Why firms should increase the sophistication of their scenario planning over time

Companies and individuals have never been more globally interconnected. The world is becoming riskier, more digitised and under more scrutiny than ever before.

All these factors have meant the nature and severity of risks companies are facing is evolving rapidly, resulting in more operational incidents including cyber attacks, pandemics and geopolitical events.

Scenario planning has a key role to play in allowing you to operate effectively in this environment.

Done correctly it will allow you to identify risks to your organisation, ensure your risk treatment is effective and allow you to practice and refine your response and recovery to a risk event.

Scenario planning should involve all levels of the organisation, including the C-suite. There are a number of benefits including:

  • Proactively identifying and mitigating risks to prevent an operational incident occurring in the first place;
  • Practicing and continually improving your ability to respond and recover from operational incidents in a timely and effective manner (because these events will happen);
  • Ensuring you operate with integrity and comply with relevant regulation, and
  • Being in control, so that when an incident occurs, you know you can respond appropriately. By having this comfort, you can instil confidence in colleagues, customers and regulators.

When implementing scenario testing it is important to understand what outcomes you are trying to deliver and the people, technology, third parties, information (data), processes and facilities that enable this delivery. Essentially, what are the ‘crown jewels’ you are seeking to protect.

It helps to formulate a list of ‘severe but plausible’ scenarios you wish to test. What are the scenarios that might impact your ability to deliver these key customer outcomes? Start small and increase sophistication.

For instance, you might start with a small desktop exercise to walkthrough your response to a ransomware attack. Over time, increase this sophistication to include secondary events such as customer data leakage or destruction. Move from desktop walkthrough to more sophisticated testing (eg war games / no notice tests).

If you have critical third parties involved in delivering key customer outcomes, then include them in your scenario testing. Ensure you have experienced facilitators and all improvements captured are monitored. The CEO and senior leadership should be actively involved at every stage.

Putting scenario testing into practice

We worked with a financial services firm that had previously undertaken basic desktop scenario tests but had found when incidents occurred response and recovery activities weren’t coordinated and communications were disjointed. Below is an outline of the five-step approach we undertook to enhance scenario testing.

1. Determine the scenario – we consulted with business stakeholders and determined a list of ‘severe but plausible’ scenarios we wished to test over a period of time. These were designed to test the organisation’s ability to respond and recover - they weren’t scenarios we knew we could easily respond to.

2. Planning – a lot of effort went into this to ensure we got the required benefits. Objectives and roles were set and agreed with senior management. We gathered data on existing processes (KPIs / SLAs etc) as well as risk data and information on known vulnerabilities. This allowed us to ensure everyone was briefed in advance and we had a ‘runbook’ for the event (which of course was not shared in advance).

3. Execute the test – During the test we leveraged the run book to ensure we robustly tested the process. We referred to the data collected prior to the event such as process maps, known vulnerabilities, recovery time objectives / impact tolerances to ensure they were all accurate and to identify any unknown vulnerabilities.

4. Identify resilience improvement options – this was carried out over two sessions. The first session we held within 24 hours to reflect on any vulnerabilities identified. The second was held a few days later was to reflect on the process and the experience to identify lessons learned for future tests.

5. Test completion report – finally we documented the identified vulnerabilities (there were over 10) and the lessons learned (there were 6) and the report was circulated and approved. The actions were then tracked through existing risk management processes.

Ultimately the client executed a robust scenario test and identified vulnerabilities to remediate. Equally importantly, senior management and the team increased their capability in executing response, recovery and communication plans.

Future planning

As mentioned, firms should look to increase sophistication over time. Technology has a key role to play in this maturity and will allow you to:

  • Capture all your policy, risk, control and resilience information in one place:
  • Have real time reporting on your organisations risk position and proactive reporting that allows you to have a forward-looking view on risks, and
  • Automated and continuous scenario testing to identify any vulnerabilities. For example: if you introduce a change the technology automatically runs ‘what if’ scenarios to identify vulnerabilities.

All firms should have a strategy related to risk management technology and automated and continuous scenario testing should be a core part of it.

To sum up, scenario testing is a very powerful discipline that gives you peace of mind that risks are being proactively identified and managed and you have robust response, recovery and communications capabilities in place.

You should be conducting robust scenario testing now and over time look to move to continuous and automated scenario testing.

Stuart Birnie is operational risk and resilience subject matter expert at whyaye.