Operational Resilience Update - Scenario Testing

Under Operational Resilience, firms must develop and maintain robust testing plans to ensure they remain within impact tolerances for each important business service. These plans should identify severe but plausible scenarios across various adverse conditions, reflecting risks and vulnerabilities. This information is crucial for a firm’s governing body and senior management to develop well-funded plans to address vulnerabilities.

Effective scenario testing should evolve in sophistication, considering scenarios from the FCA’s regulatory Handbook and incrementally increasing disruption severity. This includes increasing unavailable resources and extending disruption periods to assess the response and recovery plan's effectiveness. Testing should help firms to understand when they can no longer stay within impact tolerance, revealing the full impact of disruptions and necessary remediation.

Mature testing formats should move beyond judgment-based tests to empirical data from penetration tests, disaster recovery, simulations, and real scenario lessons. Including third parties in testing ensures their resilience aligns with impact tolerances. Firms must ensure third-party testing methodologies and scenarios meet their own requirements. Finding out that a third-parties testing does not meet a firm’s operational resilience requirements just before 31^st March 2025 is too late. If third party testing has not already been completed, and shortfalls are not already being addressed, then operational resilience compliance on 31^st March 2025 is already in jeopardy.