What the guidance and good practice says

Why Operational Resilience Preparations Matter

Operational resilience has moved beyond the build phase for many regulated organisations.

Firms are expected to demonstrate that they understand their important business services, operational risks, impact tolerances and ability to remain within those tolerances during disruption.

This means organisations must not only document their resilience arrangements but also test them, evidence them and improve them through structured governance.

Simulation exercises provide a practical way to test whether crisis management, business continuity and operational response arrangements work under pressure.

The Need for Operational Resilience

Regulators expect firms to show that they can withstand, respond to and recover from serious disruption without causing intolerable harm to customers, markets or stakeholders.

This requires organisations to:

• Understand their operational risks
• Define impact tolerances
• Develop realistic response and recovery arrangements
• Stress test against credible disruption scenarios
• Identify vulnerabilities and remediate weaknesses
• Provide evidence for governance, assurance and board review

Operational resilience is therefore not a one off compliance project. It must become part of business as usual.

Why Simulation Exercises Are Critical

Simulation exercises allow organisations to test resilience arrangements in a controlled but realistic environment.

They help teams practise how they would respond to disruption, communicate under pressure, escalate decisions and manage competing priorities.

Effective simulations also reveal gaps that may not be visible during document reviews or desktop planning.

These may include unclear roles, slow escalation, weak communication routes, dependency failures or unrealistic recovery assumptions.

Understanding Operational Risks

A strong resilience programme begins with a clear understanding of the risks that could disrupt important business services.

Common scenarios may include:

• Cyber attacks
• Technology outages
• Supply chain disruption
• Loss of premises
• Loss of key people
• Third party failure
• Regulatory or reputational incidents

Simulation exercises allow firms to explore how these risks may develop in real time and how prepared their teams are to respond.

Testing Impact Tolerances

Impact tolerances define the maximum level of disruption an organisation can tolerate before causing unacceptable harm.

Testing those tolerances requires more than asking whether a plan exists.

Organisations must explore how disruption affects customers, services, systems, people, suppliers and decision making over time.

For example, a simulated technology outage can help assess whether recovery times, communication arrangements and customer impact assumptions are realistic.

Action Plans and Response Readiness

Once impact tolerances and key risks are understood, organisations need practical response arrangements that teams can activate under pressure.

This includes:

• Incident management protocols
• Crisis leadership structures
• Business continuity plans
• Recovery priorities
• Internal and external communications
• Decision making and escalation routes

Simulation exercises test whether those arrangements are understood, usable and effective.

Stress Testing Under Pressure

The most valuable exercises place teams under realistic pressure.

Scenarios may combine multiple challenges, such as a cyber incident alongside supplier disruption, media pressure, customer impact and internal resource constraints.

This helps organisations understand how their systems, processes and people perform when disruption is complex, fast moving and uncertain.

Stress testing can identify vulnerabilities in:

• Communication structures
• Decision making processes
• Information management
• Recovery assumptions
• Third party dependencies
• Governance and reporting

The Value of Independent Assurance

As organisations prepare evidence for boards and regulators, independent assurance can provide additional confidence.

External facilitators can help ensure scenarios are realistic, proportionate and aligned to the organisation’s risk profile.

They can also provide objective observations, structured debriefing and evidence to support self assessments, remediation planning and governance reporting.

Operational Resilience as Business as Usual

Operational resilience must be embedded into normal organisational governance.

This means exercises, testing, lessons identified and remediation activity should be tracked and reviewed over time.

The strongest organisations treat resilience as a continuous improvement cycle rather than a compliance deadline.

What good looks like

• Important business services clearly identified
• Impact tolerances defined and understood
• Credible disruption scenarios developed
• Simulation exercises delivered regularly
• Board and senior leadership engaged in resilience testing
• Clear evidence gathered from exercises and stress tests
• Vulnerabilities identified and remediated
• Third party and supplier dependencies considered
• Exercise outputs linked to governance and assurance
• Operational resilience embedded into business as usual

Common mistakes we see

Treating operational resilience as a deadline

Resilience should be embedded into business as usual rather than treated as a one off regulatory project.

Testing plans without testing people

Plans may look strong on paper, but exercises reveal whether teams can actually use them under pressure.

Using unrealistic scenarios

Scenarios must reflect credible risks, operational dependencies and the organisation’s real response environment.

Failing to test impact tolerances properly

Impact tolerances must be challenged through realistic disruption, not simply documented.

Weak evidence capture

Boards and regulators need clear evidence of testing, decisions, vulnerabilities and remediation activity.

No remediation follow through

Exercises only add value if lessons are tracked, owned and addressed through governance.

Practical checklist

Preparation

• Confirm important business services
• Review impact tolerances
• Map key dependencies and vulnerabilities
• Identify credible disruption scenarios
• Confirm participants and decision makers
• Define exercise objectives and success criteria

Simulation Exercise Delivery

• Use realistic injects and time pressure
• Test escalation and decision making
• Capture information flow and communications
• Assess customer and stakeholder impact
• Challenge recovery assumptions
• Observe team behaviours and coordination

Evidence and Assurance

• Record exercise attendance
• Capture key decisions and rationale
• Document strengths and vulnerabilities
• Produce debrief reports
• Assign owners for improvement actions
• Track remediation through governance
• Prepare evidence for board review and self assessment

FAQs

Why are simulation exercises important for operational resilience?

They allow organisations to test plans, people, processes and dependencies under realistic pressure before a real disruption occurs.

What should operational resilience exercises test?

Exercises should test impact tolerances, decision making, communication, recovery assumptions, third party dependencies and the organisation’s ability to remain within acceptable disruption levels.

How often should organisations run resilience exercises?

Exercises should be run regularly and whenever there are significant changes to services, systems, suppliers, operating models or risk exposure.

What evidence should be captured?

Organisations should retain exercise plans, attendance records, scenario materials, decision logs, debrief reports, vulnerabilities identified and remediation tracking.

Who should take part in simulation exercises?

Participants should include operational teams, crisis leaders, business continuity leads, technology teams, communications teams, key suppliers and senior decision makers where appropriate.

What is independent assurance?

Independent assurance involves external review or facilitation to provide objective confidence that resilience testing is realistic, effective and aligned to regulatory expectations.

What is the biggest mistake firms make?

The biggest mistake is treating operational resilience as a documentation exercise rather than testing whether the organisation can actually respond effectively under pressure.