By March 2025, in-scope firms must have fully captured, in their up-to-date self-assessment document, testing plans that detail how they can remain within impact tolerances for each of their important business services.
Firms must have identified severe but plausible scenarios across an appropriate range of adverse circumstances, varying in nature, severity, and duration, that are aligned to their risks and vulnerabilities. Fortunately, the Regulators have been quite specific about what they mean by this and the evidence they expect to see.
Key Features of an “effective” scenario testing plan
Severe but plausible scenarios: firms should consider, at a minimum, these scenarios:
corruption, deletion or manipulation of data critical to the delivery of its IBS.
unavailability of facilities or key people.
unavailability of third-party services, which are critical to the delivery of its IBS.
disruption to other market participants, where applicable.
loss or reduced provision of technology underpinning the delivery of IBS.
Scenario testing and mapping should have matured and developed in sophistication throughout the transition period, enabling greater understanding of resilience capabilities.
Effective testing will have incrementally increased the severity of disruption, by increasing both the number/type of resources unavailable and the length of the disruption period, to fully understand the effectiveness of the associated response and recovery plan.
This testing enables firms to understand the severity at which they are no longer able to remain within impact tolerance and, in doing so, to understand the full impact of the disruption and any vulnerabilities that need to be remediated.
Firms should also mature the format and type of testing used to understand the resilience of their organisation. Scenario testing should be evolving from judgment-based, desk-based scenario tests to a wider range of testing that provides empirical data including, but not limited to:
penetration tests
disaster recovery/fail over tests
simulations
lessons learned from real scenarios
The inclusion of third parties in testing should help ensure firms understand their capability to remain within their impact tolerance.
Testing of a third party’s resilience can be undertaken by the third party itself, but firms need to be satisfied that the third party’s methodology and tested scenarios are appropriate and sufficient for the firm’s requirements.
The challenge a lot of firms face is finding the time and resources to organise a simulation exercise that involves a key third-party supplier. That is where Aldbury International can help. To find out how, contact us.