Financial Services Financial Services & Banking Cybersecurity & Operational Resilience

Operational Resilience

Regulated environments where trust, compliance, and operational resilience are non-negotiable.

IBM Fusion Risk Management Everbridge ServiceNow
Inside this journey
  1. Pre-Discovery

    Align the room on outcomes, decision process, and constraints before deeper discovery.

    1. Stakeholder Alignment

      Confirm decision roles (COO, CRO, CIO, head of resilience), timelines, and regulatory priorities to align board-ready reporting expectations.

      Alignment Questions

      Start Here: The Board Just Demanded a Map

      • Who should join this discovery so we don't miss anyone critical? (select all relevant roles) Options: COO, CRO, CIO, Head of Operational Resilience, Head of Third-Party Risk, Head of Technology Operations, Chief Compliance Officer, Board Risk Chair, Head of Business Lines, Other
      • How soon has the board asked for a full dependency map and a board-ready resilience statement? Options: Immediately / Emergency request, Within 30 days, Within 60 days, Within 90 days, Within 6 months, No timeline given / ongoing expectation
      • Briefly describe the outage impact we should know about (services affected, duration, public coverage) — tell the story in a few sentences.
      • Which regulatory or examiner priorities are driving this work right now? (select all that apply) Options: PRA / UK operational resilience, ECB / DORA, OCC / US guidance, Fed expectations, Local/regional supervisors, Internal audit focus, Legal / compliance requirements, No clear regulator focus yet, Other
      • Who currently owns presenting resilience status and the annual resilience statement to the board risk committee? Options: COO, Head of Operational Resilience, CRO, CIO, CISO, Chief Risk Officer + COO jointly, Other

      Are You Sure You Know Who’s Really in Charge?

      • When the payment processor fails again tomorrow, who will have the authority to accept customer impact and speak for the institution to the board? Options: COO, CRO, CIO, Head of Operational Resilience, Head of Business Line, Incident Commander (named person), No single decision-maker is defined, Other
      • Do you have a documented RACI or decision-rights matrix for resilience incidents, and how current is it? Options: Documented and up-to-date, Documented but partially out-of-date, Informal / tribal knowledge only, No matrix exists
      • Give a recent example where decision responsibilities blurred during the outage — who stepped in, and what consequence followed?
      • Which of these governance levers were used to set remediation timelines after the outage? Options: Board mandate, Executive committee decision, CRO/COO agreement, Regulatory pressure, Vendor SLA negotiation, Vendor-imposed timelines, No formal timeline set
      • How do your CRO and COO currently align on defining impact tolerances — workshop, formal policy, ad hoc conversations, or something else? Options: Formal policy and sign-off, Periodic workshops, Ad hoc conversations, No formal alignment process, Other

      Where the Lights Flickered: What Actually Happened

      • What single failure point from the outage still makes you wince when the board asks questions?
      • Which business services were degraded or unavailable during the outage? (select all that applied) Options: Payments / card processing, Customer-facing digital banking (web/mobile), Lending origination, Claims processing, Customer support/contact centres, ATM/cash network, Clearing/settlement, Other
      • How accurate are your existing continuity plans when compared to what actually failed in the incident? Options: Fully accurate, Mostly accurate with small gaps, Partially accurate — significant gaps, Largely inaccurate, No continuity plans existed
      • How long did it take your team to reconcile internal logs, vendor timelines, and customer impacts after the outage? Options: Under 24 hours, 24–72 hours, 3–7 days, Over 1 week, Still reconciling
      • What incident evidence do you already have that would be useful for an examiner (select all that apply)? Options: System logs/telemetry, Incident report / timeline, Vendor communications / RCA, Customer complaints / complaints data, Board/exec meeting minutes, Change/configuration records, None / incomplete
      • How did the public and media coverage affect your internal priorities and the urgency of fixes? Tell us one concrete change that happened because of the coverage.

      The Blind Spots You Don’t Want to Find Under Pressure

      • If a regulator asked for a full end-to-end dependency map tomorrow, which critical service would you be least confident mapping? Options: Payments, Lending, Claims, Customer channels (web/mobile), Treasury/clearing, Back-office settlements, We could map all confidently, Not sure / need to investigate
      • Which types of dependency data do you currently struggle to produce reliably? (select all that apply) Options: Technology components (servers, databases), Network topology / links, Third-party vendor dependencies, Personnel / owners / on-call, Physical facilities and failover locations, Telemetry and monitoring metrics, Contracts and SLAs, Configuration items in CMDB, Other
      • Tell us about one supplier or vendor concentration you suspect is an undocumented single point of failure and why it worries you.
      • How do you currently surface hidden dependencies: manual interviews, CMDB, application mapping, vendor attestations, observability tools, or something else? Options: Manual interviews with SMEs, CMDB/configuration tools, APM/observability traces, Automated dependency mapping tools, Vendor attestations and questionnaires, We don't have a reliable method, Other
      • Practically speaking, how long would it take to assemble a consolidated dependency view for a single critical service today? Options: Under 1 week, 1–4 weeks, 1–3 months, Over 3 months, Unknown / depends on service
      • When you think about those blind spots, what feels like the biggest personal risk to you or your leadership team (embarrassment, regulatory finding, customer loss, financial exposure)? Options: Regulatory finding / sanction, Board criticism / loss of confidence, Customer churn and reputational damage, Financial loss / penalties, Operational inability to recover, Other

      What Tolerances Would Keep the Board Calm?

      • If the board demanded a quantifiable impact tolerance for payments today, what single metric would you give them—and why might that number fail an examiner’s scrutiny?
      • Which impact tolerance dimensions do you currently track or have proposed? (select all that apply) Options: Customer-facing outage duration (hours), Maximum acceptable transaction loss, Financial loss threshold, Percentage of customers affected, Regulatory breach threshold, Reputational / media impact metric, Service-level / throughput degradation, Other
      • Who in your organisation is empowered today to define or approve impact tolerances? Options: CRO, COO, CFO, Head of Operational Resilience, Board Risk Committee, Business Line Heads, Executive Committee, No single owner / shared responsibility, Other
      • Describe a recent example where a tolerance threshold was exceeded — what happened, who notified the board, and what remediation occurred?
      • How would you prefer impact tolerances and supporting evidence to be presented to the board? Options: Single yes/no resilience statement with evidence bundle, Interactive dashboard with drilldowns, Scenario narratives with artifacts, Heatmap with metric thresholds, Executive summary plus technical annex, Other

      Can Your Tests Actually Prove Resilience?

      • When you run a resilience scenario today, does it feel like a meaningful test of real-world failure or merely a compliance exercise? Options: Meaningful, realistic test, Mostly compliance-oriented, Mixed — some realistic elements, We do not run scenario tests
      • Which of these test types have you executed in the last 12 months? (select all that apply) Options: Tabletop / workshop scenarios, Live failover to DR environment, Simulated cloud-region outage, Vendor outage simulation, Chaos engineering experiments, No tests executed, Other
      • How often does the board require scenario testing and evidence of resilience? Options: Quarterly, Semi-annually, Annually, Ad hoc after incidents, Not defined
      • What artifacts or evidence do you currently capture during tests that you think would satisfy an examiner? (select all that apply) Options: Telemetry traces and logs, Business impact metrics, Witness statements and minutes, Vendor confirmations, Remediation tickets and closure evidence, None / insufficient evidence
      • Who owns scheduling tests and driving remediations from test findings? Options: Business owners, Technology operations, Operational resilience team, Third-party risk / procurement, Governance committee, No clear owner
      • Recall one test that failed to validate resilience — what specific gap surfaced and how long did remediation take (or is taking)?

      If We Had a Clear Runbook — What Would Change?

      • Imagine your dependency map is live, testable, and audit-ready — what are the first three decisions you would make differently?
      • Which platform capabilities would create the most immediate operational lift for your teams? (select up to three) Options: Live end-to-end mapping, Scenario simulation engine, Vendor concentration alerts, Audit-ready evidence bundling, Impact tolerance tracking, Playbook automation / remediation workflows, Role-based dashboards for execs and SMEs
      • What integrations are non-negotiable for deployment to be viable (SIEM, CMDB, ITSM, cloud telemetry, vendor portals)? (select all that apply) Options: SIEM / security logs, APM / observability, CMDB / asset inventory, ITSM / ticketing (ServiceNow/Jira), Cloud provider telemetry (AWS/Azure/GCP), Vendor portals / supplier APIs, Financial / transaction systems, Other
      • Realistically, how much team capacity can you allocate to an initial deployment (people-hours per week across teams)? Options: Under 5 hours/week, 5–10 hours/week, 10–20 hours/week, 20–40 hours/week, Over 40 hours/week
      • What would success look like at 30 days, 90 days, and 180 days after going live? Be specific about deliverables and governance changes.

      Next Steps: What Would Make Us Move Together?

      • If you had to sign off on one deliverable to convince the board the program is working, which single artifact would that be? Options: Board-ready resilience statement with evidence, Complete end-to-end dependency map, Quarterly scenario-testing plan with results, Regulator-ready evidence bundle for examiners, Governance and acceptance criteria + operating model
      • What pilot timeline from kickoff to a board-ready statement feels realistic for your organisation? Options: 30 days, 60 days, 90 days, 6 months, Depends on scope / need to agree scope first
      • Who must sit on the steering group and how often should it meet to keep momentum without governance fatigue? (select roles and preferred cadence) Options: COO, CRO, CIO, Head of Operational Resilience, Head of Third-Party Risk, Head of Business Line, Board Risk Chair (ex-officio), Monthly cadence, Bi-weekly cadence, Quarterly cadence, Ad hoc as issues arise
      • Which metrics would make you declare this program a success after 12 months? (select all that apply) Options: Reduced time to produce dependency map, Number of scenarios passed within tolerance, Percentage of critical gaps closed, No regulatory findings on resilience, Board acceptance of resilience statement, Reduced mean time to detect/recover
      • What outstanding concerns or constraints would give you pause before committing to a pilot?
      • Is there any other context, historical issue, or stakeholder dynamic we should know that would change how we approach your organisation?
    2. Current State Mapping

      Document existing continuity plans, recent outage impacts, known blind spots, and where dependency data is missing.

      Current State

      How Did We Get Here? (A Quick Check‑In)

      • Who is the day‑to‑day owner driving your operational resilience program today? Options: COO, Head of Operational Resilience, CRO, CIO/CTO, Head of Third‑Party Risk, Other
      • Give a brief factual summary of the recent nine‑hour outage and its immediate business impacts.
      • Which customer‑facing services were most visibly degraded or unavailable during the outage? Options: Payment processing, Retail banking portal, Card authorization, Lending origination, Claims processing, Other
      • How did your board and executive team react within the first 72 hours? Options: Demanded immediate root‑cause and remediation plan, Requested dependency map within 30 days, Asked for a regulatory‑facing statement, Escalated to external PR/legal, No substantive direction yet, Other
      • What timeline has leadership imposed for delivering a complete dependency map and quarterly scenario testing cadence? Options: Immediate (within 2 weeks), 30 days, 60–90 days, By next quarter, Not yet defined

      So this outage was a warning — or a new normal?

      • What makes you think the nine‑hour outage was a one‑off rather than the first sign of systemic fragility?
      • Do you have evidence that the root cause was isolated (internal process) or systemic (third‑party/vendor/cloud)? Options: Internal application/configuration, Third‑party vendor failure, Cloud region/ISP outage, Combined/multi‑factor, Still under investigation/unknown
      • Were there any services or teams that successfully routed around the failure? Tell us which ones and how they did it.
      • How worried are you that undocumented single points of failure still exist? Options: Extremely worried, Very concerned, Somewhat concerned, Not concerned
      • Has any regulator or examiner signaled an immediate review or requested evidence since the outage? Options: Yes — explicit request, Informal inquiry, No contact yet, Unsure

      Where the Paper Plans Fail: What We Really Need to Know

      • If an examiner opened your business continuity binders right now, what key claims could you not substantiate?
      • Do you maintain formal continuity plans for each critical business service, or are they consolidated at a program level? Options: Service‑level plans for each critical service, Consolidated program‑level plans, Hybrid (some service plans, some program), No formal plans
      • When were those plans last exercised end‑to‑end (not just tabletop)? Options: Within last 3 months, 3–6 months, 6–12 months, Over 12 months, Never
      • Which inventory areas do you believe are incomplete or unreliable today? (select all that apply) Options: People/roles/backup contacts, Applications and services, Technology components (DBs, queues), Networks & cloud regions, Third parties & subcontractors, Facilities (data centers, offices)
      • Where do you suspect dependency data is missing most — and why do you think it went undocumented?

      Show Me the Map — Can You Point to Every Dependency?

      • Can you honestly point to every third party, cloud region, and internal service whose failure would break a critical customer journey? Options: Yes — we can point to each dependency, Partially — some dependencies mapped, No — we cannot identify all dependencies
      • Do you currently have a live dependency map (service→technology→vendor) that updates from telemetry or inventories? Options: Yes — dynamic and integrated, Static map (manual updates), Partial automation, No map
      • Which classes of resources are already mapped (select all that apply)? Options: Business processes/services, Applications/microservices, Databases & storage, Networks & cloud regions, People & roles, Third‑party vendors
      • How visible are vendor concentration points (e.g., single vendor providing a shared capability across services)? Options: High visibility — documented and monitored, Some visibility — known for major vendors only, Low visibility — ad hoc awareness, No visibility
      • Which telemetry or feeds do you currently integrate with any mapping tool (select all that apply)? Options: CMDB/asset inventory, Cloud provider APIs (AWS/Azure/GCP), SIEM/logs, APM/tracing, Third‑party vendor portals, None
      • Who owns each layer of the map (business, application, infrastructure, vendor) and how often are they accountable for updates?

      If the Board Asked for Proof Today, What Would You Deliver?

      • Would your current evidence package support a PRA/ECB/OCC spot‑check without ad hoc followups? Options: Yes — fully supportable, Partially — gaps exist, No — insufficient evidence
      • Have impact tolerances been defined for your most critical services, and who set them? Options: Defined by CRO/Risk, Defined jointly with COO/CIO, Drafted but not approved, Not defined
      • What concrete artifacts would you be able to present to prove a scenario test (logs, telemetry, remediation tickets, board slides)? Options: Test run recordings & telemetry, Remediation tracking and closure evidence, Board‑ready summary statement, Third‑party attestations, We cannot produce these today
      • What parts of the regulator checklist give you the least confidence (e.g., mapping, tolerances, scenario realism, governance)? Options: Mapping completeness, Impact tolerance justification, Scenario realism and scope, Test evidence & audit trail, Governance and escalation paths
      • How often does the board expect a resilience update, and what would they accept as the minimum evidence in that update? Options: Quarterly with evidence, Semi‑annual summary, Annual statement only, Board hasn't specified

      What Would Real, Stressful Testing Look Like Here?

      • If we simulated a simultaneous cloud‑region failure plus your largest payment vendor outage, what would your end‑to‑end customer impact likely look like?
      • Have you ever executed a scenario using actual services and vendor inputs (not just tabletop)? Options: Yes — full live scenario, Hybrid (some live components), Only tabletop exercises, Never
      • Who would be required to participate in a regulator‑grade scenario run (roles, teams, vendor contacts)?
      • How are scenario failures tracked and closed today (ticketing systems, project trackers, or informal emails)? Options: Formal ticketing with SLA, Project tracker with owners, Ad hoc emails/meetings, No tracking
      • What time window of system telemetry would you expect to present as evidence for a single scenario run? Options: Full run logs + 24h before/after, Run logs only, Summary metrics, Unsure

      What Would Never Happen Again If You Had the Right Visibility?

      • If you could never be surprised by an undocumented single point of failure again, what would change for your team and the board?
      • What are the top three outcomes you need from a resilience platform to regain regulatory confidence? Options: Complete, evidence‑backed dependency maps, Regulator‑aligned scenario testing, Clear impact tolerance framework, Automated evidence collection for exams, Ongoing governance cadence & reporting
      • What impact tolerances feel realistic today for your two most critical services (name service and tolerance in hours or % customers affected)?
      • Which reporting format would the board find most convincing: a concise board‑ready statement, a technical appendix with full evidence, or both? Options: Board‑ready statement only, Technical appendix only, Both statement and appendix
      • How much executive time and budget could you realistically allocate over the next 90 days to close top‑tier mapping and testing gaps? Options: Significant (dedicated budget & time), Moderate (some resources), Limited (tight constraints), None currently
      • What would cause you to say ‘this solved the problem’ three months after deployment?

      Quick Inventory: Concrete Inputs We'll Need to Start Mapping

      • Which of these source systems can you provide access to for automated mapping (select all that apply)? Options: CMDB/asset inventory, Cloud provider accounts (AWS/Azure/GCP), Vendor portals/SSO, APM/tracing tools, Network/topology data, None available currently
      • Do you have a canonical list of critical business services and their business owners we can use as the mapping seed? Options: Yes — up to date, Yes — but needs validation, No canonical list, Partially (top services only)
      • Which teams should be invited to initial discovery workshops (select all that apply)? Options: Business service owners, CIO/Infrastructure, Risk & Compliance/CRO, Third‑party risk team, Legal/PR, Customer operations
      • What constraints should we be aware of before proposing integrations or automated data pulls (legal, vendor contracts, security approvals)?
      • Realistically, when could you provide the first batch of inventories and owner contacts for an initial mapping sprint? Options: Within 1 week, 1–2 weeks, 2–4 weeks, Longer than a month, Not sure
  2. Outcome Discovery

    Define target resilience outcomes, measurable impact tolerances, and the board acceptance criteria aligned to PRA/ECB/OCC expectations.

    Discovery Questions

    Start Here: What Brought Us Together

    • In one short paragraph, tell us what happened in the recent outage and who first flagged it
    • Which of the following best describe the immediate business impacts you observed? Options: Customer-facing downtime, Transaction failures/loss, Regulatory or examiner attention, Material reputational damage (press coverage), Increased call center volume, Other
    • How long were customer-facing services materially disrupted? Options: < 1 hour, 1–3 hours, 3–6 hours, 6–12 hours, > 12 hours
    • Which internal owners led the response to the outage? Options: COO, CRO, CIO, Head of Operational Resilience, Head of Third-Party Risk/Procurement, CISO, Business Unit Leader, Other
    • How urgent is the board’s request for a dependency map and quarterly scenario testing? Options: Immediate (weeks), Next quarter, Within six months, No firm deadline yet
    • What external reactions occurred after the outage (select all that apply)? Options: Media/press coverage, Regulatory inquiry/outreach, Internal audit review, Customer litigation/complaints, No external action yet, Other
    • If there’s one detail about that outage that still keeps you up at night, what is it?

    If This Happened Again, What Would Break?

    • How confident are you that there are no undocumented single points of failure across critical services? Options: Very confident, Somewhat confident, Not confident, We don't know
    • List any specific services, flows, or integrations you suspect rely on a single vendor, cloud region, or team
    • When you've run post-incident reviews, which recurring blind spots keep showing up?
    • Which types of dependency data are most incomplete or unreliable today? Options: Third-party supplier links, Application-to-database mappings, Network/topology maps, Operational runbooks, People/role ownership, Configuration & deployment records, Other
    • How often do you discover critical dependencies only during an incident or an ad hoc drill? Options: Never, Rarely, Occasionally, Often, Almost always
    • Who in your organization holds the tacit knowledge for complex payment flows—and is that knowledge documented and reachable? Options: Well documented & reachable, Documented but hard to reach, Known people but undocumented, Unknown
    • How does the prospect of hidden dependencies make you feel about your institution’s readiness?

    What the Board Will Actually Accept (Not What We Hope)

    • If the board asked you to defend one resilience metric next quarter, what would you pick—and would you be comfortable defending it to regulators?
    • Which regulatory frameworks are you prioritizing for alignment? Options: PRA (UK), ECB (EU), OCC/US Federal expectations, DORA, Local/national regulator, Multiple of the above
    • For your most critical customer-facing services, what maximum downtime would the board accept (choose closest)? Options: 15 minutes, 1 hour, 4 hours, 9 hours, 24 hours, Other
    • Which stakeholders must explicitly sign off on the board-ready resilience statement? Options: Board Risk Committee, COO, CRO, CIO, Head of Operational Resilience, Chief Legal/Compliance, Other
    • What specific evidence types does the board expect to see when evaluating resilience (pick all that apply)? Options: Scenario simulation results, Vendor attestations/SRAs, Operational telemetry and logs, Audit trails and timestamps, Playbook walkthroughs, Customer impact metrics
    • Describe a prior board conversation on resilience—what was the hardest, most uncomfortable question you were asked?

    How Your Impact Tolerances Were Born (and Whether They Hold Up)

    • When your impact tolerances were set, how much were they driven by data versus opinion or politics? Options: Mostly data-driven, Combination of data and judgment, Mostly opinion/optimistic assumptions, I don't know
    • Who in your organisation defined and approved the tolerance limits (roles and any committee names)?
    • Which quantitative metrics currently map to your impact tolerances? Options: Transactions lost, Revenue per hour, Customers affected, Time to restore, Service-level degradations, Other
    • Have any tolerances been revised after an incident or test? Please give one concrete example.
    • How do you believe regulators will challenge your chosen tolerances—what’s most likely to trigger pushback?
    • If we modeled a simultaneous cloud-region failure plus a key vendor outage, which tolerance would you expect to exceed first? Options: Availability/downtime, Transaction throughput, Revenue impact, Customer SLA breaches, Other

    Can You Measure What You Say You Want?

    • Can you produce tamper-resistant, time-stamped evidence that a scenario met board acceptance criteria today? Options: Yes, Partial (some evidence), No, Not sure
    • What primary sources of truth exist for dependencies and incidents today? Options: CMDB/asset inventory, Monitoring/observability, Incident management timeline, Vendor SLAs/contracts, Manual runbooks, None consolidated
    • How complete and current are your inventories of services, technologies, people, facilities, and third parties? Options: Highly accurate, Mostly accurate with gaps, Significant gaps, No consolidated inventory
    • Which telemetry or log sources are currently integrated into any resilience or incident view? Options: Cloud region health, Network metrics, Application performance, Third-party status/feeds, Security/event logs, None
    • What would it take—people, access, tooling—to create an auditable trail of scenario execution and outcomes?
    • Who in your organisation is responsible for collecting and presenting evidence to examiners today? Options: Head of Operational Resilience, CRO, CIO, Internal Audit, Compliance, No single owner / shared responsibility

    Imagine the Board’s Resilience Statement — Read It Aloud

    • If you had to read the board-facing resilience statement tomorrow, what would you be proud to say—and what would you avoid saying?
    • How often does the board expect scenario-testing evidence to be refreshed and presented? Options: Quarterly, Biannually, Annually, Ad hoc after major incidents
    • Which business services must absolutely appear in the annual resilience statement? Options: Payments, Lending, Claims, Customer onboarding/portal, Clearing/settlement, Trading, Other
    • What three KPIs would most convincingly show the board that resilience has improved?
    • What kind of governance cadence and named owners would make the board comfortable signing off year after year?
    • Which outcome—immediate risk reduction, regulatory alignment, or cultural change—matters most to you right now? Options: Immediate risk reduction, Regulatory alignment / exam readiness, Long-term cultural & process change, All equally

    What’s Getting in the Way — The Real Politics and Logistics

    • Which part of making this program regulator-proof do you secretly think will break first?
    • Select the barriers most likely to slow or derail delivery Options: Data access and quality, Vendor cooperation, Budget and headcount, Tooling & integration, Governance fatigue, Competing transformation priorities, Legal/contract constraints
    • Which internal teams are most likely to resist deep mapping and scenario testing? Options: IT/Engineering, Security, Business Units, Procurement/Third-party risk, Legal/Compliance, Operations
    • Have vendors ever refused to share architecture or dependency details when asked? Options: Yes — often, Sometimes/partially, No — they cooperate, We haven't asked
    • How realistic is it to secure necessary data access, telemetry, and vendor collaboration within 60 days? Options: Very realistic, Possible with effort, Unlikely, Impossible
    • What existing incentives, escalation paths, or executive levers can we use to get reluctant teams or vendors to comply?

    Which Services We Should Map First (Quick Wins vs. Mission Critical)

    • If you could prioritize five services to map and test next quarter, which would they be and why?
    • Select up to five services you’d prioritise now Options: Payments processing, Retail lending, Claims adjudication, Customer portal & mobile app, Wire transfers/FX, Treasury/clearing, Trading systems, Account opening/KYC
    • Which of those services has the highest third-party concentration or single-vendor exposure? Options: Payments processing, Retail lending, Claims adjudication, Customer portal, Treasury/clearing, Trading, Account opening/KYC, Unknown
    • Which services already have usable runbooks or continuity plans that we could build on? Options: Most, Some, Few, None
    • Would you be open to a focused pilot on one service to validate mapping, telemetry, and a regulator-aligned scenario run? Options: Yes — payments suggested, Yes — we suggest another service, Maybe, No
    • Who from your organisation must be actively involved in that pilot (roles and names if possible)?

    Deciding How Fast — Commitment and Timeline

    • If you had to promise the board a delivery date for a board-ready dependency map and a first scenario run, what would you commit to—and can you live with that promise? Options: 2 weeks, 1 month, 2 months, 3+ months, Unclear / need more info
    • What's the earliest your teams could provide consolidated inventories and access to run a pilot? Options: Immediately, 2–4 weeks, 1–2 months, 3+ months
    • Which internal approvals would we need before starting (select all that apply)? Options: Procurement, Security review, Legal sign-off, Data governance approval, Executive sponsor sign-off, None
    • Which stakeholders should receive weekly pilot updates? Options: COO, CRO, CIO, Head of Operational Resilience, Board Risk Committee, Internal Audit, Other
    • What budget, resource, or vendor constraints might prevent a rapid start?
    • If we can demonstrate a board-ready scenario this quarter, what specific outcome would be most valuable to you (e.g., regulator-prepared evidence, reduced downtime guarantee, clear remediation plan)?
  3. Solution Experience

    Run scenario-based exercises using the customer’s actual services, vendor concentrations, and technology dependencies to validate outcomes.

    Experience Meetings

    • Pre-Exercise Alignment
    • Scenario Design Workshop
    • Simulation Run Planning
    • Live Scenario Exercise
    • Post-Exercise Validation & Board Evidence Review
    • Confirm time-to-restore and other measurable metrics for reporting.
    • Environment & Data Access Confirmation
    • Ensure all technical and access prerequisites are satisfied for a controlled live run.
    • Lock the run-of-show with named owners for every inject, observation, and evidence capture point.
    • Agree communication protocols and rollback conditions to protect production and regulators' expectations.
    • Schedule and scope a dry run to validate readiness.
    • Provision and verify access to any test environments and confirm data masking where required.
    • Integrate and verify telemetry feeds into the evidence repository; run a quick sanity check capture.
    • Publish the final runbook with minute-by-minute timings, owner contact details, and rollback criteria.
    • Execute a scheduled dry run and document any deviations for correction prior to the live exercise.
    • Brief restatement of Preconditions & Success Criteria
    • Execute the scenario exactly to script and collect all artifacts required by the examiner-evidence checklist.
    • Validate whether outcomes meet CRO-defined impact tolerances and the agreed future-state.
    • Identify and document immediate critical gaps and their operational impact.
    • One-sentence Current State (facilitator read)
    • Assemble the raw evidence package (logs, timestamps, decisions, screenshots) and store in the secure evidence repository.
    • Document all deviations from the script with owner-assigned corrective actions and severity rating.
    • Produce an initial Incident/Exercise report within 48 hours summarizing outcomes and metrics.
    • Schedule follow-up root-cause analysis sessions for items flagged as critical.
    • Executive Summary of Outcomes
    • Produce a finalized examiner-evidence package and narrative ready for regulator review.
    • Agree a prioritized remediation roadmap with owners and timelines for closure of critical gaps.
    • Draft and sign-off a board-ready resilience statement and a quarterly testing cadence.
    • Establish governance cadence and who is accountable for regulatory reporting and board presentations.
    • Finalize and lock the examiner evidence pack and circulate to the COO/CRO/CIO/Head of Resilience for approval.
    • Publish the prioritized remediation roadmap with owners, deadlines, and acceptance criteria.
    • Produce the first draft of the board-ready resilience statement and schedule a board-risk-committee review.
    • Schedule the quarterly scenario testing calendar and confirm participants for the next iteration.
    • Produce a single, agreed current-state sentence capturing the outage, gaps, and who is impacted.
    • Surface and quantify the consequence so the exercise has urgency and measurable stakes.
    • Agree a single, measurable future-state outcome that scenarios must prove.
    • Confirm the initial scope of services, vendors, and data owners with named contacts.
    • Establish required pre-work, data deliveries, and a go/no-go checklist for the next meeting.
    • Author and circulate the one-sentence current-state and future-state statements for sign-off by COO/CRO/CIO/Head of Resilience.
    • Deliver inventories: critical services list, vendor concentration report, and available telemetry feeds to the project workspace.
    • Designate and confirm primary/backup contacts for service, vendor, and tech owners.
    • Provide high-level estimated impact metrics from the recent outage (hours, customer impact, press/regulatory notes) to quantify consequence.
    • Kickoff & Objectives
    • Define 1–3 prioritized, concrete scenarios that reflect actual service and vendor dependencies.
    • Translate CRO impact tolerances into pass/fail criteria for each scenario.
    • Specify the exact evidence package required to demonstrate compliance to examiners.
    • Assign scenario owners and agree a timeline for execution and dry-run.
    • Produce finalized scenario scripts including step-by-step injects, expected observable outcomes, and the telemetry sources for each success criterion.
    • List and acquire any missing telemetry or logs required to prove outcomes, with owner and due date.
    • Identify and document third-party contacts needed during the run and obtain their availability/consent.
    • Prepare the examiner-evidence checklist template for use during the live exercise.
    • Detailed Findings & Root Causes
    • Execute Scenario Phase 1 (Service Outage)
    • Critical Service Walkthrough
    • Telemetry & Evidence Pipeline
    • Explicit Consequence Statement
    • Run-of-Show & Timing
    • Examiner Evidence Package Review
    • Vendor Concentration & Single-Point Analysis
    • Immediate Validation Checkpoint
    • One-sentence Future State
    • Execute Scenario Phase 2 (Vendor/Region Concentration Failure)
    • Scope & Critical Services Confirmation
    • Communications & Stakeholder RACI
    • Failure Mode Brainstorm (targeted)
  4. Solution Scope

    Define which critical business services, underlying technologies, people, facilities, and third parties will be mapped, tested, and reported.

    Scope Configuration

    • Ingest CMDB, Asset, and Directory Feeds
    • Auto-Discover Service-to-Technology Dependencies
    • Map Business Services to People and Facilities
    • Map Third-Party Vendors and Concentration Points
    • Set Impact Tolerances per Critical Service
    • Build Testable Service Recovery Playbooks
    • Seed Synthetic Transaction Traffic for Tests
    • Orchestrate Controlled Failure Injection
    • Run End-to-End Scenario Simulations
    • Enable Continuous Dependency Drift Detection
    • Integrate Incident Management and Ticketing
    • Generate Regulatory-Ready Resilience Reports
    • Train Governance Teams on Platform Operations

    Scope Questions

    Ingest CMDB, Asset, and Directory Feeds

    • Do you want us to ingest your CMDB, asset inventory, and directory feeds? Options: Yes, No
    • Which feed types are available and should be ingested? Options: CMDB, Asset Inventory, Active Directory / LDAP, Cloud Inventory (AWS/Azure/GCP), Network Inventory, Other
    • What delivery mechanisms are available for those feeds? Options: API/REST, Database dump, CSV/Excel export, LDAP connector, SFTP, Other
    • How frequently do these feeds need to be refreshed for your resilience requirements? Options: One-time import, Daily, Weekly, Near real-time / streaming, Other
    • Approximately how many asset/service records should we expect to ingest? Options: Less than 1,000, 1,000–10,000, 10,000–100,000, 100,000+, Unknown
    • Are there access, compliance, or credential constraints (e.g., VPC-only access, encrypted exports) we should know about?

    Auto-Discover Service-to-Technology Dependencies

    • Do you want automated discovery of service-to-technology dependencies in scope? Options: Yes, No
    • Which runtime environments should discovery cover? Options: Production, Pre-prod / Staging, Disaster Recovery, Cloud (public), On-premises / private, Hybrid
    • Which data sources or tools can we integrate to assist discovery? Options: APM (e.g., Dynatrace, New Relic), Cloud provider APIs, Network flow/NetFlow, Service mesh traces, Telemetry agents, Other
    • Which discovery methods do you prefer or allow? Options: Agent-based discovery, Agentless (API/flow) discovery, Log/trace analysis, Manual mapping enrichment, Other
    • What accuracy or confidence threshold is required for automated dependency mappings? Options: High (>90%), Medium (70–90%), Low (<70%)
    • Are there known blind spots (e.g., legacy systems, shadow IT) we should plan to treat manually?

    Map Business Services to People and Facilities

    • Do you want business services mapped to named people and physical facilities? Options: Yes, No
    • Which business services should be considered critical and prioritized for mapping? Options: Payments, Lending, Claims / Payouts, Customer Onboarding, Market Data / Trading, Other
    • Who are the service owners and key contacts we should record for each critical service?
    • Which types of facilities should be included (e.g., data centers, office sites, co-locations)? Options: Data centers, Office locations, Co-location facilities, Cloud regions, Edge sites, Other
    • What personnel roles must be included (e.g., on-call resolver, application owner, vendor liaison)? Options: Service Owner, Application Support / Ops, Network/Infra, Third-party Manager, Business SME, Other
    • Are there privacy or personnel-related constraints on storing contact information (e.g., PII controls)? Options: Yes, No

    Map Third-Party Vendors and Concentration Points

    • Should third-party vendors and concentration points be mapped and prioritized? Options: Yes, No
    • Approximately how many external vendors will be in scope? Options: Less than 50, 50–200, 200–1,000, 1,000+, Unknown
    • Do you have vendor data available (contracts, SLAs, subprocessors, architecture diagrams)? Options: Contracts, SLA / performance data, Subprocessor lists, Technical dependency diagrams, Contact lists, None
    • Do you require concentration analysis across vendors (e.g., single provider for payments across multiple services)? Options: Yes, No
    • Are there regulatory-designated critical third parties or approved lists we must highlight? Options: Yes, No
    • Will you permit ingestion of vendor-provided telemetry or only contractual/metadata sources? Options: Vendor telemetry allowed, Only contractual/metadata, Restricted – requires approvals

    Set Impact Tolerances per Critical Service

    • Do you want us to facilitate setting impact tolerances (RTO, customer impact thresholds) for each critical service? Options: Yes, No
    • Who is the primary decision owner for impact tolerances? Options: CRO, COO, Business Owner, Resilience Head, Other
    • Which impact tolerance metrics do you require (select all that apply)? Options: Maximum outage duration (hours), Transaction loss tolerance, Customer impact percentage, Financial loss threshold, Regulatory breach threshold, Other
    • Should tolerances be aligned to specific regulator expectations (e.g., PRA, ECB/DORA, OCC)? Options: PRA, ECB / DORA, OCC, Other, None
    • Are there existing documented tolerances we should import or validate? Options: Yes, No
    • What acceptance criteria will the board require to approve tolerance levels?

    Build Testable Service Recovery Playbooks

    • Do you want playbooks created for each critical service that are executable during tests? Options: Yes, No
    • Which playbook formats do you prefer? Options: Step-by-step runbook, Automated orchestration scripts, Decision trees, Checklists, War-room communication scripts
    • What level of automation should playbooks support? Options: Manual processes only, Semi-automated with human approvals, Fully automated orchestration
    • Do playbooks need vendor coordination steps and vendor contact procedures included? Options: Yes, No
    • Who must approve and sign-off playbooks before they are used in tests? Options: Service Owner, COO, CIO, Resilience Head, Change Advisory Board, Other
    • Are there compliance or documentation standards (e.g., audit trail, versioning) required for playbooks? Options: Yes, No

    Seed Synthetic Transaction Traffic for Tests

    • Do you want synthetic transaction traffic generated for scenario testing? Options: Yes, No
    • Which transaction types should be simulated? Options: Payment transactions, Authentication / logins, Loan origination, Claims processing, API transactions, Other
    • What traffic volume profile do you want for tests? Options: Light (smoke), Moderate (normal daytime), High (peak), Stress / storm (above peak), Custom
    • Do you have masked or synthetic datasets available, or do we need to generate/test with anonymized production-like data? Options: Masked production data available, Need platform to synthesize data, Cannot use production data
    • Are there time windows or blackout periods where synthetic traffic is not permitted?
    • Do synthetic transactions need to be traced end-to-end and surfaced in reports for regulators? Options: Yes, No

    Orchestrate Controlled Failure Injection

    • Do you want controlled failure injection (chaos) as part of testing? Options: Yes, No
    • Which failure types should be orchestrated? Options: Service process crash, Network partition, Cloud region outage, Vendor API failure, Database failover, Other
    • What safety/guardrails must be enforced during failure injection? Options: Timeboxed tests, Canary rollout, Automated rollback, Approval gates, Monitoring and kill-switch
    • Are there regulatory, legal, or vendor contractual constraints that limit failure injection? Options: Yes, No
    • Who must approve each test run (roles or committees)? Options: COO, CRO, CIO, Resilience Head, Change Advisory Board, Other
    • Do you require dry-runs, canary phases, or escalation playbooks tied to failure injection? Options: Dry-run required, Canary required, Direct injection allowed with approvals, Other

    Run End-to-End Scenario Simulations

    • Should we run full end-to-end scenario simulations for mapped services? Options: Yes, No
    • What types of scenarios should be prioritized? Options: Single component failure, Compound failures (vendor + cloud), Simultaneous region outage, Regulatory exam scenario, Custom
    • Which internal and external participants must be invited to simulations? Options: Service Owners, IT Operations, Third-party contacts, Legal / Compliance, Business Continuity / Resilience Team, Board observers
    • What success criteria or KPIs define a passed simulation?
    • What evidence artifacts must be collected and retained for each simulation? Options: Telemetry traces, Transaction logs, Screenshots / recordings, Test transaction attestations, Sign-off forms
    • How often should end-to-end simulations be scheduled (frequency)? Options: One-off, Quarterly, Monthly, Ad-hoc as required

    Enable Continuous Dependency Drift Detection

    • Do you want continuous detection of dependency drift and configuration changes? Options: Yes, No
    • Which sources should feed drift detection? Options: CMDB / asset feeds, Network telemetry, Cloud inventories, Vendor update feeds, Direct agents / probes
    • What alerting sensitivity do you prefer for drift (trade-off false positives vs missed changes)? Options: High sensitivity (more alerts), Medium, Low sensitivity (fewer alerts)
    • Should detected drifts auto-create incidents or simply notify owners for review? Options: Auto-create incidents, Notify owners for manual review, Both
    • What reporting cadence is required for drift metrics (e.g., daily, weekly)? Options: Real-time / immediate, Daily summary, Weekly report, Monthly report, On-demand
    • Are there known expected changes (e.g., planned maintenance) that should be whitelisted? Options: Yes, No
  5. Mutual Commit

    Agree on deliverables, timelines, governance cadence, acceptance criteria, and regulatory reporting responsibilities.

    Agreement Modules

    • Statement of Work (SOW)
    • Master Services Agreement (MSA)
    • Service Level Agreement (SLA) / Performance Metrics
    • Implementation Timeline & Milestones
    • Pricing & Payment Schedule
    • Data Processing Agreement (DPA) & Security Addendum
    • Regulatory Reporting & Examiner Evidence Plan
    • Governance Cadence & RACI
    • Acceptance Criteria & Handover Checklist
    • Change Control & Scope Adjustment Agreement
    • Third-Party Access & Vendor Integration Agreement
    • Testing Authorization & Scenario Sign-Off
    • Escalation & Incident Response Integration
    • Post-Deployment Support & Renewal Terms
    • Confidentiality & Non-Disclosure Agreement (NDA)
    • Audit & Compliance Support Addendum
    • Termination & Exit Plan
  6. Deployment

    Operationalize rollout with readiness checks, enablement, and outcome validation.

    1. Pre-Deployment Readiness

      Confirm data access, inventories, integrations, owners, and test environments are prepared for mapping and scenario execution.

      Readiness Questions

      Quick Snapshot — Who's in the Room?

      • Which role are you answering these questions for? Options: COO / Program owner, CRO / Impact tolerance owner, CIO / Technology owner, Head of Operational Resilience, Board risk lead, Other (please specify)
      • Which best describes your organisation? Options: Large global bank, Large regional bank, Major insurance company, Specialist financial services firm, Holding company / conglomerate, Other (please specify)
      • Briefly describe the recent outage that triggered this work (services affected, public impact, duration).
      • Who formally owns the resilience programme and which roles are expected to be engaged in delivery? (pick all that apply) Options: COO / Programme owner, CRO / Risk owner, CIO / Tech owner, Head of Operational Resilience, Head of Third‑Party Risk, Legal / Compliance, Other — specify
      • What is the immediate board ask or regulatory trigger we should prioritise in this engagement? Options: Full dependency map for all critical services, Quarterly scenario testing cadence, Board-ready resilience statement, Remediation plan for gaps identified, Other — specify

      If This Happens Again, What Breaks First?

      • If another nine-hour outage hit tomorrow, what would materially change about customer trust, market confidence, or regulator scrutiny?
      • How concerned are you that undocumented single points of failure exist in your critical services? Options: Extremely concerned, Very concerned, Somewhat concerned, Not concerned / confident
      • Which areas do you suspect are the most fragile right now? (select all that apply) Options: Third‑party vendor concentration, Cloud / region dependencies, Data availability and integrity, People / role single points, Physical facilities, Configuration and change management, Other — specify
      • Tell us about any regulator interactions, supervisory findings, or near misses related to resilience in the last 24 months.
      • How does this threat feel politically inside your organisation—an urgent executive priority, a board crisis, or a longer-term program? Options: Immediate board crisis, Executive priority with deadlines, Operational program workstream, Compliance checkbox / low priority

      Where the Data Lives — Can We Map It?

      • Imagine we attempted a full dependency map tomorrow and key inventories were missing—whose problem would that be and what would likely happen?
      • Do you have an authoritative, single-source inventory of critical business services today? Options: Yes — centralised and maintained, Partial — service lists exist but fragmented, No — spreadsheets / local lists only, Not sure
      • Which primary systems currently hold the data we’ll need to map dependencies? (select all that apply) Options: CMDB / ITSM, Vendor registry / third‑party portal, Business unit spreadsheets, GRC platform, Cloud provider consoles (AWS/Azure/GCP), HR / org charts, Other — specify
      • What access method would we most likely use to ingest data from each source? (pick all that apply) Options: API (preferred), Database read / SQL, SFTP / file drops, Manual CSV upload, No direct access — would need extraction by your team, Unsure
      • Who are the nominated data stewards or owners responsible for inventories, and how reachable are they for mapping work?

      Integration Reality Check — Can We Execute Scenarios?

      • What would stop us from executing a realistic scenario against your live topology this quarter?
      • Do you have non‑production environments that faithfully mirror production for testing? Options: Yes — production parity for key services, Partial — some services mirrored, No — little to no parity, Unsure / need help assessing
      • Are there contractual, privacy, or regulatory constraints that limit what data or vendor behaviours we can simulate? Options: Yes — significant constraints, Some constraints but manageable, No constraints, Unsure — need legal review
      • Who provides authorisation for simulated outages, data extracts, or vendor testing (select all that apply)? Options: Business unit owner, CIO / IT security, Legal / Compliance, Third‑party vendor, Board or executive sponsor, Other — specify
      • What telemetry or monitoring feeds can we integrate to validate scenario outcomes? (e.g., APM, network, vendor SLAs)

      People, Governance, and the Clock — Who Moves Fast?

      • If regulators requested evidence in 30 days, could your team produce a defensible dependency map and one scenario test report? Options: Yes — confident, Maybe — with focused support, No — would need more time, Unsure
      • Please list the core team members (name, role, % availability) who will be allocated to the pilot phase.
      • What governance cadence is realistic for delivery (select the cadence your leadership expects)? Options: Weekly delivery / steering, Biweekly, Monthly, Quarterly, Ad hoc as needed
      • Are there fixed external deadlines we must align to (regulatory exam date, board meeting, public disclosure)? Please specify dates.
      • Which internal KPIs or success metrics will convince the board that this solution is working? Options: Reduction in undocumented dependencies, Quarterly scenario pass rate, Evidence package completeness for exams, Reduced mean time to recovery estimates, Other — specify

      What 'Board‑Ready' Actually Means to You

      • When you imagine a board‑ready resilience statement, what would make you feel confident handing it to the board?
      • Which formats of evidence are mandatory for your board/regulator? (select all that apply) Options: Executive summary / slide pack, Detailed dependency maps, Scenario test logs and timelines, Runbooks and remediation actions, Raw telemetry extracts, Other — specify
      • Which regulatory frameworks or examiner expectations must we explicitly align to for your institution? Options: UK PRA, ECB / DORA, US OCC, Local regulator, Internal audit, Other — specify
      • What acceptance thresholds or impact tolerances are already defined versus what still needs to be set? Options: Fully defined and approved, Drafts exist, Not defined, Don't know — need support
      • Who must formally sign off the final resilience statement and evidence package? Options: COO, CRO, CIO, Head of Operational Resilience, Board risk committee, Other — specify

      Hidden Costs, Politics, and What Breaks the Plan

      • What's the single internal objection that could stop deployment even if the technical work is flawless?
      • Which teams are most likely to resist deeper dependency mapping and why? (select all that apply) Options: Infrastructure / Cloud, Application owners, Third‑party management, Legal / Compliance, Business units, Other — specify
      • Have previous cross‑functional programmes failed because of resource shortages, procurement delays, or conflicting priorities? Tell us one short example.
      • Are there procurement, licensing, or budget cycles we must align to before we begin work? Options: Yes — specific window, Yes — flexible within quarter, No constraints, Unsure
      • Are employee privacy, union rules, or data residency concerns likely to affect our ability to ingest or simulate data? Options: Significant impact, Some impact but manageable, No impact, Unsure — need legal review

      What Would Make You Say Yes — The Minimal Viable Win

      • If we removed your top three obstacles in the next 30 days, what specific deliverable would make you sign off on a pilot?
      • Which pilot scope would you prefer as the fastest route to board confidence? Options: Single critical business service (end‑to‑end), Bundle of 3–5 high‑risk services, Technology stack / third‑party focused pilot, Enterprise discovery pilot
      • What is an acceptable timeline to complete an initial pilot and present board‑ready results? Options: 2–4 weeks, 1–2 months, 3 months, Longer than 3 months
      • Who must be present on the decision call to approve the pilot (name or role)?
      • Are there any immediate compliance or legal steps you want us to begin before technical work (SLA reviews, DPA amendments, NDAs)? Options: Yes — start now, Yes — but after scoping, No immediate steps, Unsure — ask legal
    2. Deployment Enablement

      Execute the mapping, integrate vendor and telemetry feeds, and schedule initial scenario runs with clear owners and timelines.

    3. Validation Checklist

      Run regulator-aligned scenario tests, verify impact tolerance thresholds, document evidence for examiners, and close critical gaps.

      Validation Questions

      Opening: A Quick Snapshot

      • Which role are you completing this with today? Options: COO, CRO, CIO, Head of Operational Resilience, CISO, Legal/Compliance, Other
      • Briefly describe the outage that prompted this program — what failed, when, and for how long?
      • Which customer-facing services were most visibly impacted? Options: Payments processing, Online banking/web portal, Mobile apps, Loan origination, Claims processing, Customer support/contact centre, ATM/POS services, Other
      • How quickly did leadership treat this as an operational resilience issue and who was assigned program ownership? Options: Immediately — COO owned, Within 24 hours — COO/Resilience lead, Within a week — CIO-led, Multiple owners/steering group, No single owner yet, Other
      • What regulatory or examiner engagement has followed the incident (tick all that apply)? Options: PRA inquiry (UK), ECB / DORA engagement (EU), OCC / US supervisory contact, Informal regulator questions, Public enforcement or fine, None yet, Other
      • What timeline do you have in mind to produce a board-ready resilience statement? Options: Immediate (<30 days), 1–3 months, 3–6 months, 6–12 months, No timeline yet

      If This Happens Again, Who's Going to Answer?

      • Who will be on the hook if a similar outage results in an examiner finding — and are those people prepared to defend the record today?
      • Please confirm the primary decision roles and owners for the resilience program. Options: COO, CRO, CIO, Head of Operational Resilience, Legal/Compliance, Procurement, Vendor Management Office, Other
      • How do the COO, CRO, CIO and Head of Resilience currently coordinate—formal governance, periodic check-ins, or ad-hoc? Options: Formal governance committee (regular), Monthly alignment meetings, Ad-hoc when issues arise, Siloed handoffs across functions, Other
      • Who is responsible for setting and signing off on impact tolerances within your organisation? Options: CRO, COO, Board/Board Risk Committee, Regulatory/Compliance, Cross-functional committee, Not yet assigned
      • When there’s disagreement on tolerances or protections, how are trade-offs resolved and recorded?
      • How would the executive team feel if they had to publicly account for unresolved third‑party concentration after the next outage? Options: Confident and prepared, Uneasy but capable, Very uncomfortable, Prefer not to speculate

      Where the Maps Stop and the Unknown Starts

      • Which critical services could you not fully trace end‑to‑end if an examiner asked for a complete dependency map tomorrow? Options: Payments processing, Card acquiring / gateway, Settlement/clearing, Customer authentication, Loan origination, Claims adjudication, Other
      • List the top three vendors, platforms or cloud regions where you suspect there may be undocumented single points of failure.
      • Do you maintain a central, searchable inventory of technology components, third parties and facilities that can be used to build dependency chains? Options: Yes — live automated inventory (CMDB integrated), Yes — manual spreadsheets, Partial — fragmented sources, No central inventory
      • Which data sources are unreliable or missing when you try to stitch together service→technology→vendor dependencies? Options: CMDB / asset inventory, Vendor contracts and SLAs, Network / topology maps, Application ownership records, Telemetry / logs, Cloud tenancy mappings, None — all present
      • How often is your dependency mapping refreshed and who signs off on updates? Options: Continuous / automated, Weekly, Monthly, Quarterly, Ad-hoc / infrequently
      • Tell us about a specific incident where an undocumented dependency caused escalation — what lingered and why?

      When Regulators Knock, What Will They See?

      • What is the single most likely gap an examiner would flag in your current resilience program?
      • Which regulatory frameworks does your resilience program aim to satisfy? Options: PRA / UK operational resilience, ECB / DORA, OCC / US guidance, Local/national regulators, Multiple jurisdictions, Unsure
      • How are impact tolerances defined today—by service, by customer cohort, by transaction, or not formally defined? Options: By critical business service, By customer segment/class, By transaction type, Not formally defined, Other
      • Do you have documented acceptance criteria and evidence templates that would satisfy a regulator’s request? Options: Yes — evidence templates and packs ready, Partial — templates only, No — nothing formalised, Unsure
      • When was the last regulator-focused review of your resilience controls or reporting? Options: Within 3 months, 3–12 months ago, >12 months ago, Never
      • Who in your organisation would be the named owner for examiner-facing evidence and submissions? Options: Head of Operational Resilience, Legal / Compliance, CIO, CRO, External consultant, Multiple owners

      Do Your Scenarios Mirror Reality — Or Your Paper Plans?

      • When you run scenario tests, do they simulate compound, real-world failures (e.g., a cloud-region outage plus a vendor outage) or do you run simplified checklists? Options: Realistic compound scenarios, Mostly idealised tabletop checklists, We don’t run scenario tests, Hybrid / some realistic, some checklist
      • Which actual services and vendor telemetry feeds are included in your current scenario runs? Options: Payments platform, Core banking systems, Primary cloud provider, Identity & authentication providers, Third-party payment gateway, Network/telemetry feeds, None
      • How do you validate that scenario outcomes meet your declared impact tolerances (e.g., automated metrics, executive sign-off)? Options: Automated quantitative metrics, Executive / CRO sign-off, Narrative post-mortem, No formal validation, Other
      • Have you ever run a live scenario against production‑like services (not just synthetic test data)? If yes, what did you learn?
      • How often do you conduct cross-functional exercises that include business owners, tech teams and key third parties? Options: Monthly, Quarterly, Bi-annually, Annually, Never
      • What currently prevents you from running realistic, high‑impact scenarios more frequently? Options: Risk of customer impact, Lack of test environment / integrations, Vendor contractual limits, Governance objections, Resource constraints, Other

      What Would 'Board‑Ready' Sound Like?

      • If the Board asked you to prove payments resilience in one slide, what key element would you be missing right now?
      • Which metrics would most convince the Board—pick all that apply? Options: Time-to-recover (RTO) vs tolerance, % of customers affected, Estimated financial impact, Vendor concentration score, Testing cadence & outcomes, Regulatory compliance status
      • Does the Board require quarterly scenario testing results and a formal resilience statement as a condition of acceptance? Options: Yes — formal requirement, Yes — informal expectation, Not currently required, Unsure
      • How do you typically present resilience evidence to the Board today—dashboards, slides, narrative, live demo, or other? Options: Dashboards, Slide decks, Narrative reports, Live simulation demo, Ad-hoc emails or memos, Other
      • What would make the Board stop asking for more detail—standardised evidence packs, live demos, third‑party attestation, or regulatory confirmation? Options: Standardised evidence pack, Live demo of scenario, Third-party attestation, Regulatory sign-off, Other
      • How comfortable are you with the current level of transparency to the Board about unresolved resilience gaps? Options: Very comfortable, Somewhat comfortable, Uncomfortable, Prefer to limit disclosure

      What Would It Take to Close the Critical Gaps?

      • What would you be willing to change—process, budget, vendor terms, or architecture—to remove a material single point of failure within 90 days? Options: Re-architect service, Add redundancy/alternate vendor, Renegotiate vendor contracts/SLA, Increase monitoring and telemetry, Not prepared to change within 90 days, Other
      • What internal resources can you commit to mapping, testing and evidence collection (FTE count, SMEs, budget)? Options: Dedicated team & budget, Shared resources across functions, Ad-hoc SME availability, Rely on external partner, No resources available
      • Which governance cadence would be most effective for you—weekly runbooks, monthly execution reviews, or quarterly board-ready reporting? Options: Weekly execution stand-ups, Bi-weekly working group, Monthly governance review, Quarterly board reporting, Other
      • What contractual or procurement barriers with third parties limit scenario testing or telemetry sharing today?
      • How do you define success for a resilience improvement—fewer outages, faster recovery, improved regulator feedback, or reduced customer impact? Options: Faster recovery (RTO), Fewer incidents, Positive regulator feedback, Reduced customer complaints/impact, Cost reduction, Other
      • If we proposed a time‑boxed pilot to validate one payment service end‑to‑end in 30 days, what would need to be true for you to greenlight it?

      Ready, Set, Validate

      • Can you currently run a regulator‑aligned scenario and produce examiner‑grade evidence with your existing tools? Options: Yes — ready now, Partially — needs automation or templates, No — cannot with current toolset, Unsure
      • Which types of evidence do you capture today during tests? Select all that apply. Options: System logs and traces, Telemetry dashboards (metrics), Third‑party attestations or reports, Video or session recordings, Playbooks and step notes, None
      • Do you have test environments that reliably mirror production for the services you must validate? Options: Full mirrored environments, Partial / subset mirrors, Sandbox or feature flags only, No production-like environments, Unsure
      • Who is expected to sign off that a test met impact tolerances and that evidence is exam-ready? Options: CRO, Head of Operational Resilience, COO, Board Risk Committee representative, Legal / Compliance, Multiple signatories
      • What typical inhibitors stop you from closing evidence gaps after a test—time, data access, vendor cooperation, or competing priorities? Options: Lack of time / capacity, Insufficient data access, Vendor cooperation limits, Tooling gaps, Competing business priorities, Other
      • If we delivered a validation checklist that mapped each board acceptance criterion to specific evidence artifacts, what single feature would be most valuable to you?
      • When would you like to schedule an initial discovery workshop to capture the critical-service map and run a baseline scenario? Options: Immediately, Within 2 weeks, 2–6 weeks, 2–3 months, Unsure
  7. Success

    Establish quarterly scenario-testing cadence, produce the board-ready resilience statement, and maintain a shared channel for issues and improvements.

    Success Reviews

    • Quarterly Scenario Cadence Planning
    • Scenario Execution & Post-Test Review
    • Board Resilience Statement Workshop
    • Regulatory Evidence & Examiner Readiness
    • Shared Channel Governance & Continuous Improvement Forum

    Issues & Enhancements

    • Assign owners for each examiner question and confirm who will brief regulators if engaged.
    • Assign remediation owners and agree timelines and retest triggers where needed.
    • Extract 2–3 immediate process improvements to reduce friction in future tests.
    • Evidence custodian to compile and store the test artifact bundle in the shared channel and mark it as 'board-ready' within 3 business days.
    • Assigned owners to provide remediation plans with deadlines and validation steps within 7 business days.
    • Platform team to flag any telemetry or mapping gaps and propose fixes within 5 business days.
    • Resilience lead to update the quarterly playbook based on lessons learned and circulate before the next run.
    • One-line Current State for the Board
    • Produce a final draft of the board resilience statement with mapped evidence for each claim.
    • Agree the internal approval workflow and sign-off timeline so the Head of Resilience can present to the board.
    • Create a minimal examiner Q&A and external communications outline linked to the statement.
    • Head of Resilience to finalize the board statement draft and attach evidence map within 3 business days.
    • General Counsel and Communications to review wording and submit comments within 4 business days.
    • COO to confirm approval pathway and date for board presentation within 5 business days.
    • Evidence Inventory (Current State)
    • Produce a regulator-aligned evidence pack template and index for quarterly submission.
    • Current State Recap
    • Identify high-priority evidence gaps and remediation deadlines to meet supervisory expectations.
    • Compliance to publish the regulator checklist mapped to evidence pack template within 4 business days.
    • IT to ensure evidence storage meets access and retention controls and report back within 7 business days.
    • Assigned SME owners to draft short, evidence-backed answers to top 10 examiner questions within 5 business days.
    • Channel Purpose & Stakeholders
    • Agree a governed shared channel with clear triage rules, SLAs, and owners to prevent governance fatigue and ensure timely remediation.
    • Define a continuous-improvement cadence that converts test findings into prioritized fixes and platform enhancements.
    • Establish the minimal KPI set and dashboard locations for ongoing visibility to executives and the board.
    • Operations lead to create the channel with pinned triage playbook, naming conventions, and access list within 2 business days.
    • Resilience lead to publish the SLAs and onboarding runbook and schedule a 30-minute onboarding drop-in for participants.
    • Analytics to build a one-page dashboard for the agreed KPIs and deliver a first version within 10 business days.
    • Establish an approved quarterly testing calendar with named owners for each run.
    • Agree on scenario types and prioritization aligned to recent outage lessons and regulatory focus.
    • Define clear acceptance criteria and required evidence for board/regulator reporting.
    • Confirm pre-test artifact list and platform outputs required for each scenario.
    • Platform team to publish template of required evidence artifacts and sample scenario output within 5 business days.
    • COO/CRO to approve the quarterly calendar and named owners within 7 business days.
    • IT/CIO to validate availability of telemetry and test environments for scheduled dates within 10 business days.
    • Operational resilience lead to circulate finalized scenario taxonomy and pre-work checklist to stakeholders within 3 business days.
    • Test Summary (Current State)
    • Confirm whether the scenario met impact-tolerance acceptance criteria and capture definitive test outcome.
    • Assemble and validate the evidence pack required for board and regulator review.
    • Consequence Framing
    • Regulatory Consequence Mapping
    • Regulatory Expectation & Consequence Boilerplate
    • Immediate Consequences Observed
    • Triage & Prioritization Process
    • Assemble Standardized Evidence Pack (Proof)
    • SLAs & Response Times
    • Define the Future-State Statement
    • Define Future State for Cadence
    • Evidence Package Walkthrough (Proof)
    • Backlog, Roadmap & Continuous Improvement Cadence
    • Scenario Taxonomy & Priority
    • Examiner Q&A Rehearsal
    • Map Evidence to Claims (Proof)
    • Gap Analysis & Root Cause
    • Schedule & Owner Assignment
    • Metrics & Dashboards
    • Retention, Access & Audit Trail
    • Remediation Plan & Retest Criteria (Future State)
    • Approval Criteria & Governance
    • Acceptance Criteria & Evidence Requirements
First-Party AI

1-2 minutes please — Your AI agent is working

First-Party AI™ can make mistakes. Always check important information.