Share with us a complex technology or change challenge - we'll take it from there.

Green Dolphin (TCCR) Limited
Green Dolphin (TCCR) Limited
  • Home
  • Subscribe
  • Our Story
  • Client Feedback
  • Outcomes Delivered
  • Community Outcomes
  • Services
    • Overview
    • Change Assurance
    • Internal Audit and Risk
    • Technology and Cyber Risk
    • SWIFT Compliance
    • Scenario Testing
    • M&A
    • GRC Support
  • Our Team
    • Senior Delivery Team
    • Alliance Partners
    • Flex Careers
  • Blogs and Insights
  • NEW Change Risk Scorecard
  • NEW Coffee in the Camper
  • Contact Us
  • About Us

When engaging with expert consultants, I value solutions tailored to our requirements, not generic lists. The collaboration with Green Dolphin has been refreshing, their expertise, passion and reliability have enhanced delivery. Addressing challenges pragmatically to find logical ways to mitigate

Kev Mowles | COO | Beverley Building Society

Scenario Testing

Testing Your Ability to Stay Within Impact Tolerances

Overview


We've helped dozens of firms to build and strengthen their operational resilience capability in line with regulatory requirements. 


As digital interdependencies grow spanning cloud, AI, and third-party ecosystems, our clients are shifting from response and recovery to continuous, connected resilience.  The question is no longer “Can we recover?” it’s, “How quickly can we adapt without losing customer trust or operational continuity?”  


Operational resilience scenario testing simulates severe but plausible disruptions (like cyber attacks, major outages, or third-party failures) to test your ability to remain within defined impact tolerances for your important business services, focusing on response and recovery rather than prevention.  Testing identifies vulnerabilities, validates continuity plans, and drives improvements to ensure services continue with minimal harm to customers or markets. 


When should testing take place?


  • There is a material change to your business operations, the important business services identified or impact tolerances;
  • Following improvements made in response to a previous test; and
  • In any event, on a regular basis.


Do you have third and fourth parties involved?  


The regulator is clear that you should approach testing with third parties in the same way as you approach the mapping exercise, working as effectively as possible with third parties to facilitate testing.  This could mean that either you or the third party carries out testing.  You'll need to satisfy yourself, if the third party is going to carry out any testing, of the methodologies, scenarios and considerations of the third party in doing so.  You are ultimately responsible for the quality and accuracy of any testing carried out, be that by themselves or by an external party. 


Regulators also expect firms to demonstrate board-level engagement and scenario testing for severe but plausible cyber events. The FCA has indicated that failure to meet these expectations could lead to enforcement action or supervisory intervention from 2026. 


Approach


We view operational resilience and scenario testing as a maturity journey.  We support you to take a pragmatic approach to testing, focusing on insights from the exercise and not dedicating disproportionate resource to quantify and test every permutation. 


We help you to:


  • Prioritise important business services for testing, considering the relative risk they pose to financial stability, customers, safety and soundness. 
  • Create a testing plan that includes realistic assumptions and evolves as you learn from previous testing.  The severity of scenarios used for testing could be varied by increasing the number or type of resources unavailable for delivering the important business service, or extending the period for which a particular resource is unavailable.
  • Leverage any previous incidents or near misses and existing scenario libraries from other activities such as operational risk, ICAAP, stress testing or business continuity. 


A range of testing approaches can be used, including a combination of:


  • Drills - Testing scenarios at an individual asset level to understand roles and responsibilities;
  • Desktop exercises and workshops - Walkthroughs of the recovery plans and playbooks, including third and fourth parties (less resource intensive);
  • Simulated tests - Involving internal business stakeholders and third parties to test a response and recovery to a severe but plausible scenario;
  • Full live testing - Creating a real time disruption within the production (or parallel) environment to test your ability to remain within impact tolerance;
  • Historical incidents - Analysing real-life incidents and near misses to assess effectiveness; and
  • Existing third party assurance - Relying on previous assurances such as disaster recovery and business continuity already carried out by third parties.

 

Why choose Green Dolphin


  • You're in safe hands: Our senior team have done this before and can combine roles of independent facilitator and trainer to build your capability as we go.  We fully tailor the approach and involve multiple team members to ensure diversity of skills and experience.
  • Phycological safety: Scenario testing only works when people feel safe to surface weaknesses.  We create an environment where teams can be honest, challenged, and supported - without fear of blame.
  • Improving your capability: We'll leave you stronger with a clear view of vulnerabilities and improvements, better playbooks, clearer roles, and more confident teams that can undertake their own testing in the future.
  • Proportionate and commercial: An understanding that budgets are not infinite and therefore our support needs to be proportionate to the risks faced, regulatory expectations and commercial realities.

Referenceable - Just Ask Us

Please let us put you in touch with your peers at other building societies, insurers and banks so you can hear first hand how we've performed similar testing.


Typical Green Dolphin Effort: 


Planning: 2 days

Facilitation: 1 day

Reporting: 2 days

Let's Talk

Case Study

Strengthening Operational Resilience Through Scenario Testing

Challenge


A Building Society (200 FTE) wanted to mature its operational resilience capability and demonstrate to its Board, members and regulators that it could respond to and recover from a disruptive incident. While it had identified its Important Business Services (IBS) and set impact tolerances, it had limited experience running realistic scenario tests that truly stretched its people, processes, and technology.


The Society recognised that traditional tabletop exercises often fail to expose real weaknesses.  They needed a structured, well‑designed scenario with credible injects, expert facilitation, and coaching to help teams build confidence and capability over time.


Approach


We designed and delivered a multi‑stage operational resilience scenario test approach tailored to the Society’s environment, dependencies, and IBS. The initial exercises included over 20 carefully sequenced injects, each designed to simulate escalating pressure, decision‑making complexity, and cross‑team coordination challenges.


Our approach combined:


  • Realistic scenario design: We developed a severe‑but‑plausible incident aligned to regulatory expectations, incorporating technology disruption, supplier dependencies, customer impact, and media pressure.
  • Progressive injects: More than 20 injects were delivered across the session, gradually increasing complexity to test leadership judgement, communication, escalation, and recovery planning.
  • Supportive facilitation and coaching: Throughout the exercise, we provided guidance, prompts, and reflective coaching to help participants think clearly under pressure, understand their roles, and build confidence in their response approach.
  • Evidence‑led insights: We observed behaviours, decision‑making, and control effectiveness in real time, capturing strengths and areas for improvement across governance, communication, technology, and third‑party management.
  • Maturity‑focused feedback: Rather than simply identifying gaps, we provided practical recommendations and coaching to help the Society embed resilience thinking into day‑to‑day operations.


Outcome


The Building Society significantly strengthened its ability to respond to and recover from a major incident. Operational teams gained:


  • Greater clarity on roles and responsibilities
  • Improved cross‑functional coordination
  • A deeper understanding of IBS dependencies
  • Increased confidence in their recovery playbooks
  • A clear roadmap to enhance resilience maturity


The Board received a concise, evidence‑based view of the Society’s readiness, supported by actionable recommendations aligned to PRA SS1/21 expectations.

Green Dolphin TCCR provides operational resilience and scenario testing in building societies.

© Green Dolphin (TCCR) Limited
Company registered in England and Wales (NO.16855006)


NCSC Cyber Essentials Certified 2026 (No.8fe63bb4-be60-4c2a-81f7-8cad1848de4d)


Good Business Charter Accredited 2026


VAT Registration 513 0298 23


All rights reserved.

Powered by

  • Subscribe
  • LinkedIn Page
  • Policies
  • Trustpilot Reviews
  • Contact Us
  • About Us

This website uses cookies.

We use cookies to analyze website traffic and optimize your website experience. By accepting our use of cookies, your data will be aggregated with all other user data.

DeclineAccept