
Understanding Scenario Testing & Impact Tolerance


What is Scenario Testing in Operational Resilience?

Scenario testing is a structured, forward-looking method used to assess your organisation’s ability to withstand and recover from severe but plausible disruptions. In the context of operational resilience, it focuses not on financial outcomes but on maintaining the continuity of your important business services—those that, if disrupted, could cause intolerable harm to customers, markets, or your firm’s stability.


Unlike financial stress testing, which evaluates the impact of macroeconomic shocks on capital or liquidity, operational scenario testing examines real-world failures such as cyberattacks, third-party disruptions, or system outages. The aim is to test whether your firm can stay within its defined impact tolerances—the limits set by regulators and boards to prevent unacceptable harm.


Scenario testing is a core requirement across regulatory frameworks, including the UK’s PRA SS1/21, CP24/3, the FCA’s operational resilience guidance, and the EU’s Digital Operational Resilience Act (DORA). These regulations expect firms to demonstrate their ability to continue delivering critical services under stress—and scenario testing provides the evidence to do just that.

Scenario Testing: From Theory to Practice

Scenario testing marks a fundamental shift in how organisations approach operational disruption. Rather than relying solely on incident logs, risk registers, or tabletop reviews, it brings a proactive and structured discipline to testing the real-world limits of your resilience. It’s not just about compliance—it’s about leadership readiness, response capability, and informed decision-making when it counts.


Traditional approaches to business continuity or disaster recovery often focus narrowly on restoring systems or maintaining access. But scenario testing asks a deeper question: Can your organisation continue delivering critical services under pressure—and for how long—before causing intolerable harm to customers, markets, or your own viability?


By embedding scenario testing into your operational risk framework, you create a dynamic feedback loop—linking governance, control design, and risk appetite to actual performance under stress. It allows you to understand interdependencies, assess your most vulnerable points, identify single points of failure, and explore how multiple failures can interact in ways not easily predicted by historical data.


This shift also reflects growing regulatory expectations. Authorities like the PRA, FCA, and EU (under DORA) now require firms not only to anticipate disruption but to demonstrate through scenario testing that they can operate within defined impact tolerances. These are no longer theoretical exercises—they are measurable indicators of a firm’s resilience posture.


Done well, scenario testing is both a learning tool and a strategic enabler. It builds internal awareness, strengthens governance, informs investment decisions, and gives boards confidence in the organisation’s ability to protect what matters most.


Adopting Scenario Testing Helps You Achieve Several Critical Objectives:

Build Resilience Capability and Culture

Scenario testing equips teams to think ahead, adapt, and act under pressure. It drives engagement across functions and embeds resilience into the culture—not just as a compliance exercise, but as a core capability.

Critical Dependencies & Single Points of Failure

Reveal where important services rely on fragile processes, individual systems, or third parties. Understand how these interdependencies behave under stress, especially in multi-layered or cascading disruptions.

Demonstrate Regulatory Compliance

Meet evolving expectations under DORA, PRA SS1/21, CP24/3, and FCA guidance by proving that you’ve tested your most important services under severe but plausible scenarios.

Strengthen Risk Governance

Link impact tolerance thresholds to your board’s risk appetite, regulatory obligations, and customer expectations—making governance more actionable.

Prioritise Investments and Resources

Use scenario outcomes to focus attention and resources on the areas of highest exposure—reducing risk more effectively and efficiently.

Effective Response Under Pressure

Strengthen leadership and team confidence through realistic testing. Develop muscle memory for decision-making, escalation, and stakeholder management when it matters most.

Need help building operational resilience?

At Aevitium LTD, we help organisations develop tailored scenario testing programmes, set meaningful impact tolerances, and embed resilience into governance, decision-making, and operations.

From Risk Strategy to Scenario Testing & Tolerance Setting

Before diving into scenario testing and impact tolerance setting, it’s essential to understand how these activities connect with your organisation’s overall risk strategy (read our Risk Strategy Tutorial). This foundational step ensures that scenario testing aligns with your business objectives, providing a clear framework to assess your resilience. Below, we outline the key steps to incorporate risk strategy into your scenario testing process.

5 Steps From Risk Strategy to Scenario Testing & Tolerance Setting

Ready to Integrate Your Risk Strategy into Operational Resilience?

At Aevitium LTD, we help organisations bridge the gap between risk strategy and operational resilience. Our tailored approach includes setting meaningful tolerances, defining key risk indicators (KRIs), and embedding resilience into governance, decision-making, and operations. We ensure that your risk management framework is practical, actionable, and aligned with your long-term objectives.

What Is an Example of Scenario Testing in Practice?

Scenario testing typically involves simulating a severe but plausible disruption to one of your important business services—such as a major IT outage, cyberattack, or third-party failure. You then assess whether the service can remain within your defined impact tolerance, using real input from operations, technology, compliance, and leadership teams.

This approach is embedded in regulatory frameworks like DORA and the UK’s PRA SS1/21 and CP24/3, which emphasise practical, cross-functional testing over purely theoretical models. Unlike financial stress testing, operational scenarios focus on service continuity, customer harm, and governance under pressure—not just balance sheet impacts.

Common Challenges Firms Face

Generic or unrealistic scenarios

Many firms rely on abstract scenarios that don’t reflect how disruptions actually unfold within their specific business models. This makes it difficult to identify real vulnerabilities or stress points that matter in practice.


Too much focus on systems, not people

Scenario exercises often emphasise IT recovery and system dependencies but overlook the human and governance dimensions—like decision-making, communication breakdowns, or unclear accountability during a crisis.

It’s a once-a-year checkbox exercise

When scenario testing is treated as an annual event for regulatory reporting, it loses its strategic value. Embedding it into BAU cycles helps create a culture of continuous learning and resilience.

Vague or untested impact tolerances

Impact tolerances are often either too conservative or too broad—and rarely tested. Without clarity or evidence, it’s hard to assess whether services can truly withstand disruption within those thresholds.

No feedback loop into planning or investment

Insights from testing don’t always translate into tangible actions. Without a structured mechanism to capture lessons learned and inform planning, resilience improvements stall after the exercise.

“That doesn’t apply to us” mindset

It’s common to dismiss disruptions experienced in other sectors as irrelevant. But operational risks—cyberattacks, third-party failures, internal errors—often transcend industries. The goal isn’t to predict the exact scenario, but to test how well your organisation can adapt when the unexpected happens.

These Challenges Are Common—But Solvable

If any of these challenges sound familiar, you're not alone—and you're not the only one under pressure to get this right. At Aevitium LTD, we help organisations turn fragmented testing into a structured, value-driven resilience programme. Whether you're just getting started or need to improve what’s already in place, we’re here to help.

Is Scenario Testing Part of ERM?

Yes. Scenario testing plays a critical role within an Enterprise Risk Management (ERM) framework—especially when it comes to assessing operational risks and stress points across services, systems, and third parties. Frameworks like ISO 31000 and COSO ERM recognise the value of structured scenario analysis in preparing organisations for disruption.

Core Components of Scenario Testing & Impact Tolerance Setting

Scenario testing and impact tolerance setting are critical tools for assessing your ability to maintain essential services during disruption. To be effective, they must be grounded in your actual business model, applied to the right services, involve the right people, and generate insights that inform real decisions—not just satisfy regulatory expectations.

1. Selecting the Right Business Services

Start by applying scenarios to your important business services—not just systems or departments. This means identifying services whose disruption would cause intolerable harm to customers, markets, or regulatory obligations. Don’t spread efforts too thin; focus on high-priority services that align with your impact tolerance regime.

2. Defining Clear, Measurable Impact Tolerances

Set thresholds in operational terms (e.g. maximum allowable downtime, data loss, financial loss, reputational hit). Tolerances must be meaningful, specific, and tested—avoiding vague language like "minimal disruption" or "as soon as possible." Where possible, tie them to customer harm and regulatory expectations.

3. Designing Scenarios That Matter

Effective scenarios are both severe and plausible—but also tailored. Consider whether the disruption originates internally (e.g. system failure, human error) or externally (e.g. supplier outage, regulatory intervention), and whether it affects a single service, a region, your whole enterprise, or even the wider market. Avoid disaster-movie thinking—focus on layered risks, like a cyberattack during a change freeze or a third-party failure during peak operations. Use recent disruptions, near misses, or industry events to keep scenarios grounded and relevant. And don’t overlook slow-burn scenarios that test endurance, not just response.

4. Choosing the Right Format (Live vs Offline)

Run tabletop or live simulations depending on the maturity of your teams and complexity of the scenario. Tabletop exercises are ideal for testing governance, decision-making, and communication flow. Live testing (including failover and data restoration) is crucial for validating systems and control readiness. Both have value—use them strategically.

5. Involving the Right People at the Right Levels

Participation should reflect the nature and potential impact of the scenario. A localised disruption may only require operational managers, while an enterprise-wide or systemic event demands senior leadership at the table. Always include the actual decision-makers—this is key to testing governance and escalation pathways under pressure. Service owners, risk, compliance, customer operations, and technology should all be engaged. Scenario testing is as much about how people respond as it is about systems. Impact tolerances should be approved by executives or the board, who must also review and learn from key scenario outcomes.

6. Embedding a Structured Debrief & Feedback Loop

Post-exercise, run a formal after-action review. Capture insights on what worked, what didn’t, and what requires immediate remediation. Feed this directly into control improvements, budget allocation, and board reporting—not just the next test plan.

Who Is Responsible for Scenario Testing and Impact Tolerances?

Responsibility typically sits with the Chief Risk Officer or operational resilience lead, but success depends on cross-functional ownership. Senior management must sponsor the programme, while business units, IT, risk, compliance, and third-party managers contribute to design and execution. Impact tolerances should be approved at executive or board level—ensuring accountability and alignment with the firm’s risk appetite and customer obligations.

Who Is Accountable for Scenario Testing and Impact Tolerances?

While operational resilience is a shared responsibility, accountability for the scenario testing programme typically rests with the Board of Directors, the Chief Executive Officer (CEO), and the Chief Risk Officer (CRO). The executive team must ensure that the programme aligns with the firm’s strategy, regulatory requirements, and risk appetite. However, scenario testing involves key stakeholders across business functions—including service owners, IT, risk, compliance, and third-party managers—ensuring it becomes an integral part of the business continuity framework.


Is Your Scenario Testing Ready for the Next Challenge?

Struggling to design realistic scenarios or set meaningful impact tolerances? Is your testing programme reactive or siloed, lacking input from key stakeholders? Building a resilient and effective scenario testing framework takes more than just ticking boxes. If you're facing these challenges, you're not alone!

Main Types of Scenarios for Testing Operational Resilience

Effective scenario testing involves designing disruptions that challenge your organisation’s resilience in different ways. Below are the key types of scenarios to consider, each testing a unique aspect of your operations—from everyday disruptions to catastrophic events. Understanding these will help you build a comprehensive resilience programme that prepares you for both the expected and the unexpected.

High-Impact, Low-Probability Scenarios

These are severe, but unlikely, disruptions—such as a major cyberattack, natural disaster, or a systemic market collapse. These scenarios test your organisation’s ability to withstand catastrophic events and maintain service continuity under extreme conditions.

Example: A cyberattack that disables your core banking system for a week, impacting millions of customers.

High-Probability, Low-Impact Scenarios

These disruptions are more likely to occur, but their immediate impact is less severe. Examples include routine IT outages, temporary supplier failures, or minor cyber incidents. These scenarios are useful for ensuring that you can continue to function during everyday disruptions and maintain business-as-usual operations.


Example: A short outage of your email system due to server maintenance, affecting internal communication but not customer-facing services.

Compound Scenarios

A compound scenario involves the simultaneous occurrence of multiple events, such as a cyberattack coinciding with a supply chain failure. These test your organisation’s ability to manage cascading risks and ensure that your response mechanisms are flexible and robust enough to handle multiple disruptions.


Example: A ransomware attack that locks critical systems while a key supplier goes offline due to a logistical strike, crippling your ability to deliver services.

Slow-Burn Scenarios

Slow-burn scenarios are disruptions that unfold over time, rather than suddenly. For example, a gradual decrease in service quality, a prolonged third-party failure, or the slow erosion of operational capacity. These scenarios assess your organisation’s ability to identify and respond to emerging risks before they become critical.


Example: A gradual decline in service quality from a third-party vendor, which leads to customer dissatisfaction and attrition over a six-month period.

Industry-Specific Scenarios

These scenarios reflect risks unique to your industry, such as regulatory changes, sector-specific supply chain disruptions, or technological shifts. For example, financial firms may test the impact of regulatory changes like DORA or SMCR, while a healthcare organisation may test its ability to operate during a pandemic.


Example: A new regulatory requirement (e.g., DORA) comes into effect, forcing your organisation to quickly adapt its IT and third-party risk management processes to remain compliant.

Aevitium LTD Resilience Scenario Toolkit Structure

Unlock Your Resilience Scenario Toolkit

At Aevitium LTD, we believe that effective scenario testing is built on a structured, comprehensive approach. Our Resilience Scenario Toolkit is designed to help you develop, execute, and assess scenarios that drive actionable insights and enhance operational resilience.


This toolkit is composed of four key components that guide your organisation from scenario definition to in-depth assessment and continuous improvement. From curating predefined scenarios to evaluating response effectiveness, each element plays a critical role in strengthening your organisation’s preparedness for potential disruptions.


Get started by exploring the high-level structure of our toolkit below. Want more details? Download our one-pager to access a breakdown of the framework and see how it can be tailored to your organisation’s needs.

Aevitium LTD Operational Resilience: Case Studies & Insights

Triggers for Scenario Testing & Impact Tolerance Setting

Scenario testing and impact tolerance setting are key exercises to evaluate your organisation’s resilience. These activities are triggered by various factors—regulatory requirements, operational disruptions, strategic changes, regular risk reviews, or crisis preparedness needs. By identifying the right trigger, you can ensure your organisation is prepared for challenges and compliant with resilience expectations.

Regulatory Requirements

Regulations such as DORA, PRA SS1/21, or FCA guidelines require organisations to test their operational resilience regularly. Scenario testing often becomes a key part of fulfilling compliance mandates and preparing for audits or regulatory reviews.


Objective: Ensure your organisation is prepared for regulatory scrutiny and can demonstrate its ability to meet resilience expectations.

Strategic Change or Growth

As your organisation expands, launches new products, or enters new markets, there may be increased exposure to new risks, prompting the need for scenario testing.


Objective: Test resilience against evolving business scenarios, ensuring new risks are identified and mitigated proactively.

Operational or External Disruptions

A recent disruption or close call—such as a system outage, cyberattack, or supply chain breakdown—can serve as a trigger for scenario testing. This could stem from an event that directly impacted operations or a near miss that revealed vulnerabilities.


Objective: Evaluate how well your systems, people, and processes can respond to real-world risks, identifying areas for improvement.

Crisis Preparedness

Scenario testing is often integrated into the regular business continuity or risk management review cycles, typically conducted annually or during major reviews. If crisis response or business continuity plans haven't been tested recently, scenario testing becomes essential to refine decision-making, escalation, and recovery protocols.


Objective: Continuously enhance your operational resilience strategy and ensure a well-coordinated, effective response to crises, aligned with the organisation’s overall strategy.

Ready to bring your risk and compliance to the next level?

Reach out today to discover how our integrated approach will help you achieve your objectives. At Aevitium LTD, we’re dedicated to providing a personalised approach through our risk advisory services.
