6
Scenario testing
6.1
The Operational Resilience Parts[22] require firms to test regularly their ability to remain within impact tolerances in severe but plausible disruption scenarios. Impact tolerances assume a disruption has occurred, and so testing the ability to remain within impact tolerances should not focus on preventing incidents from occurring. The PRA expects firms to focus on recovery and response arrangements.
Footnotes
- 22. Operational Resilience 5.1, Insurance – Operational Resilience 5.1.
- 31/03/2022
6.2
Firms should identify the severe but plausible scenarios they use for testing. When setting scenarios, firms could consider previous incidents or near misses within the organisation, across the financial sector, and in other sectors and jurisdictions. A testing plan should include realistic assumptions and evolve as the firm learns from previous testing.
- 31/03/2022
6.3
The Operational Resilience Parts[23] require firms to prepare a written self-assessment of compliance with the Operational Resilience Parts. The PRA expects firms to document details of their scenario testing, including assumptions made in relation to scenario design and any identified risks to the firm’s ability to remain within impact tolerances.
Footnotes
- 23. Operational Resilience 6.1, Insurance – Operational Resilience 6.1.
- 31/03/2022
6.4
Over time, the PRA expects a firm’s scenario testing to become more sophisticated as firms develop operational resilience for each important business service. Firms would be expected to test against more severe but plausible scenarios, proportionate to the firm and the degree of operational resilience each important business service has.
- 31/03/2022
6.5
When considering the important business services to prioritise for testing, firms should consider the relative risk they pose to financial stability (if applicable), safety and soundness, and (in the case of insurers) the appropriate degree of policyholder protection.
- 31/03/2022
6.6
The PRA expects firms to develop a testing plan that details how they will gain assurance that they can remain within impact tolerances for important business services. The nature and frequency of a firm’s testing should be proportionate to the potential impact that disruption could cause and whether the operational resources supporting an important business service have materially changed. When developing a testing plan, firms should consider the following:
- the type of scenario testing, which may include paper-based assessments, simulations, or live-systems testing;
- the frequency of the scenario testing – firms that implement changes to their operations more frequently should undertake more frequent scenario testing;
- the number of important business services tested – firms that have identified more important business services should undertake more scenario testing to reflect this; and
- testing the availability and integrity of resources – impact tolerances are concerned with the continued provision of important business services. An important business service that can continue to be provided but has insufficient integrity is not within the impact tolerance. Firms should test their recovery plans for both availability and integrity scenarios, proportionate to their size and complexity; and
- how their environment is changing and whether this will give rise to different vulnerabilities.
- 31/03/2022
6.7
Scenario testing should not pose a material risk of creating a disruption. Where firms consider that live-systems testing is most appropriate for scenario testing their ability to remain within impact tolerances, firms should assess the risk that the scenario testing may create a disruption to the delivery of important business services. The PRA’s Fundamental Rules[24] will remain relevant to decision making for how firms approach their scenario testing. Firms should conduct scenario testing with due skill, care, and diligence, act prudently, have effective risk strategies and risk management, and control their affairs responsibly and effectively.
Footnotes
- 24. Fundamental Rules 2, 3, 5, and 6 are particularly relevant for this example.
- 31/03/2022
6.8
The entire chain of activities that have been identified as the important business service should be considered when developing testing plans.
- 31/03/2022
6.9
The severity of scenarios used by firms for their testing could be varied by increasing the number or type of resources unavailable for delivering the important business service, or extending the period for which a particular resource is unavailable. The mapping work that firms will undertake is likely to be useful in informing them how their scenarios could be made more difficult.
- 31/03/2022
6.10
The PRA recognises that it would not be proportionate to require firms to be able to remain within impact tolerances in circumstances which are beyond severe or implausible. There will be scenarios where firms find they could not deliver a particular important business service within their impact tolerance. For example, if essential infrastructure (such as power, transport, or telecommunications) were unavailable, some firms may not be able to deliver their important business services within their impact tolerance.
- 31/03/2022
6.11
As impact tolerances are set on the assumption that disruptions will occur, the PRA does not expect firms to devote too much time to considering the relative probability of incidents occurring.
- 31/03/2022
6.12
Firms should test a range of scenarios, including those in which they anticipate exceeding their impact tolerance. Understanding the circumstances where it is impossible to stay within an impact tolerance will provide useful information to firms’ management and to their supervisors. Boards and senior management will need to judge whether failing to remain within the impact tolerance in specific scenarios is acceptable and be able to explain their reasoning to supervisors.
- 31/03/2022
6.13
Chapters 5 to 10 of SS2/21 set out detailed expectations on how firms should perform due diligence and obtain effective and proportionate assurance from third parties, including through scenario testing. In particular, the PRA expects contractual agreements for material outsourcing arrangements to include ‘requirements for both parties to implement and test business contingency plans. For the firm, these should take account of firms’ impact tolerances for important business services. Where appropriate, both parties should commit to take reasonable steps to support the testing of such plans’. SS2/21 further notes that firms’ business continuity and exit plans for material outsourcing arrangements should ‘where possible and relevant … align to, support, or even be a component of firms’ scenario testing for operational resilience. For instance, one of the severe but plausible scenarios that firms may select for this testing could involve a failure or disruption at a third party, or their supply chain, based on previous incidents or near misses within the organisation, across the financial sector, and in other sectors and jurisdictions’.
- 31/03/2022