[OR] [AmB] [E2] [P1] [S1-S5] [C2] Five Stages of the Plan Phase

Operational Resilience Planning Methodology: The Five Stages of the “Plan” Phase for AmBank Malaysia

Introduction

Operational resilience is a crucial aspect of financial institutions, enabling them to withstand disruptions and maintain essential services.

At AmBank Malaysia, the “Plan” phase of the Operational Resilience Planning Methodology consists of five structured stages:

1. Assess Capability and Maturity
2. Analyse Gap
3. Develop Strategy and Roadmap
4. Confirm Risk Appetite
5. Develop and Embed Governance

Each stage plays a vital role in shaping AmBank Malaysia’s resilience framework, aligning with regulatory expectations and industry best practices.

Below is a summary of the implementation process for each stage, along with practical examples.

Stage 1: Assess Capability and Maturity

[Plan Phase – Stage 1]

Objective:

Evaluate the bank’s current operational resilience capabilities, maturity level, and preparedness against regulatory and industry benchmarks.

Implementation Process:

• Conduct a Resilience Maturity Assessment using a structured framework (e.g., Basel Committee on Banking Supervision, Bank Negara Malaysia’s Operational Resilience Guidelines).
• Assess critical business services, their interdependencies, and existing resilience measures.
• Identify strengths in resilience and areas that require improvement.
• Engage key stakeholders, including risk management, IT, and business continuity teams, to provide insights.

Example:

AmBank Malaysia utilizes a Resilience Maturity Model to assess its preparedness, ranging from Level 1 (Basic) to Level 5 (Optimised). The assessment highlights gaps in third-party risk management and IT disaster recovery planning, prompting further analysis.

Stage 2: Analyse Gap

[Plan Phase – Stage 2]

Objective:

Identify gaps between the bank’s current resilience capabilities and the target state based on regulatory and business requirements.

Implementation Process:

• Compare findings from the capability assessment against regulatory guidelines (e.g., Bank Negara Malaysia’s Resilience Framework).
• Conduct a Business Impact Analysis (BIA) to evaluate vulnerabilities in key operational areas.
• Review past incidents and stress test results to identify areas of resilience weakness.
• Prioritise identified gaps based on potential risk exposure and business impact.

Example:

A gap analysis reveals that while AmBank has robust cybersecurity measures, its incident response plans lack integration with third-party service providers, which could delay recovery in the event of a major cyberattack.

Stage 3: Develop Strategy and Roadmap

[Plan Phase – Stage 3]

Objective:

Formulate a strategic approach and an implementation roadmap to enhance AmBank’s operational resilience over time.

Implementation Process:

• Define short-term (1 year), medium-term (3 years), and long-term (5 years) resilience goals.
• Develop an implementation roadmap outlining key initiatives, milestones, and required investments.
• Align resilience strategy with broader risk management and digital transformation goals.
• Identify key performance indicators (KPIs) and metrics for tracking progress.

Example:

AmBank has developed a three-year Operational Resilience Roadmap, focusing on:

• Year 1: Enhancing cyber resilience and third-party risk management.
• Year 2: Strengthening cloud-based disaster recovery and crisis communication protocols.
• Year 3: Achieving full operational resilience automation with AI-driven threat detection.

Stage 4: Confirm Risk Appetite

[Plan Phase – Stage 4]

Objective:

Define and validate the bank’s operational resilience risk appetite, ensuring alignment with business strategy and regulatory expectations.

Implementation Process:

• Establish risk appetite thresholds for service downtime, data loss, and financial losses due to disruptions.
• Conduct scenario analysis to assess potential resilience risks and their financial impact.
• Obtain approval from senior management and board committees.
• Ensure risk appetite statements are embedded into business and risk management processes.

Example:

AmBank determines that for critical payment processing systems, the acceptable maximum downtime is 30 minutes, and data loss should not exceed 5 minutes of transaction records. These thresholds guide resilience investments and incident response strategies.

Stage 5: Develop and Embed Governance

[Plan Phase – Stage 5]

Objective:

Establish a governance structure to ensure ongoing oversight of resilience, accountability, and compliance with regulations.

Implementation Process:

• Define roles and responsibilities for operational resilience at various levels (e.g., Board, Risk Committees, Operational Resilience Teams).
• Integrate resilience governance within Enterprise Risk Management (ERM) and IT governance frameworks.
• Implement regular resilience testing, including penetration testing, tabletop exercises, and full-scale simulations.
• Establish a continuous monitoring mechanism to track and report resilience performance.

Example:

AmBank creates an Operational Resilience Committee chaired by the Chief Risk Officer (CRO). The committee reviews resilience metrics quarterly, conducts annual scenario exercises, and reports directly to the Board Risk Committee.

AmBank Malaysia’s five-stage “Plan” phase provides a structured and strategic approach to operational resilience. By assessing current capabilities, identifying gaps, developing a strategic roadmap, confirming risk appetite, and embedding governance, the bank ensures its ability to withstand disruptions while meeting regulatory expectations.

This proactive approach strengthens AmBank’s resilience posture, safeguards critical financial services, and reinforces trust among customers, regulators, and stakeholders.

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.