Safeguarding Digital Finance: Boost Bank's Approach to Business Continuity Management
Part 2: RAR – Treatment and Control
Introduction
This chapter outlines the Risk Assessment Review (RAR) – Treatment and Control measures adopted by Boost Bank Malaysia to address critical threats that may impact its business continuity.
As a digital bank operating throughout Malaysia, Boost Bank is exposed to various operational, environmental, technological, and human-related risks.
These threats, if left unaddressed, may disrupt essential banking services, erode customer trust, and result in financial and reputational losses.
Following the identification of threats in Part 1: RAR – List of Threats, this section evaluates the existing and planned strategies used to manage each threat under four key risk treatment approaches: Risk Avoidance, Risk Reduction, Risk Transference, and Risk Acceptance.
In addition, this chapter highlights the current controls Boost Bank has in place and proposes additional measures to enhance resilience across its digital and physical infrastructures.
The methodology used aligns with the best practices from BCM Institute and BCMpedia, ensuring a structured approach to threat mitigation and continuity planning.
The following table for Boost Bank Malaysia, Part 2: RAR – Treatment and Control, is based on the BCMpedia template. It covers five applicable threats from Part 1 (List of Threats), aligned with Boost Bank’s digital and physical operations across Malaysia.
| Threat | Existing Risk Treatment – Risk Avoidance | Risk Reduction | Risk Transference | Risk Acceptance | Existing Controls | Additional (Planned) Controls |
| --- | --- | --- | --- | --- | --- | --- |
| Denial of Access – Natural Disaster (e.g., flood, earthquake) | Identify and avoid high-risk physical locations | 🗸 Elevated office floors, flood barriers, and data centre redundancy | Insurance coverage for physical assets and business interruption | – | Site selection criteria, building standards, DR site in low-risk zone | Real‑time flood/fire sensors; remote‑work drill during disasters |
| Denial of Access – Man‑made Disaster (e.g., fire, riot) | Avoid high-crime neighbourhoods; restrict public access | 🗸 Fire suppression, blast-resistant glass, and access control | Property & business interruption insurance | – | CCTV, card access, fire alarms, and evacuation plans | Hardened perimeter, community outreach, and alternate office site |
| Unavailability of People (staff illness, pandemic) | Remote work policy: avoid centralised teams | 🗸 Cross‑training, split teams, and remote infrastructure | Health insurance, payroll insurance | – | VPN, collaboration platforms, backup personnel pool | Health monitoring, mental health support, and automated shift rotation |
| Disruption to Supply Chain (e.g., banking hardware/software failures) | Avoid single-supplier dependence | 🗸 Dual providers for software, on-site spare hardware | SLAs & vendor contracts; insurance for delivery failure | – | Contractual vendor SLAs, periodic supplier review, spare inventories | Onshore backup vendors, contractual penalty clauses |
| Equipment and IT‑Related Disruption (e.g., server outage, cyber‑attack) | Avoid unsupported or outdated tech | 🗸 Patching, endpoint protection, and asset lifecycle management | Cyber insurance, outsourced SOC services | – | IDS/IPS; access controls; daily backups; network segmentation | Real‑time threat intel, nightly DR drills, next-gen EDR deployment |
Breakdown & Assumptions
- Threat column mirrors the Category of Threats in RAR Part 1.
- Risk Avoidance reflects “stop the threat before it exists” (e.g., not opening in flood zones).
- Risk Reduction includes technical measures like redundancy, patches, and cross-training.
- Risk Transference uses insurance or contractual protection.
- No Risk Acceptance was ticked, assuming Boost Bank has a low tolerance for these major threats.
- Existing Controls list current safeguards aligned to each treatment type.
- Additional Controls are recommended for future enhancements to strengthen resilience.
Summing Up ...
Boost Bank Malaysia’s proactive approach to risk treatment and control demonstrates its commitment to safeguarding operational continuity and customer trust. By implementing a combination of risk avoidance, reduction, and transference strategies—while minimising reliance on risk acceptance—the bank has established a strong foundation for responding to potential disruptions.
The controls currently in place provide significant protection against identified threats such as natural disasters, man-made incidents, IT-related disruptions, and personnel unavailability. However, the evolving risk landscape necessitates ongoing investment in additional controls such as real-time threat detection, remote work resilience, and enhanced supplier risk management.
This chapter serves as a living document to support continuous improvement in Boost Bank’s business continuity strategy, ensuring that the institution remains resilient, responsive, and reliable in the face of adversity.