
Assessing Capability and Maturity

Written by Moh Heng Goh | Jan 21, 2026 9:12:37 AM

Assess Capability and Maturity

(Part of the “Plan” Phase in Operational Resilience for Metrobank)

Introduction

Operational resilience is a critical component of AmBank Malaysia’s strategic risk management approach.

As part of the “Plan” phase in its Operational Resilience Planning Methodology, the “Assess Capability and Maturity” stage is essential for understanding the bank’s current resilience posture, identifying gaps, and prioritising improvements.

This chapter outlines the key steps in assessing capability and maturity, along with relevant implementation examples.

Step 1: Define the Scope of the Assessment

Before assessing operational resilience, AmBank must clearly define the scope of the assessment, considering:

  • Critical Business Services – Services that, if disrupted, would significantly impact customers and financial stability.
  • Operational Functions – Processes, systems, and resources supporting critical services.
  • Third-Party Dependencies – External vendors and partners that are essential to operations.

Example

AmBank prioritises real-time payment processing and digital banking services as critical business services, ensuring the assessment focuses on the key operational and IT functions supporting them.

Step 2: Establish an Operational Resilience Maturity Model

Incorporating the seven-level Operational Resilience Maturity Model from the BCM Institute into AmBank Malaysia’s assessment framework provides a more nuanced evaluation of the bank’s resilience capabilities. Below is the adapted model:

Level 0: Ad-hoc

Characteristics
  • Absence of a formal approach to operational resilience.
  • Lack of established processes or controls to manage disruptions.

Requirements
  • Implement basic controls to address potential disruptions.
  • Raise staff awareness regarding the organisation’s expectations for resilience.

Example

AmBank has no documented procedures for handling unexpected IT system outages, resulting in inconsistent, reactive responses when they occur.

Level 1: Reactive

Characteristics
  • Operational resilience measures are developed in response to past incidents.
  • Processes exist but are inconsistently applied across the organisation.

Requirements
  • Develop and implement a comprehensive risk management framework.
  • Establish processes for monitoring and reporting on risks.

Example

Following a significant data breach, AmBank introduced security protocols; however, these measures are inconsistently applied across departments.

Level 2: Proactive

Characteristics
  • A proactive approach to operational resilience is in place.
  • An established set of processes exists to manage risk.
  • The organisation can identify potential disruptions before they occur.

Requirements
  • Develop and implement a comprehensive risk management framework.
  • Establish processes for monitoring and reporting on risk.

Example

AmBank conducts regular risk assessments to identify vulnerabilities in its online banking platform and addresses them before they can be exploited.

Level 3: Mature

Characteristics
  • A mature approach to operational resilience is evident.
  • A comprehensive risk management framework is in place.
  • The organisation effectively identifies and manages risks.

Requirements
  • Establish a culture of continuous improvement.
  • Ensure that staff are trained on the organisation’s approach to operational resilience.

Example

AmBank has a dedicated resilience team that regularly reviews and updates business continuity plans, incorporating lessons learned from simulations and real incidents.

Level 4: Advanced

Characteristics
  • An advanced approach to operational resilience is adopted.
  • The organisation integrates resilience considerations into strategic planning.
  • There is active engagement with external partners and industry groups to enhance resilience.

Requirements
  • Integrate resilience into the organisation’s strategic objectives.
  • Collaborate with external stakeholders to strengthen resilience capabilities.

Example

AmBank partners with other financial institutions and government agencies to share threat intelligence and coordinate responses to systemic risks.

Level 5: Optimised

Characteristics
  • Operational resilience is fully embedded in the organisational culture.
  • The organisation demonstrates industry leadership in resilience practices.
  • Continuous improvement processes are well-established and yield measurable benefits.

Requirements
  • Maintain and enhance resilience practices through innovation and leadership.
  • Benchmark and share best practices within the industry.

Example

AmBank not only meets all regulatory resilience standards but also pioneers new methodologies, such as utilising artificial intelligence to predict and mitigate potential disruptions.

Summary for Seven-Level Maturity Model

By aligning with this seven-level maturity model, AmBank Malaysia can conduct a thorough assessment of its operational resilience, systematically identify areas for improvement, and develop targeted strategies to better withstand and recover from disruptions.

A maturity model provides a structured approach to measure the bank’s resilience capabilities. AmBank can adopt a five-level maturity scale:

  1. Ad-hoc – No formal resilience strategy; responses are reactive.
  2. Developing – Some resilience measures exist, but they are not standardised.
  3. Defined – Policies and frameworks are established, but implementation is inconsistent.
  4. Managed – A proactive approach with regular testing and refinement.
  5. Optimised – Resilience is embedded across the organisation, with continuous improvement.

Example

AmBank evaluates its cyber resilience maturity and finds that while it has established frameworks (Level 3: Defined), testing and response capabilities need to improve to reach

Step 3: Conduct a Capability Assessment

This involves evaluating AmBank’s existing controls, policies, and response mechanisms in key areas:

  • Governance and Leadership – How resilience is managed at the board and executive levels.
  • Incident Response and Crisis Management – The effectiveness of response plans.
  • Technology and Cyber Resilience – Ability to withstand cyber threats.
  • Third-Party Risk Management – Oversight of external service providers.

Example

AmBank assesses its disaster recovery readiness and finds that while IT systems have backup solutions, failover testing is infrequent.

Step 4: Identify Gaps and Areas for Improvement

Once the assessment is complete, AmBank identifies resilience gaps and prioritises improvements. These may include:

  • Enhancing governance structures by establishing a dedicated Operational Resilience Committee.
  • Improving IT redundancy by implementing real-time failover mechanisms.
  • Strengthening third-party risk assessments to ensure critical vendors meet resilience requirements.

Example

The assessment reveals that vendor resilience monitoring is inconsistent. AmBank enhances due diligence by requiring vendors to provide annual resilience test reports.

Step 5: Benchmark Against Industry Standards

AmBank compares its resilience capabilities with regulatory guidelines and industry best practices, such as:

  • Bank Negara Malaysia’s Operational Resilience Framework – currently the BCM policy and the OR Discussion Paper
  • Basel Committee’s Principles for Operational Resilience
  • ISO 22316 (Organisational Resilience)

Example

Benchmarking shows AmBank aligns with Basel’s risk management principles but needs improvement in scenario-based stress testing for resilience validation.

Step 6: Develop a Roadmap for Improvement

Based on assessment findings, AmBank develops a Resilience Enhancement Roadmap, detailing:

  • Short-term actions (3-6 months) – E.g., conducting resilience training.
  • Medium-term initiatives (6-12 months) – E.g., upgrading incident response automation.
  • Long-term strategies (12+ months) – E.g., embedding resilience into business strategy.

Example

AmBank plans to implement an automated resilience dashboard that integrates risk data from multiple departments to provide real-time monitoring.

Assessing capability and maturity is a foundational step in AmBank Malaysia’s Operational Resilience Planning Methodology.

Through structured evaluation, benchmarking, and a targeted improvement roadmap, the bank strengthens its ability to anticipate, respond to, and recover from disruptions—ensuring stability for customers and stakeholders.

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.
