[OR] [BDCB] [E2] [C18] Providing Self-Assessment

Chapter 18

 Provide Self-Assessment – Sustain Phase

Introduction

The Provide Self‑Assessment stage is a pivotal component of the Sustain phase in Brunei Darussalam Central Bank’s (BDCB) Operational Resilience Planning Methodology.

As operational environments evolve and new risks emerge, continuous evaluation ensures that resilience strategies remain effective and aligned with the Bank’s objectives.

This stage empowers BDCB to systematically assess the robustness of critical functions, identify gaps, and prioritise improvements, enabling proactive management of operational disruptions.

By implementing structured self‑assessment practices, the Bank strengthens its capacity to maintain essential services, safeguard financial stability, and uphold public trust.

The stage also fosters a culture of accountability and continuous improvement, reinforcing resilience across all levels of the organisation.

Purpose

The self-assessment stage enables BDCB to evaluate its operational resilience posture continuously—benchmarking strengths, identifying gaps, and directing improvements to ensure long-term robustness and adaptability.

1. Define Assessment Objectives & Scope

Implementation Steps

• Clarify the goals—e.g., “Evaluate the resilience of critical payment infrastructure,” or “Assess readiness for cyber-attack incidents.”
• Define the scope—systems, processes, departments (e.g., monetary operations, licensing, payment services).

Example

Assess BDCB’s Centralised Statistical System (CSS) resilience under stress—this system automates licensing and renewals and is critical for supervisory operations at BDCB.

2. Establish Governance & Oversight Mechanism

Implementation Steps

• Constitute a cross-functional resilience committee (e.g., IT, operations, risk, legal, cybersecurity).
• Set regular reporting lines to the Managing Director or Board.

Example

In the context of cyber resilience, coordinate with BruCERT (Brunei Computer Emergency Response Team), which handles national IT security and incident response

3. Select Self-Assessment Frameworks and Tools

Implementation Steps

• Leverage recognised frameworks (e.g., ISO 22301 for business continuity, NIST CSF, or sector-specific toolkits).
• Tailor them using BDCB’s context and regulatory environment.

Example

Use BDCB’s interface with the Regional Payment Connectivity (RPC) initiative: test cross-border payment continuity and connectivity under scenarios like system outages or regional disruptions

4. Map Critical Functions and Dependencies

Implementation Steps

• Catalogue core functions (e.g., monetary policy operations, liquidity facilities, supervision, payment systems).
• Identify interdependencies: internal (IT infrastructure, staff roles) and external (MAS for currency interchange, RPC consortium, supply chains).

Example

Map dependency of liquidity provisioning on the CSS and on external counterparties—especially given BDCB’s currency board arrangement with Singapore and reciprocal collateral arrangements with MAS

5. Assess Current Resilience Maturity

Implementation Steps

• Evaluate per function—define maturity levels (e.g., “ad hoc,” “structured,” “optimised”).
• Use indicators—e.g., frequency of BCP tests, time to recover CSS availability, and recent incident metrics.

Example

If BDCB has not recently tested CSS failover under simulated cyber-attack scenarios, maturity is “ad hoc” in that domain. If system redundancy exists and BCP is tested annually, maturity is “structured.”

6. Conduct Scenario-Based Testing (Self-assess via Simulations)

Implementation Steps

• Design realistic stress scenarios—e.g., cyber-attack on CSS, mass failure of RPC connectivity, or systemic liquidity shock.
• Simulate internally or via tabletop exercises; involve IT, operations, external partners (e.g., MAS, RPC members).

Example

A cyber-incident simulation where CSS is taken offline; assess the ability to continue licensing operations manually or via backup channels. Engage BruCERT and IT teams in the exercise

7. Document and Analyse Findings

Implementation Steps

• Record gaps, strengths, and weaknesses across categories: people, process, technology.
• Categorise by risk severity and regulatory alignment.

Example

If the simulation reveals reliance on a single data centre or an absent manual override for licensing, these become flagged gaps needing mitigation.

8. Report Results to Stakeholders

Implementation Steps

• Prepare concise, actionable reports for senior leadership and relevant departments.
• Include metrics, gaps, risk matrices, and recovery capacity indicators (RTO, RPO).

Example

The report shows that the CSS licensing operation RTO is 24 hours, but the target should be <4 hours, prompting infrastructure or procedural enhancements.

9. Develop and Prioritise Remediation Actions

Implementation Steps

• For each identified gap: define remediation steps, timelines, and accountable owners.
• Examples of actions: infrastructure upgrades, BCP updates, staff training, policy revisions.

Example

• Implement a secondary failover location for CSS (IT).
• Conduct annual resilience drills with MAS or RPC counterparts (operations).
• Update BCP to reflect cyber-attack response processes (risk/legal).‌

10. Implement & Track Progress

Implementation Steps

• Roll out remediation plans.
• Track via dashboards and review regularly to ensure closure of identified gaps.

Example

Quarterly dashboard showing CSS redundancy implementation, successful BCP drills, and training completion status.

11. Continuous Improvement Loop

Implementation Steps

• Schedule recurring self-assessments—annually or semi-annually.
• Adjust framework based on emerging risks, e.g., AI threats, climate-related disruptions, or digital payment expansions.

Example

Explore AI-driven threat detection in operations, learning from strategic AI integration in financial regulation or account for future resilience needs tied to growing digital payment infrastructure and RPC expansion.

Summary Table: Self-Assessment Steps

Example in Practice: CSS Resilience Self-Assessment

• Scope: CSS availability and recovery under an ICT-related incident.
• Governance: Led by Deputy Managing Director (Monetary Operations/Development & International), with IT, Risk, and External Affairs participation.
• Framework: Basic BCP aligned with ISO 22301.
• Dependencies: Internal servers, network devices, upcycled IT donated to IBTE (reflects IT asset availability) external coordination with MAS.
• Scenario: Simulate a ransomware attack, disabling CSS—test switchover to backup and manual processing.
• Findings: No recent failover test; a manual process exists, but slow.
• Report: CSS RTO 12 hours vs target 4 hours.
• Remediate: Procure cloud standby, conduct quarterly drills, and train operations.
• Track: Dashboard updates quarterly.
• Next cycle: Include AI-led threat detection systems in self-assessment

Final Thoughts

The Provide Self-Assessment stage serves as the keystone of the Sustain phase—ensuring that BDCB understands, measures, and evolves its operational resilience posture in an ever-changing environment.

This chapter lays out a clear roadmap: from defining objectives, mapping dependencies, surveying maturity, and testing robustness, all the way through remediating gaps and embedding a culture of continual enhancement.

Summing Up ...

The Provide Self‑Assessment stage concludes the sustainment of operational resilience by converting insights into actionable improvements.

Through well‑defined objectives, governance, scenario-based testing, and structured reporting, BDCB can accurately measure its operational strengths and vulnerabilities.

The findings from these assessments guide the remediation of gaps, refinement of processes, and enhancement of preparedness, ensuring that critical functions remain reliable under varied disruption scenarios.

By embedding regular self-assessments into its operational practices, the Bank not only strengthens its resilience posture but also cultivates a culture of continuous improvement and vigilance, ensuring that it remains adaptable and robust in the face of emerging challenges.

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.