived complexity and challenging logistics. But it shouldn’t be difficult. It should be practical and, believe it or not, enjoyable.
Having said that, firms’ hesitation is no surprise; this is an activity many have not had to consider before, and which can feel unnatural and challenging to navigate. Even so, it is better to start somewhere and risk getting it wrong than to prevaricate. Firms learn from mistakes and such learning should be embraced.
Starting simple is the key to success.
Start simple, start small
The purpose of scenario testing is to emulate severe but plausible real-life scenarios. We encourage firms to look at the disruptions that can already occur within their day-to-day activities. Firms should consider using an overarching scenario, which can then be complicated by a series of smaller events. Firms also should not be afraid to draw upon business continuity and disaster recovery plans and leverage existing work undertaken. These can provide ready-made foundations for scenarios with minimal initial planning required, and can be matured over time.
Scenario testing should not be over-generated or over-thought; that is unnecessary – and even more importantly, not what the regulator initially expects. Starting simple allows firms to build up to a level where they can handle growing complexity. You could begin with mostly desk-based testing where participants talk through what they would do and start to introduce some initial simulation – in other words, actually create the reports that are described as part of the desk-based test. As your firm begins to mature and stakeholders start to become familiar with the testing format, you can then begin to move towards simulation and increasing levels of complexity.
Starting small also allows firms (and their staff) not to be daunted, but rather to grow and ensure participants are comfortable with the process. Firms could consider:
- Starting with a fully virtual testing format, for example calling people into a virtual meeting as and when required. We find this works well as a way of getting colleagues engaged and exposed to testing.
- Making sessions hybrid or even fully in person as you develop your approach and as knowledge and exposure to testing increases.
In practice, we have found that running a scenario test creates tangible actions and lessons learnt that motivate firms. It is all too easy to get lost in documents and procedures and a scenario test provides the perfect environment to explore just how prepared your company really is for a disruption. A strong feedback loop should also be in place – not just highlighting known vulnerabilities, but also identifying those previously unknown:
Common themes we see emerging from scenario testing include:
- Stakeholders not invoking the appropriate incident plan (even though the firm believed these to have been embedded and well communicated).
- Stakeholders not involving the right people in the incident (often due to the increased pressure felt in the testing environment).
- Not considering the wider context of the overarching scenario or other events.
- Key person dependencies that had not already been identified.
Although firms may initially feel intimidated and overwhelmed, our client feedback has confirmed that the general sentiment is that they found the process much more enjoyable than they originally thought. Instead of being a chore, the process taught them important lessons and challenged their thinking. After all, it’s fine to believe you have a strong incident management process, but if it isn’t properly used in practice, what’s the point? Evoking this resilient way of thinking is invaluable and essential to embedding a resilient culture within the business.
Scenario testing is not about a pass or fail, nor just a ‘test’ of participants’ knowledge or a firm’s protocols. It is an effective way of bringing to life your Operational Resilience framework that creates a valuable feedback mechanism, which in turn allows you to build and grow a resilient culture.
At Sionic, we have pragmatic expertise and practical experience in constructing and conducting Operational Resilience scenario testing. What are your experiences?
If you would like an informal discussion about how we can help your business, please contact us.
Read more on this topic
- Making Operational Resilience real
- Sionic Operational Resilience Market Insights Survey 2022
- Sionic Discusses Operational Resilience with Funds Europe
- Sionic Signals – Operational Resilience asset management survey and forum findings
- Enhancing Operational Resilience – regulatory burden or just good business practice?