[CM] [RYT] [E1] [C9] Pre-Crisis - Risk Identification and Crisis Preparedness

Chapter 9

Purpose of the Chapter

This chapter aims to equip Ryt Bank’s crisis management team with the foundational steps to strengthen its organisational resilience through proactive crisis identification and preparedness activities.

Grounded in the principles of ISO 22361, this section outlines a structured approach to understanding and preparing for potential crises before they escalate into disruptive events.

Readers will learn how to systematically identify risks, assess vulnerabilities, and prepare effective response strategies that are critical to safeguarding stakeholders, maintaining trust, and protecting Ryt Bank’s digital-first operational model.

Identifying Potential Crises Affecting Digital-First Financial Institutions

Ryt Bank, operating entirely on a digital platform, faces a unique risk landscape that is distinct from that of conventional banking institutions. With no physical branches and a fully cloud-based infrastructure, the bank must consider a broad spectrum of potential crises, including:

• Cybersecurity Breaches: Unauthorised access to digital infrastructure, phishing attacks, and ransomware incidents.
• Technology Failures: Disruption in cloud services, software bugs, or failure of third-party tech providers.
• Reputation Crises: Social media backlash, public complaints, or service outages damaging public trust.
• Regulatory Non-Compliance: Failure to comply with Bank Negara Malaysia and the Ministry of Finance regulations.
• Financial Crime and Fraud: Online identity theft, fraudulent transactions, or digital money laundering schemes.
• Third-Party and Ecosystem Risk: The bank's dependency on partners, such as Sea Ltd or payment processors, increases its exposure to external incidents.

The risk identification process should involve regular horizon scanning, industry benchmarking, and input from cross-functional teams, including legal, compliance, cybersecurity, customer service, and IT operations.

Crisis Risk Assessment and Categorisation

Once potential crises have been identified, they must be assessed for their likelihood and impact. Using ISO 22361-aligned risk assessment tools, Ryt Bank can apply a risk matrix approach to prioritise scenarios requiring urgent attention. The categorisation process should distinguish between:

• Strategic Risks: Events that threaten Ryt Bank’s long-term positioning or stakeholder confidence (e.g., massive data breach).
• Operational Risks: Events that disrupt day-to-day banking functions (e.g., digital service outage).
• Compliance Risks: Failures to meet regulatory obligations (e.g., delayed reporting or lapses in AML controls).
• Reputational Risks: Incidents that erode customer or investor trust (e.g., customer data exposure or negative media coverage).

Risk categorisation also helps in mapping escalation protocols, crisis team activation thresholds, and the type of response needed for each category.

Scenario Planning and Contingency Planning

Scenario planning enables Ryt Bank to stress-test its preparedness across a range of plausible crises. Each scenario should simulate how a specific threat evolves, who it affects, and how the organisation should respond. Examples include:

• A coordinated cyberattack locked out customers from mobile and web platforms.
• Regulatory penalties resulting from compliance oversights are often tied to third-party vendors.
• A viral social media campaign accused the bank of discriminatory lending practices.

Each scenario should result in the development of contingency plans that outline alternative processes, failovers, or manual workarounds to be deployed in the event of a disruption, thereby sustaining critical functions. Plans must be living documents that are regularly reviewed, updated, and tested through tabletop exercises and simulated drills.

Early Warning Systems and Crisis Indicators

Effective crisis preparedness requires the implementation of early warning systems (EWS) that detect deviations from normal operational baselines. These systems serve as tripwires, providing the crisis team with lead time to assess and intervene before issues escalate. Examples include:

• Cybersecurity Dashboards track intrusion attempts, unusual access patterns, or malware detection.
• Customer Sentiment Analysis,  powered by AI, to detect spikes in complaints or negative online sentiment.
• Performance Monitoring Tools for App Uptime, Transaction Processing Delays, and API Failures.
• Regulatory Risk Alerts are issued when internal audits reveal inconsistencies or potential compliance breaches.

Ryt Bank should establish crisis indicators that map to predefined thresholds for escalation. These indicators should feed into the bank’s centralised incident management platform, providing real-time decision support and enabling the crisis management team to transition quickly into a response posture when necessary.

Summing Up ...

A well-prepared organisation anticipates crises well in advance of their occurrence. For Ryt Bank, a digital-only financial institution with a rapidly growing user base and unique exposure to digital risk, the Pre-Crisis phase is not optional—it is a strategic necessity.

By investing in structured risk identification, prioritisation, planning, and detection mechanisms, Ryt Bank strengthens its ability to act swiftly, protect stakeholders, and uphold public trust in moments of disruption.

This chapter lays the foundation for the subsequent stages of crisis response and recovery, ensuring that when the unforeseen happens, Ryt Bank is ready not only to survive but to lead with resilience.