[BCM] [CGC] [E3] [PD] [CBF] [1] Risk Assessment and Guarantee Issuance

Business Continuity Recovery Procedure

CBF 1: Risk Assessment and Guarantee Issuance

The Risk Assessment and Guarantee Issuance (CBF-1) function is one of the most critical operations within Credit Guarantee Corporation Malaysia (CGC), serving as the foundation for evaluating creditworthiness, structuring financial guarantees, and supporting access to financing for eligible borrowers.

Given its importance to CGC’s mandate and its direct impact on stakeholders, uninterrupted performance of this function is essential, even during a crisis or disruption.

This chapter outlines the Business Continuity Recovery Procedure developed specifically for CBF-1. It provides a structured, phased approach to ensure operational resilience, minimise downtime, and safeguard client trust.

Covering all essential phases — from preparedness before a crisis, to resumption within the first 24 hours, and full recovery thereafter — the procedure guides CGC’s staff in executing timely, coordinated, and compliant responses to any disruption.

It also aligns with CGC’s broader Business Continuity Management (BCM) strategy and regulatory obligations, ensuring that this core function can continue supporting Malaysia’s financial ecosystem even in the most challenging circumstances.

Pre-Crisis: Preparedness Phase

Objective: To proactively prepare people, processes, and systems to ensure the resilience and readiness of the CBF-1 Risk Assessment and Guarantee Issuance function in the face of potential disruptions.

1. Process and Documentation Preparedness

• SOP Development and Maintenance

  • Ensure that all Standard Operating Procedures (SOPs) for sub-processes (1.1 to 1.8) are fully documented, reviewed semi-annually, and approved by management.
  • Include manual workarounds for critical tasks in the SOPs to ensure continuity if systems are unavailable.

• Process Mapping and Dependencies

  • Maintain a detailed process map of all CBF-1 activities, highlighting interdependencies with other departments (e.g., Legal, IT, Compliance).
  • Identify process bottlenecks and establish mitigation controls for each.

• Template and Form Standardisation

  • Ensure standardised templates for credit assessments, guarantee issuance forms, and approval checklists are readily available in both soft and hard copy formats.
  • Store critical forms in secured, shared folders accessible by the recovery team.

2. Personnel and Role Preparedness

• Recovery Team Identification

  • Assign a Business Continuity Focal Person (BCFP) for CBF-1 and nominate alternates.
  • Create a recovery team roster with clearly defined roles, responsibilities, and contact information.

• Training and Cross-Training

  • Conduct quarterly BCM training for CBF-1 team members, including scenario-based exercises.
  • Cross-train backup personnel for each sub-CBF function to ensure continuity of expertise.

• Call Tree and Contact List

  • Maintain an up-to-date call tree with primary, secondary, and tertiary contacts.
  • Test communication cascades biannually to ensure staff responsiveness during an emergency.

3. IT and Systems Preparedness

• System Redundancy and Backups

  • Ensure high availability for critical applications such as:
    • Guarantee Management System (GMS)
    • Credit Risk Evaluation Tools
    • Customer Relationship Management (CRM) system
    • Document Management System (DMS)
  • Perform daily automated backups with weekly off-site transfers.
  • Test backup restoration quarterly to confirm data integrity.

• Disaster Recovery Testing

  • Include CBF-1 systems in semi-annual Disaster Recovery (DR) tests conducted by the IT department.
  • Ensure documented test results, remediation actions, and BCM team sign-offs are archived for compliance.

• Alternate Access Protocols

  • Equip recovery team members with secure laptops and VPN access to enable remote work.
  • Ensure multi-factor authentication and cybersecurity protocols are enforced.

4. Infrastructure and Workspace Preparedness

• Alternate Worksite Arrangements

  • Secure alternate workspace for the recovery team, complete with network connectivity, workstations, and access to core systems.
  • Conduct regular drills to familiarise staff with the alternate site.

• Remote Work Enablement

  • Test remote access capabilities monthly to ensure uninterrupted remote operation.
  • Ensure recovery staff have access to encrypted cloud-based tools and business applications.

5. Stakeholder Communication and Coordination

• Client Communication Plans

  • Develop and pre-approve templates for disruption notices, FAQs, and response protocols.
  • Ensure the ability to mass-communicate with clients via SMS, email, or website alerts.

• Regulatory Coordination

  • Maintain an escalation protocol for informing regulatory bodies (e.g., Bank Negara Malaysia) in the event of prolonged disruptions to guarantee issuance.

• Vendor and Partner Readiness

  • Assess third-party readiness and BCM capabilities, especially for credit evaluation tools, courier services (for physical documents), and outsourced due diligence partners.
  • Include vendors in joint simulation exercises annually.

6. Testing and Continuous Improvement

• Tabletop and Simulation Exercises

  • Conduct at least two simulation exercises per year to validate the recovery plan and identify gaps.
  • Include realistic disruption scenarios such as cyber-attacks, natural disasters, and application failures.

• Audit and Compliance

  • Integrate BCM preparedness into the internal audit framework.
  • Ensure all findings are addressed with corrective and preventive actions (CAPA) logged and monitored.

• Documentation Updates

  • Review and update all BCM documentation, including the recovery procedures, business impact analysis (BIA), and risk assessments, every 12 months or after significant organisational changes.

By maintaining comprehensive pre-crisis preparedness across people, processes, systems, and infrastructure, Credit Guarantee Corporation Malaysia can ensure the continuity and resilience of its CBF-1 Risk Assessment and Guarantee Issuance function, even in the face of significant disruptions.

Within T+24 Hours (RESUMPTION Phase)

Objective: To restore and resume the most essential and time-sensitive components of the Risk Assessment and Guarantee Issuance function within 24 hours of the incident. The goal is to minimise disruption to business operations, preserve service delivery, and maintain client trust.

1. Immediate Activation of the BCM Response Plan

• Trigger Activation Protocols

  • The BCM Team, upon confirmation of disruption severity, activates the Business Continuity Plan (BCP) for CBF-1.
  • Notify the Head of Risk, Head of Operations, and CEO of plan activation.

• Establish Command Structure

  • Appoint the CBF-1 Business Continuity Focal Person (BCFP) as the Incident Coordinator for the function.
  • Convene the Recovery Team and assign immediate tasks via virtual or alternate-site briefings.

• Incident Logging and Documentation

  • Initiate an incident log to record actions, decisions, and timelines.
  • Collect evidence and document impacts for future reporting and audit requirements.

2. Enable Emergency Work Environment

• Transition to Alternate Site or Remote Mode

  • If the primary location is unavailable, relocate to the designated alternate site.
  • Enable secure VPN access for authorised recovery personnel working remotely.
  • Ensure communication platforms (email, Teams/Zoom, intranet) are operational.

• Set Up Core Work Capabilities

  • Provide emergency workstations or laptops pre-loaded with essential applications (GMS, CRM, DMS).
  • Ensure data access through mirrored backup systems or cloud solutions.

3. Restore Critical Sub-CBF Activities

Resume only time-sensitive and priority-level operations from the eight sub-processes to stabilise essential business functions.

1.1. Application Intake

• Set up a dedicated email inbox or secure online form to receive new applications.
• Acknowledge receipt of applications within 2–4 hours of submission.
• Assign intake officers to categorise and tag high-priority cases (e.g., government-sponsored programs, pre-approved applications).

1.2. Preliminary Eligibility Check

• Manually screen applications using preloaded offline eligibility checklists.
• Temporarily bypass non-essential eligibility filters to expedite the processing of priority applications.

1.3. Credit Risk Assessment

• Use available historical data, CRM insights, and previous assessments to conduct rapid, high-level credit assessments.
• Utilise spreadsheets or hardcopy templates if assessment tools are unavailable.

1.6. Approval Process

• Establish an emergency virtual approval board (via Zoom or MS Teams) for real-time decision-making.
• Use pre-approved delegated authority to expedite approvals without full board consensus when necessary.
• Track and document all decisions made under emergency procedures for later validation.

4. Stakeholder and Client Communication

• Client Communication

  • Send initial disruption advisory to all active clients, highlighting temporary procedures and estimated service resumption times.
  • Provide contact details for dedicated recovery support lines or email helpdesks.

• Internal Communication

  • Send updates to all staff involved in CBF-1 activities regarding resumption progress and task delegation.
  • Provide staff with FAQs and talking points to ensure consistent messaging.

• Regulatory Notification

  • Notify Bank Negara Malaysia (BNM) and other relevant authorities if regulatory timelines or service delivery KPIs will be impacted.
  • Issue interim compliance reports if required.

5. Temporary Workarounds and Mitigations

• Manual Processing

  • Implement manual tracking logs for applications, assessments, and approvals.
  • Use shared folders (cloud-based or physical) to store scanned forms and checklists.

• Contingency Tools

  • Activate simplified credit scoring tools hosted on alternate platforms if the main system is down.
  • Use mobile data collection and communication tools for field verification, where applicable.

6. Ongoing Monitoring and Reporting

• Real-Time Monitoring

  • Monitor resumption activities via recovery dashboards or manual trackers updated every 2 hours.
  • Log and escalate any incidents of delay, failure, or deviation from procedure.

• Progress Reporting

  • Submit resumption status reports to the BCM Team and Management every 6 hours until full recovery begins.
  • Flag unresolved risks or bottlenecks for escalation.

By implementing this structured Within T+24 Hours (RESUMPTION) plan, Credit Guarantee Corporation Malaysia ensures that the most essential aspects of CBF-1 Risk Assessment and Guarantee Issuance can continue under emergency conditions, protecting both client service standards and corporate reputation during the critical early phase of a disruption.

After T+24 Hours (RECOVERY Phase)

Objective: To fully restore all functions of the Risk Assessment and Guarantee Issuance process after the initial resumption. This includes the reactivation of normal workflows, resolution of service backlogs, system restoration, and the reinstatement of quality and compliance standards across all sub-CBF activities.

1. Stabilise Work Environment and Resources

• Restore Normal Work Locations

  • Transition staff back to the primary office once it is declared safe and operational by Facilities and BCM teams.
  • Decommission alternate site operations and consolidate all work materials.

• Review Staff Availability and Well-Being

  • Confirm availability of key personnel for full-time operations.
  • Provide wellness check-ins and psychological first aid where necessary.
  • Reassign additional personnel to high-demand tasks to manage the workload.

• IT Infrastructure Validation

  • Conduct a full system health check of core platforms:
    • Guarantee Management System (GMS)
    • Credit Scoring Tools
    • Document Management System (DMS)
    • Customer Relationship Management (CRM)
  • Confirm data integrity, accessibility, and performance of recovered systems.

2. Resume Full Sub-CBF Operations

With critical operations stabilised, resume all pending and deferred tasks across the eight sub-processes:

1.4. Site Visits / Due Diligence (if required)

• Schedule and perform on-site visits or virtual inspections for applications that were deferred during the resumption phase.
• Coordinate with field teams and external partners to expedite site reporting.

1.5. Guarantee Structuring

• Resume full analysis of appropriate guarantee structures (e.g., amount, tenure, terms).
• Include credit enhancements or tailored risk-sharing options as per client profiles.

1.7. Issuance of Guarantee

• Process all approved guarantees into the system.
• Generate official documents with digital signatures and email/PDF distribution, where physical delivery is not yet restored.
• Coordinate with banks and partners to inform them of the issuance status.

1.8. Post-Issuance Monitoring Setup

• Reinstate automated monitoring mechanisms (e.g., performance alerts, financial statement tracking).
• Assign monitoring officers to onboard new accounts into post-issuance oversight tools.

3. Manage Operational Backlogs

• Backlog Identification

  • Classify all incomplete or deferred cases by urgency, application type, and regulatory importance.
  • Use a prioritisation matrix to address critical or time-sensitive files first (e.g., government-linked loan schemes).

• Taskforce Deployment

  • Establish dedicated recovery task forces to:
    • Clear application backlogs
    • Complete pending risk assessments
    • Process previously delayed approvals
  • Extend work hours or run dual shifts if necessary.

• Client Notifications

  • Inform clients of expected timelines for their cases.
  • Provide dedicated touchpoints for escalations or service recovery queries.

4. Quality Assurance and Compliance Reinforcement

• Revalidation of Emergency Decisions

  • Audit all credit assessments and approvals made during the resumption phase for policy adherence.
  • Rectify any deviations found and document justification for emergency measures.

• Data Reconciliation

  • Compare data entries from manual logs with recovered system data to identify gaps or errors.
  • Ensure all applications, approvals, and guarantees issued during the disruption are properly entered into official systems.

• Regulatory Reporting

  • Submit post-incident reports to Bank Negara Malaysia (BNM) or other regulatory bodies as required.
  • Include summaries of service outages, recovery steps taken, and corrective measures.

5. Lessons Learned and Plan Enhancement

• Post-Mortem and Incident Debrief

  • Conduct structured debrief sessions with the CBF-1 recovery team, IT, BCM office, and department heads.
  • Discuss response timelines, coordination effectiveness, communication issues, and unforeseen challenges.

• Update Recovery Documentation

  • Revise SOPs, recovery playbooks, and contact lists based on recovery experience.
  • Incorporate changes into the Business Continuity Plan (BCP) and ensure staff are briefed on updates.

• Train and Drill

  • Schedule follow-up drills or refresher courses to reinforce recovery skills and test updated procedures.
  • Share lessons learned across departments to improve cross-functional resilience.

6. Rebuild Confidence and Reputation

• Stakeholder Engagement

  • Issue communications to reassure clients, financial partners, and internal stakeholders of full-service restoration.
  • Highlight the robustness of CGC's continuity framework to reinforce trust and credibility.

• Client Support Follow-Up

  • Offer additional support or advisory services to clients significantly impacted during the disruption.
  • Conduct surveys or gather feedback to understand their experience and identify improvement areas.

By fully executing the After T+24 Hours (RECOVERY) phase, Credit Guarantee Corporation Malaysia ensures that its CBF-1 Risk Assessment and Guarantee Issuance function is not only restored to pre-disruption levels but also reviewed, improved, and reinforced against future risks. This structured recovery phase plays a crucial role in preserving operational integrity, client confidence, and regulatory compliance in the long term.

Summing Up ...

The recovery of the Risk Assessment and Guarantee Issuance function during a disruption is pivotal to maintaining CGC’s operational continuity, stakeholder confidence, and public trust.

By following the structured procedure detailed in this chapter — encompassing pre-crisis preparation, immediate resumption, and comprehensive post-crisis recovery — CGC ensures that this essential function can remain effective, compliant, and client-focused under all conditions.

This Business Continuity Recovery Procedure not only enables the organisation to withstand disruptions but also reinforces CGC’s commitment to service excellence and financial stability. Regular testing, updating, and staff training will ensure that the recovery plan remains relevant, responsive, and robust in the face of evolving threats.

 

 

Resilience Redefined: Implementing BCM at Credit Guarantee Corporation Malaysia
eBook 3: Starting Your BCM Implementation
MBCO	P&S	RAR T1	RAR T2	RAR T3	BCS T1	CBF
CBF 1: Risk Assessment and Guarantee Issuance
DP	BIAQ T1	BIAQ T2	BIAQ T3	BCS T2	BCS T3	PD

 

More Information About Business Continuity Management Courses

To learn more about the course and schedule, click the buttons below for the  BCM-300 Business Continuity Management Implementer [BCM-3] and the BCM-5000 Business Continuity Management Expert Implementer [BCM-5].

	Please feel free to send us a note if you have any questions.