[OR] [BDCB] [E2] [C5] Developing Strategy and Roadmap

Chapter 5

Develop Strategy and Roadmap

1. Purpose and Objectives

The Develop Strategy and Roadmap stage serves as the critical bridge from understanding where BDCB stands today (current state) to defining where it wants to be (target future state) in terms of operational resilience. Objectives include:

• Translating assessment findings into clear, prioritised strategic actions
• Ensuring alignment with BDCB's mandate, regulatory obligations, national priorities, and risk appetite
• Structuring deliverables into phased, sequenced initiatives—a roadmap—with clear timelines, responsibilities, and success metrics
• Embedding flexibility to adjust to evolving threats or regulatory developments

2. Inputs to This Stage

From previous phases, BDCB brings in:

• Resilience Gap Assessment: identified weaknesses (e.g., insufficient redundancy in key systems, outdated incident response plans)
• Business Impact Analysis (BIA): prioritised critical functions (payment systems, liquidity management, supervision operations) and their tolerances for disruption
• Threat and Vulnerability Analysis: mapped scenarios (cyber incidents, natural disasters, technology failures) that could impair those functions
• Relevant Policy and Regulatory Requirements: e.g., national resilience directives, international central bank standards, expectations of ASEAN central banks

3. Strategic Framework & Principles

Before mapping specific initiatives, BDCB defines guiding strategic principles such as:

• Continuity-First Design: ensure critical services—real-time gross settlement, currency operations—can continue within tolerance thresholds
• Defence-in-Depth: layering resilience measures in prevention, detection, response, and recovery
• Scalability & Flexibility: designing solutions that can scale with evolving technology (e.g., digital currency infrastructure)
• Collaboration & Communication: ensuring plans integrate with national crisis mechanisms (e.g., Prime Minister’s Office, national cybersecurity centres), and with financial sector peers
• Continuous Improvement: embedding testing, review, and learning loops

4. Translate Gaps into Strategic Initiatives

BDCB translates each gap into strategic initiatives, for example:

5. Prioritise Initiatives

BDCB adopts a Prioritisation Matrix, evaluating each initiative by:

• Impact on Critical Functions
• Effort/Cost
• Strategic Importance / Regulatory Driver
• Time Sensitivity

For instance, enhancing data connectivity redundancy may be high impact and moderate cost, thus a top priority. Setting up a backup operations site may be high cost yet vital—placed as medium-term but essential.

6. Develop the Roadmap

BDCB composes a multi-phase roadmap, perhaps structured as:

• Phase 1 (0–6 months):
  • Enhance dual network connectivity for payment systems
  • Update Business Continuity Plan with remote-work capabilities
  • Establish Incident Command governance structure
• Phase 2 (6–18 months):
  • Launch resilience testing program (quarterly drills)
  • Begin design and planning of geographic backup operations centre
  • Integrate third-party dependency resilience (i.e., vendors, cloud providers)
• Phase 3 (18–36 months):
  • Construct and operationalise a backup centre
  • Conduct full failover and recovery tests, including external stakeholders
  • Institutionalise a cycle of annual review and updates

Each roadmap element includes:

• Timeline (start, finish, milestones)
• Ownership (e.g., IT Resilience Unit, Operations Division, Risk & Compliance)
• Dependencies (e.g., vendor contracts, budget approval, cross-agency coordination)
• Budget Estimates
• Key Performance Indicators (KPIs) (e.g., Recovery Time Objective met in drill, number of successful remote-work transitions, resilience test scores)

7. Resource Allocation & Governance

BDCB ensures:

• Budget is allocated per phase—e.g., initial funding for connectivity upgrades, followed by capital for backup site construction.
• Governance structure: a Steering Committee (senior executives across IT, Risk, Operations, Finance) oversees progress, reviews KPIs, and authorises shifts.
• Regular reporting to the Board, perhaps quarterly, on roadmap progress, issues, and adjustments.

8. Communication & Stakeholder Engagement

To support implementation:

• Internal Communications Plan: training staff and executives on updated BCP, platform changes, and roles in incident response
• External Coordination: engaging with the Ministry of Finance, national digital resilience bodies, and financial institutions—to align exercises, share insights, and possibly access shared infrastructure
• Public Messaging: ensuring stakeholder confidence by highlighting BDCB’s proactive resilience journey (e.g., high-level press release following a major milestone)

9. Build in Review, Learning & Iteration Loops

BDCB embeds:

• Post-exercise After-Action Reviews (AARs): capturing lessons from drills, identifying improvement opportunities
• Annual Roadmap Review: adjusting timelines and priorities based on evolving threats (e.g., rising cyber threat landscape), policy changes (e.g., central bank digital currency program), or operational changes
• Dashboard & KPIs Monitoring: e.g., percentage of resilience initiatives on schedule, drill performance metrics
• Governance Reassessment: updating roles and decision-making structures as the organisation matures in resilience capability

10. Example Narrative for Implementation Flow

Scenario: During the Gap Assessment, BDCB discovered that its payment systems had only a single network provider. A cyber-attack or outage that takes down that network would halt interbank settlements—an unacceptable risk.

• Strategic Initiative: Implement dual-homed network connectivity via two independent telecommunications providers.
• Phase 1 (0–6 months):
  • Issue Request for Proposal (RFP), procure redundant connectivity
  • Configure firewalls and routers for failover capabilities
  • Conduct failover tests to validate reliability
• Ownership: IT Infrastructure Team (lead), supported by Procurement and Risk Management
• KPI: 99.99% uptime in simulated outage; automatic fail-over within 60 seconds; Passenger-bank reconciliation times unchanged
• Governance: Monthly status updates to the IT Steering Committee
• Post-Implementation: Include redundant link in quarterly resilience drill; update BCP documentation; report to Board

Meanwhile, for remote-work BCP enhancement:

• Strategic Initiative: Enable key operations staff to work securely from home during disruptions (e.g., floods, pandemics).
• Phase 1 (0–6 months): Procure secure VPN infrastructure; provision encrypted laptops; train staff.
• Phase 2 (6-18 months): Conduct full-scale remote-work drill; measure performance against critical timeliness KPIs; identify issues (e.g., bandwidth bottlenecks) and remediate.
• Governance & Communication: The BCP Committee oversees, and staff are briefed through internal channels. After the drill, AAR captures observations, roadmap is updated accordingly.

11. Summary & Transition to Next Phase

By completing the Develop Strategy and Roadmap stage, BDCB achieves:

• A clear, actionable resilience strategy aligned with priorities
• A phased implementation plan with ownership, timelines, budgets, and metrics
• Communication and governance structures to manage execution
• Embedded mechanisms for learning, adaptation, and continuous improvement

This sets the stage for the next phase (often the “Implement” or “Execute” phase), where BDCB begins putting the roadmap into operational effect—deploying solutions, conducting tests, and monitoring outcomes.

Summing Up ...

The "Develop Strategy and Roadmap" chapter for BDCB's Operational Resilience Planning Methodology underscores how strategic translation of assessments into concrete actions—organised into a sequenced roadmap, backed by governance and continuous-learning loops—drives the bank’s transformation toward a more robust and responsive operational posture.

	Operational Resilience at BDCB: A Strategic Implementation Guide
	"Plan" Phase of the Operational Resilience Planning Methodology
	C2	C3	C4	C5	C6	C7

OR Planning Methodology Phases		Plan	Implement	Sustain

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.

 

More Information About Blended Learning OR-5000 [BL-OR-5] or OR-300 [BL-OR-3]

To learn more about the course and schedule, click the buttons below for the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.

	If you have any questions, click to contact us.