
Understanding Scenario Testing & Impact Tolerance

This tutorial supports operational resilience teams, risk practitioners, scenario testing leads, service owners, and governance functions responsible for designing and validating resilience scenarios under PRA, FCA, and DORA standards.

Expert-led, boutique advisory trusted by financial services, fintechs, and purpose-driven organisations.


What is Scenario Testing in Operational Resilience?

Scenario testing is a structured, forward-looking method used to assess your organisation’s ability to withstand and recover from severe but plausible disruptions. In the context of operational resilience, it focuses not on financial outcomes but on maintaining the continuity of your important business services, those that, if disrupted, could cause intolerable harm to customers, markets, or your firm’s stability.

Unlike financial stress testing, which evaluates the impact of macroeconomic shocks on capital or liquidity, operational scenario testing examines real-world failures such as cyberattacks, third-party disruptions, or system outages. The aim is to test whether your firm can stay within its defined impact tolerances, especially the limits set by regulators and boards to prevent unacceptable harm.

Scenario testing is a core requirement across regulatory frameworks, including the UK’s PRA SS1/21 and CP24/3, the FCA’s operational resilience guidance, and the EU’s Digital Operational Resilience Act (DORA). These regulations expect firms to demonstrate their ability to continue delivering critical services under stress, and scenario testing provides the evidence to do just that.

Scenario Testing: From Theory to Practice

Scenario testing marks a fundamental shift in how organisations approach operational disruption. Rather than relying solely on incident logs, risk registers, or tabletop reviews, it brings a proactive and structured discipline to testing the real-world limits of your resilience. It’s about leadership readiness, response capability, and informed decision-making when it counts.

Traditional approaches to business continuity or disaster recovery often focus narrowly on restoring systems or maintaining access. But scenario testing asks a deeper question: Can your organisation continue delivering critical services under pressure, and for how long, before causing intolerable harm to customers, markets, or your own viability?

By embedding scenario testing into your operational risk framework, you create a dynamic feedback loop linking governance, control design, and risk appetite to actual performance under stress. It allows you to understand interdependencies, assess your most vulnerable points, identify single points of failure, and explore how multiple failures can interact in ways not easily predicted by historical data.

This shift also reflects growing regulatory expectations. Authorities such as the PRA and FCA, and EU regulators under DORA, now require firms not only to anticipate disruption but to demonstrate through scenario testing that they can operate within defined impact tolerances. These tolerances are measurable indicators of a firm’s resilience posture.

Done well, scenario testing is both a learning tool and a strategic enabler. It builds internal awareness, strengthens governance, informs investment decisions, and gives boards confidence in the organisation’s ability to protect what matters most. Scenario testing cycles also support continuous improvement and enhance the organisation’s ability to respond to real-world scenarios.

Adopting Scenario Testing Helps You Achieve Several Critical Objectives:

Build Resilience Capability and Culture

Scenario testing equips teams to think ahead, adapt, and act under pressure. It drives engagement across functions and embeds resilience into the culture as a core capability.

Critical Dependencies & Single Points of Failure

Reveal where important services rely on fragile processes, individual systems, or third parties. Understand how these interdependencies behave under stress, especially in multi-layered or cascading disruptions.

Demonstrate Regulatory Compliance

Meet evolving expectations under DORA, PRA SS1/21, CP24/3, and FCA guidance by proving that you’ve tested your most important services under severe but plausible scenarios.

Strengthen Risk Governance

Link impact tolerance thresholds to your board’s risk appetite, regulatory obligations, and customer expectations, making governance more actionable.

Prioritise Investments and Resources

Use scenario outcomes to focus attention and resources on the areas of highest exposure, reducing risk more effectively and efficiently.


Effective Response Under Pressure

Strengthen leadership and team confidence through realistic testing. Develop muscle memory for decision-making, escalation, and stakeholder management when it matters most.

Need help building operational resilience?

At Aevitium LTD, we help organisations develop tailored scenario testing programmes, set meaningful impact tolerances, and embed resilience into governance, decision-making, and operations.

From Risk Strategy to Scenario Testing & Tolerance Setting

Before diving into scenario testing and impact tolerance setting, it’s essential to understand how these activities connect with your organisation’s overall risk strategy (read our Risk Strategy Tutorial). This foundational step ensures that scenario testing aligns with your business objectives, providing a clear framework to assess your resilience. Below, we outline the key steps to incorporate risk strategy into your scenario testing process.

5 Steps From Risk Strategy to Scenario Testing & Tolerance Setting

Ready to Integrate Your Risk Strategy into Operational Resilience?

At Aevitium LTD, we help organisations bridge the gap between risk strategy and operational resilience. Our tailored approach includes setting meaningful tolerances, defining key risk indicators (KRIs), and embedding resilience into governance, decision-making, and operations. We ensure that your risk management framework is practical, actionable, and aligned with your long-term objectives.

What Is an Example of Scenario Testing in Practice?

Scenario testing typically involves simulating a severe but plausible disruption to one of your important business services, such as a major IT outage, cyberattack, or third-party failure. You then assess whether the service can remain within your defined impact tolerance, using real input from operations, technology, compliance, and leadership teams.


This approach is embedded in regulatory frameworks like DORA and the UK’s PRA SS1/21 and CP24/3, which emphasise practical, cross-functional testing over purely theoretical models. Unlike financial stress testing, operational scenarios focus on service continuity, customer harm, and governance under pressure, not just balance sheet impacts.

Common Challenges Firms Face

Generic or unrealistic scenarios

Many firms rely on abstract scenarios that don’t reflect how disruptions actually unfold within their specific business models. This makes it difficult to identify real vulnerabilities or stress points that matter in practice.

Too much focus on systems, not people

Scenario exercises often emphasise IT recovery and system dependencies but overlook the human and governance dimensions—like decision-making, communication breakdowns, or unclear accountability during a crisis.

It’s a once-a-year checkbox exercise

When scenario testing is treated as an annual event for regulatory reporting, it loses its strategic value. Embedding it into BAU cycles helps create a culture of continuous learning and resilience.

Vague or untested impact tolerances

Impact tolerances are often either too conservative or too broad and rarely tested. Without clarity or evidence, it’s hard to assess whether services can truly withstand disruption within those thresholds.

No feedback loop into planning or investment

Insights from testing don’t always translate into tangible actions. Without a structured mechanism to capture lessons learned and inform planning, resilience improvements stall after the exercise.

“That doesn’t apply to us” mindset

It’s common to dismiss disruptions experienced in other sectors as irrelevant. But operational risks—cyberattacks, third-party failures, internal errors—often transcend industries. The goal isn’t to predict the exact scenario, but to test how well your organisation can adapt when the unexpected happens.

These Challenges Are Common—But Solvable

**If any of these challenges sound familiar, you're not alone**—and you're not the only one under pressure to get this right. At Aevitium LTD, we help organisations turn fragmented testing into a structured, value-driven resilience programme. Whether you're just getting started or need to improve what’s already in place, we’re here to help.

Proven. Certified. Trusted.

Julien Haye is a Risk.net Faculty
Julien Haye Top 25 - Risk Management Thought Leader  on Thinkers360
Julien Haye CPD Accreditation
Julien Haye is a member of CISI (MCSI)

Is Scenario Testing Part of ERM?

Yes. Scenario testing plays a critical role within an Enterprise Risk Management (ERM) framework—especially when it comes to assessing operational risks and stress points across services, systems, and third parties. Frameworks like ISO 31000 and COSO ERM recognise the value of structured scenario analysis in preparing organisations for disruption.

Core Components of Scenario Testing & Impact Tolerance Setting

Scenario testing and impact tolerance setting are critical tools for assessing your ability to maintain essential services during disruption. To be effective, they must be grounded in your actual business model, applied to the right services, involve the right people, and generate insights that inform real decisions—not just satisfy regulatory expectations.

1. Selecting the Right Business Services

Start by applying scenarios to your important business services—not just systems or departments. This means identifying services whose disruption would cause intolerable harm to customers, markets, or regulatory obligations. Don’t spread efforts too thin; focus on high-priority services that align with your impact tolerance regime.

2. Defining Clear, Measurable Impact Tolerances

Set thresholds in operational terms (e.g. maximum allowable downtime, data loss, financial loss, reputational hit). Tolerances must be meaningful, specific, and tested. Avoid vague language like "minimal disruption" or "as soon as possible." Where possible, tie them to customer harm and regulatory expectations.

Impact Tolerance Example

Impact tolerances are set using operational metrics that reflect the maximum acceptable level of disruption for an important business service. Below is a simplified example.

Service: Payments Processing
Metric Type: Maximum Outage Duration
Tolerance: Up to 4 hours of total service unavailability.

Additional Indicators Used in Assessment

  • Maximum backlog before customer harm: 15,000 queued transactions.

  • Maximum number of affected customers: 100,000.

  • Maximum processing delay for same-day payments: 2 hours.

These parameters create a measurable threshold used during scenario testing to determine whether the service remains within tolerance. Ultimately, expected resilience outcomes should be defined alongside impact tolerance thresholds.

3. Designing Scenarios That Matter

Effective scenarios are both severe and plausible, but also tailored. Consider whether the disruption originates internally (e.g. system failure, human error) or externally (e.g. supplier outage, regulatory intervention), and whether it affects a single service, a region, your whole enterprise, or even the wider market. Avoid disaster-movie thinking. Instead, focus on layered risks, like a cyberattack during a change freeze or a third-party failure during peak operations. Use recent disruptions, near misses, or industry events to keep scenarios grounded and relevant. And don’t overlook slow-burn scenarios that test endurance, not just response. Finally, a structured scenario development process helps teams create realistic and repeatable resilience scenarios.

4. Choosing the Right Format (Live vs Offline)

Run tabletop or live simulations depending on the maturity of your teams and complexity of the scenario. Tabletop exercises are ideal for testing governance, decision-making, and communication flow. Live testing (including failover and data restoration) is crucial for validating systems and control readiness. Both have value—use them strategically.

5. Involving the Right People at the Right Levels

Participation should reflect the nature and potential impact of the scenario. A localised disruption may only require operational managers, while an enterprise-wide or systemic event demands senior leadership at the table. Always include the actual decision-makers—this is key to testing governance and escalation pathways under pressure. Service owners, risk, compliance, customer operations, and technology should all be engaged. Scenario testing is as much about how people respond as it is about systems. Impact tolerances should be approved by executives or the board, who must also review and learn from key scenario outcomes.

6. Embedding a Structured Debrief & Feedback Loop

Post-exercise, run a formal after-action review. Capture insights on what worked, what didn’t, and what requires immediate remediation. Feed this directly into control improvements, budget allocation, and board reporting—not just the next test plan.


Example: End-to-End Scenario Walkthrough

This example shows how the core components come together in practice.

Trigger
A regional cloud provider experiences a configuration failure affecting authentication services.

Dependency Chain
Third-party cloud service → shared identity platform → internal customer portal → payments processing service.


Service Impacts (sample)

  • Customers unable to log into accounts.

  • Payment submissions delayed or queued.

  • SLA breaches across high-volume channels.

  • Increased call centre volumes and operational backlog.

  • Reduced visibility of transaction status for service teams.


Impact Tolerance Assessment

  • Maximum allowable outage for the service: 4 hours.

  • Threshold exceeded at 2.5 hours due to compounding effects from the identity platform.

  • Operational backlog projected to exceed tolerance by hour 3.


Evidence Collected During Testing

  • Timestamped escalation records.

  • Dependency mapping validation against third-party commitments.

  • Manual workarounds effectiveness log.

  • Communication updates and stakeholder notifications.


Outcome
The scenario demonstrates that the service breaches its impact tolerance under a severe-but-plausible disruption, highlighting dependencies requiring remediation.
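As an added example (not part of the original tutorial), the Python below encodes the payments processing tolerances from the impact tolerance example above and evaluates a constructed timeline for this walkthrough against them. It shows how a secondary indicator (affected customers) can breach tolerance at 2.5 hours while outage duration is still inside its 4-hour limit, and projects when the backlog would cross its own threshold. The metric names, the timeline readings and the linear projection method are assumptions, not figures from a real exercise.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence

@dataclass(frozen=True)
class Tolerance:
    """One measurable impact tolerance: a breach means observed value > limit."""
    metric: str
    limit: float
    unit: str

@dataclass(frozen=True)
class Observation:
    """Indicator readings captured at one point in the exercise timeline."""
    hours: float                 # elapsed hours since the trigger event
    metrics: Dict[str, float]    # metric name -> observed value

@dataclass(frozen=True)
class Breach:
    hours: float
    metric: str
    observed: float
    limit: float
    unit: str

# Tolerances taken from the tutorial's payments processing example.
PAYMENTS_TOLERANCES: Sequence[Tolerance] = (
    Tolerance("outage_hours", 4.0, "hours"),
    Tolerance("queued_transactions", 15_000, "transactions"),
    Tolerance("affected_customers", 100_000, "customers"),
    Tolerance("same_day_delay_hours", 2.0, "hours"),
)

# Constructed readings for the cloud/identity walkthrough (sample data, not
# from a real exercise): customers are locked out of the portal from the first
# hour, so the customer indicator compounds faster than the outage clock.
WALKTHROUGH_TIMELINE: List[Observation] = [
    Observation(0.5, {"outage_hours": 0.5, "queued_transactions": 2_000,
                      "affected_customers": 20_000, "same_day_delay_hours": 0.5}),
    Observation(1.5, {"outage_hours": 1.5, "queued_transactions": 6_000,
                      "affected_customers": 60_000, "same_day_delay_hours": 1.0}),
    Observation(2.5, {"outage_hours": 2.5, "queued_transactions": 12_000,
                      "affected_customers": 110_000, "same_day_delay_hours": 1.5}),
]

def first_breach(timeline, tolerances) -> Optional[Breach]:
    """Earliest observation at which any indicator exceeds its tolerance."""
    for obs in sorted(timeline, key=lambda o: o.hours):
        for tol in tolerances:
            value = obs.metrics.get(tol.metric)
            if value is not None and value > tol.limit:
                return Breach(obs.hours, tol.metric, value, tol.limit, tol.unit)
    return None

def project_crossing(timeline, tol: Tolerance) -> Optional[float]:
    """Linear extrapolation (from the last two readings) of the hour at which a
    still-rising metric reaches its limit; None if missing, already over, or flat."""
    points = [(o.hours, o.metrics[tol.metric])
              for o in sorted(timeline, key=lambda o: o.hours)
              if tol.metric in o.metrics]
    if len(points) < 2:
        return None
    (t0, v0), (t1, v1) = points[-2], points[-1]
    if v1 > tol.limit or t1 == t0 or v1 <= v0:
        return None
    return t1 + (tol.limit - v1) / ((v1 - v0) / (t1 - t0))

def assess(timeline, tolerances) -> dict:
    """Exercise summary: tolerance status, first breach, projected crossings."""
    breach = first_breach(timeline, tolerances)
    projections = {t.metric: project_crossing(timeline, t) for t in tolerances}
    return {
        "status": "BREACHED" if breach else "WITHIN_TOLERANCE",
        "first_breach": breach,
        "projected_crossings": {m: h for m, h in projections.items() if h is not None},
    }

if __name__ == "__main__":
    report = assess(WALKTHROUGH_TIMELINE, PAYMENTS_TOLERANCES)
    print(report["status"], report["first_breach"])
    for metric, hour in report["projected_crossings"].items():
        print(f"{metric} projected to cross tolerance at hour {hour:.1f}")
```

Feeding the same timeline only up to 1.5 hours reports the service as within tolerance, which is the check a debrief can use to show exactly when and on which indicator the exercise tipped over.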

Downloadable How To Guide


Step-by-step guide to: Scenario Testing and Impact Tolerance

Designing and applying effective scenario testing supports operational resilience, service continuity, and governance oversight. It helps organisations assess severe-but-plausible disruptions, understand dependencies, and validate whether critical services can operate within defined impact tolerances.

This guide provides a clear, structured approach to scenario design, tolerance setting, and evidence collection. It supports teams in building practical, regulator-aligned testing programmes across important business services and Critical or Important Functions.

Download the guide to support your scenario testing activities.

Evidence and Documentation Requirements

Operational resilience regulations expect firms to maintain clear evidence of how scenarios are designed, executed, and assessed. Documentation must demonstrate that scenarios are severe and plausible, aligned to important business services, and supported by validated assumptions. The following elements form the core evidence set used during reviews, audits, and board reporting, and support regulatory expectations under PRA SS1/21, FCA rules, and DORA.

Scenario Design and Justification


1) Description of the trigger, severity level, and propagation path.

2) Rationale for selecting the scenario, including sector incidents, dependency risks, or known vulnerabilities.

3) Evidence that the scenario is severe and plausible, supported by internal and external data.

4) Clear alignment to the important business service being tested.

5) Documentation of the scenario steps, inputs, and results to strengthen review cycles.

Assumptions and Validation



1) Documented assumptions for recovery times, manual workarounds, resource availability, and supplier support.

2) Cross-functional challenge from operational, technology, cyber, and third-party teams.

3) Supplier engagement evidence where the scenario relies on third- or fourth-party capabilities.

4) Traceability between assumptions and reference data or operational metrics.

Execution Records and Impact Assessment

1) Timestamps, escalation logs, and decision records gathered during the test.

2) Evidence of communication updates and operational actions.

3) Quantitative assessment against impact tolerance metrics such as outage duration, backlog volumes, or customers affected.

4) Confirmation of whether the service remained within tolerance.

Lessons Learned, Remediation, and Board Reporting

1) Structured after-action review outcomes and defined remediation actions.

2) Updates to service maps, tolerances, dependency records, or scenario libraries.

3) Assigned owners and timeframes for improvements.

4) Board-ready summaries covering scenario narrative, impacts, vulnerabilities, and required investment.

Who Is Responsible for Scenario Testing and Impact Tolerances?

Responsibility typically sits with the Chief Risk Officer or operational resilience lead, but success depends on cross-functional ownership. Senior management must sponsor the programme, while business units, IT, risk, compliance, and third-party managers contribute to design and execution. Impact tolerances should be approved at executive or board level—ensuring accountability and alignment with the firm’s risk appetite and customer obligations.

Who Is Accountable for Scenario Testing and Impact Tolerances?

While operational resilience is a shared responsibility, accountability for the scenario testing programme typically rests with the Board of Directors, the Chief Executive Officer (CEO), and the Chief Risk Officer (CRO). The executive team must ensure that the programme aligns with the firm’s strategy, regulatory requirements, and risk appetite. However, scenario testing involves key stakeholders across business functions—including service owners, IT, risk, compliance, and third-party managers—ensuring it becomes an integral part of the business continuity framework.


Is Your Scenario Testing Ready for the Next Challenge?

Struggling to design realistic scenarios or set meaningful impact tolerances? Is your testing programme reactive or siloed, lacking input from key stakeholders? Building a resilient and effective scenario testing framework takes more than just ticking boxes. If you're facing these challenges, you're not alone!

Main Types of Scenarios for Testing Operational Resilience

Effective scenario testing involves designing disruptions that challenge your organisation’s resilience in different ways. Below are the key types of scenarios to consider, each testing a unique aspect of your operations—from everyday disruptions to catastrophic events. Understanding these will help you build a comprehensive resilience programme that prepares you for both the expected and the unexpected.

High-Impact, Low-Probability Scenarios

These are severe, but unlikely, disruptions—such as a major cyberattack, natural disaster, or a systemic market collapse. These scenarios test your organisation’s ability to withstand catastrophic events and maintain service continuity under extreme conditions.


Example: A cyberattack that disables your core banking system for a week, impacting millions of customers.

High-Probability, Low-Impact Scenarios

These disruptions are more likely to occur, but their immediate impact is less severe. Examples include routine IT outages, temporary supplier failures, or minor cyber incidents. These scenarios are useful for ensuring that you can continue to function during everyday disruptions and maintain business-as-usual operations.


Example: A short outage of your email system due to server maintenance, affecting internal communication but not customer-facing services.

Compound Scenarios

A compound scenario involves the simultaneous occurrence of multiple events, such as a cyberattack coinciding with a supply chain failure. These test your organisation’s ability to manage cascading risks and ensure that your response mechanisms are flexible and robust enough to handle multiple disruptions.


Example: A ransomware attack that locks critical systems while a key supplier goes offline due to a logistical strike, crippling your ability to deliver services.

Slow-Burn Scenarios

Slow-burn scenarios are disruptions that unfold over time, rather than suddenly. For example, a gradual decrease in service quality, a prolonged third-party failure, or the slow erosion of operational capacity. These scenarios assess your organisation’s ability to identify and respond to emerging risks before they become critical.


Example: A gradual decline in service quality from a third-party vendor, which leads to customer dissatisfaction and attrition over a six-month period.

Industry-Specific Scenarios

These scenarios reflect risks unique to your industry, such as regulatory changes, sector-specific supply chain disruptions, or technological shifts. For example, financial firms may test the impact of regulatory changes like DORA or SMCR, while a healthcare organisation may test its ability to operate during a pandemic.


Example: A new regulatory requirement (e.g., DORA) comes into effect, forcing your organisation to quickly adapt its IT and third-party risk management processes to remain compliant.

Selecting Important Business Services or Critical or Important Functions

Scenario testing must focus on the services where disruption would cause intolerable harm to customers, markets, or the firm’s stability. These are defined as important business services (IBS) or Critical or Important Functions (CIFs), and they form the foundation for proportionate resilience testing under PRA, FCA, and DORA expectations.


Criteria for Identifying Services to Test

Organisations typically assess the following elements when determining which services qualify as IBS or CIFs:

  • The scale of customer impact if the service fails.

  • Market or financial stability implications.

  • Regulatory or contractual obligations linked to continuity.

  • Dependencies on critical third parties, shared platforms, or concentrated regions.

  • Potential for operational backlog or data integrity issues.

Services meeting these criteria are prioritised for scenario testing because they carry the highest potential for intolerable harm.


Regulatory Expectation for Coverage

Regulators expect firms to test scenarios that reflect the full range of severe but plausible disruptions that could affect their IBS. Testing must be proportionate, ensuring:

  • Each IBS is covered by scenarios that reflect its unique dependencies.

  • Scenarios include internal disruptions and external disruptions such as third-party, technology, or regional failures.

  • Evidence shows how testing has informed tolerance setting, remediation, and investment decisions.


This provides assurance that resilience capabilities extend across all critical services, not only isolated systems or departments.


Linking IBS Mapping to Scenario Selection

IBS mapping identifies dependencies, single points of failure, and interconnections across people, processes, technology, and third parties. These insights guide scenario selection by highlighting:

  • Where disruptions are most likely to propagate.

  • Which suppliers or shared services create concentration risk.

  • Which operational steps are most sensitive to delay or degradation.

  • Where a realistic scenario could escalate beyond tolerance.


Using IBS maps as the starting point ensures scenarios reflect real operating conditions and align with service continuity outcomes.


Unlock Your Resilience Scenario Toolkit

At Aevitium LTD, we believe that effective scenario testing is built on a structured, comprehensive approach. Our Resilience Scenario Toolkit is designed to help you develop, execute, and assess scenarios that drive actionable insights and enhance operational resilience.

This toolkit is composed of four key components that guide your organisation from scenario definition to in-depth assessment and continuous improvement. From curating predefined scenarios to evaluating response effectiveness, each element plays a critical role in strengthening your organisation’s preparedness for potential disruptions.

Get started by exploring the high-level structure of our toolkit below. Want more details? Download our one-pager to access a breakdown of the framework and see how it can be tailored to your organisation’s needs.


Triggers for Scenario Testing & Impact Tolerance Setting

Scenario testing and impact tolerance setting are key exercises to evaluate your organisation’s resilience. These activities are triggered by various factors—regulatory requirements, operational disruptions, strategic changes, regular risk reviews, or crisis preparedness needs. By identifying the right trigger, you can ensure your organisation is prepared for challenges and compliant with resilience expectations.

Regulatory Requirements

Regulations such as DORA, PRA SS1/21, or FCA guidelines require organisations to test their operational resilience regularly. Scenario testing often becomes a key part of fulfilling compliance mandates and preparing for audits or regulatory reviews.


Objective: Ensure your organisation is prepared for regulatory scrutiny and can demonstrate its ability to meet resilience expectations.

Strategic Change or Growth

As your organisation expands, launches new products, or enters new markets, there may be increased exposure to new risks, prompting the need for scenario testing.


Objective: Test resilience against evolving business scenarios, ensuring new risks are identified and mitigated proactively.

Operational or External Disruptions

A recent disruption or close call—such as a system outage, cyber-attack, or supply chain breakdown—can serve as a trigger for scenario testing. This could stem from an event that directly impacted operations or a near-miss that revealed vulnerabilities.


Objective: Evaluate how well your systems, people, and processes can respond to real-world risks, identifying areas for improvement.

Crisis Preparedness

Scenario testing is often integrated into the regular business continuity or risk management review cycles, typically conducted annually or during major reviews. If crisis response or business continuity plans haven't been tested recently, scenario testing becomes essential to refine decision-making, escalation, and recovery protocols.


Objective: Continuously enhance your operational resilience strategy and ensure a well-coordinated, effective response to crises, aligned with the organisation's overall strategy.

Ready to bring your risk and compliance to the next level?

Reach out today to discover how our integrated approach will help you achieve your objectives. At Aevitium LTD, we’re dedicated to providing a personalised approach through our risk advisory services.
