Introduction
As part of Ryt Bank's ongoing efforts to enhance operational resilience and risk preparedness, this section outlines the existing and planned measures for treating and controlling potential crisis scenarios.
The Crisis Risk Assessment (CRA) framework categorises threats based on their nature, ranging from natural disasters and technological failures to organisational misdeeds and reputational crises.
Each threat is mapped against a four-pronged risk treatment approach: risk avoidance, risk reduction, risk transference, and risk acceptance.
This systematic analysis allows Ryt Bank to:
- Mitigate the likelihood of crises materialising,
- Minimise potential impact on operations, customers, and stakeholders, and
- Ensure regulatory compliance with Bank Negara Malaysia and PIDM guidelines.
By identifying existing controls and additional planned controls, this chapter supports decision-making for investment in further resilience measures. It serves as a critical foundation for business continuity, crisis response, and enterprise risk management.
Note for BCM Institute course participants: the table below is the template for completing "Part 2: CRA – Treatment and Control."
Part 2: CRA – Treatment and Control for Ryt Bank
| Threat | Existing Risk Treatment – Risk Avoidance | Existing Risk Treatment – Risk Reduction | Existing Risk Treatment – Risk Transference | Existing Risk Treatment – Risk Acceptance | Existing Controls | Additional (Planned) Controls |
|---|---|---|---|---|---|---|
| Flood (Denial of Access – Natural Disaster) | Not locating data centres in flood-prone areas | Implement flood sensors and drainage systems at the premises | Insurance coverage for property damage | Accepted for non-critical remote offices | Elevated server rooms, DR site in low-risk zones | Cloud-first strategy with geo-redundancy |
| Power Outage (Technological) | Avoid single power source dependency | Install UPS and backup generators | Utility failure insurance | Accepted for low-priority sites | Dual power feeds in Tier 3 DC | Expand solar-powered failover solutions |
| Cyberattack – DDoS (Malevolence) | Avoid the use of unsecured public APIs | Implement WAF, rate-limiting, and DDoS mitigation tools | Cyber liability insurance | None | 24/7 SOC monitoring, incident response playbook | Advanced AI-driven traffic analysis |
| Pandemic (Unavailability of People) | Shift to full remote operations during the outbreak | Enforce hygiene SOPs, flexible working policies | Health insurance, COVID-specific riders | Yes, limited to minor roles | Vaccination programs, remote access VPN | Formal pandemic-resilience workstream |
| Vendor Cloud Outage (Disruption to Supply Chain) | Multi-cloud architecture to avoid vendor lock-in | SLA governance, regular testing of failover | Transfer risk via contractual penalties | Yes, for short-term disruption | Redundancy with backup cloud providers | Explore the on-prem hybrid fallback option |
| Riot/Civil Unrest (Denial of Access – Man-made) | Avoid leasing offices in high-risk zones | Real-time alerts, security vendor engagement | Property damage insurance | Accepted for HQ access delays | Evacuation SOPs, remote work protocol | Hardened physical access and guard patrols |
| Industrial Action (Confrontation) | Engage in regular staff dialogues and union consultation | HR escalation matrix, performance engagement | Legal coverage via labour advisors | Partially accepted in low-skill segments | Employee grievance channel, staff surveys | Workforce sentiment monitoring AI |
| Phishing Attack (Malevolence – Social Engineering) | Block suspicious domains and unauthorised email servers | Cybersecurity training, phishing simulations | Third-party cyber response partners | Accepted at a minor exposure level | DKIM, SPF, DMARC protocols | Voice biometrics for high-risk transactions |
| Profit Over Ethics (Org Misdeeds – Skewed Values) | Avoid a culture driven solely by aggressive growth KPIs | Integrate ethics into performance appraisals | Compliance insurance, board audit committee | None | Corporate Code of Conduct | Whistleblower hotline revamp and board review |
| Concealed Breach (Org Misdeeds – Deception) | Avoid non-disclosure by enforcing a transparency policy | Legal training for compliance staff | D&O insurance | None | Disclosure guidelines under Bank Negara rules | Implement a real-time breach detection dashboard |
| Bribery or Corruption (Org Misdeeds – Misconduct) | Strict anti-bribery policy and KYC due diligence | Internal audit rotation and integrity checks | Insurance under the financial crime umbrella | None | MACC compliance policy, HR legal audit | AI fraud detection in procurement workflow |
| Workplace Violence | Avoid volatile HR cases with robust hiring vetting | De-escalation training, emergency response protocol | Legal indemnity and staff insurance | Yes, in low-likelihood roles | Staff reporting mechanism, HR mediation | Crisis counselling access and mental health leave |
| Fake News / Viral Rumours | Avoid an information vacuum by proactive comms | Monitor social media trends, rapid response team | Crisis PR agency retainer | Yes, minor reputational impact accepted | Media SOP, verified Twitter/X alerts | Deploy AI for early rumour detection |
| Liquidity Crunch (Lack of Funds) | Maintain above-minimum capital reserves | Stress testing, real-time liquidity dashboards | Transfer risk via interbank borrowing and capital buffers | Yes, within tolerable financial ratios | PIDM protection, board oversight | Establish a contingency funding plan |
| Haze / Pollution (Natural Factors) | Avoid non-essential on-site presence during haze | Equip offices with air purifiers and N95 distribution | Not applicable | Yes, operational continuity is acceptable | Haze SOP, remote work fallback | Air quality app integration for staff alerts |
Legend
- Risk Avoidance: A strategy to prevent the risk from occurring entirely.
- Risk Reduction: Minimise the likelihood or impact through controls.
- Risk Transference: Shift impact to third parties (e.g., insurers).
- Risk Acceptance: Tolerating the risk as part of the business strategy.
- Existing Controls: Measures already implemented.
- Additional Controls: Planned improvements and new initiatives.
Conclusion
The comprehensive treatment and control strategies outlined in this section reflect Ryt Bank’s proactive approach to managing a wide range of crisis scenarios relevant to a digital banking environment.
Each identified threat is aligned with pragmatic mitigation strategies that incorporate best practices from financial sector risk management and the BCM Institute frameworks.
This assessment not only documents current preparedness levels but also highlights gaps and areas for improvement that will inform future enhancements.
Ryt Bank’s commitment to digital innovation must be matched by equally robust crisis and risk management capabilities to ensure uninterrupted services, maintain customer trust, and comply with regulations.
Moving forward, the identified additional controls will serve as the basis for implementing roadmaps, conducting internal audits, and performing regular stress testing. Continuous review and refinement of these controls will be essential to building long-term resilience in a dynamic and high-risk digital financial ecosystem.
Crisis Management Blueprint for Ryt Bank
eBook 3: Starting Your Crisis Management Implementation