Analysing Gaps in Operational Resilience: A Critical Step for AmBank Malaysia
(Part of the “Plan” Phase in Operational Resilience for Metrobank)
Introduction
The “Analyse Gap” stage in the Plan phase of AmBank Malaysia’s Operational Resilience Planning Methodology is a crucial step in identifying discrepancies between the bank’s current resilience capabilities and regulatory or industry best practices.
This gap analysis enables AmBank to pinpoint weaknesses in its operational resilience framework and take corrective measures to strengthen its ability to withstand disruptions.
This article elaborates on the implementation steps for conducting a structured gap analysis, supported by relevant examples.
Implementation Steps for Gap Analysis
Step 1: Define the Scope of the Gap Analysis
The first step involves defining the scope of the gap analysis by identifying key business services, critical operations, and supporting assets (e.g., technology, third-party vendors, and human resources) that are essential for maintaining operational resilience.
Example:
AmBank’s core banking services, such as payments processing, trade finance, and ATM network operations, would be classified as critical.
The scope of the analysis should focus on these services, ensuring that resilience gaps are assessed comprehensively.
Step 2: Establish Benchmarking Criteria
The next step is to define benchmarking criteria by aligning operational resilience requirements with regulatory expectations (such as the Bank Negara Malaysia [BNM] guidelines), international standards (ISO 22316 for Organisational Resilience, ISO 22301 for Business Continuity Management), and best practices in the financial sector.
Example:
AmBank should compare its existing resilience framework against BNM’s Operational Resilience Guidance Note and assess whether it meets the expectations for impact tolerance, incident response, and third-party risk management.
Step 3: Conduct Current State Assessment
AmBank needs to evaluate its current resilience posture by reviewing policies, procedures, incident reports, risk assessments, and technology infrastructure to determine existing capabilities.
This process involves engaging with business units, IT, risk management, and compliance teams to collect relevant data.
Example:
A review of past cybersecurity incidents (e.g., system outages due to ransomware attacks) can reveal gaps in AmBank’s incident response time, data recovery mechanisms, and communication strategies during disruptions.
Step 4: Identify Gaps and Areas for Improvement
Once the current state is assessed, AmBank can identify gaps between its existing resilience measures and the established benchmark criteria.
Gaps may include deficiencies in impact tolerance thresholds, recovery time objectives (RTOs), governance structures, or third-party resilience capabilities.
Example:
If AmBank’s core payment system has a maximum downtime tolerance of 30 minutes, but the current disaster recovery plan allows for a recovery time of 2 hours, this gap indicates a need for enhanced recovery strategies.
Step 5: Prioritise Gaps Based on Risk and Impact
Not all identified gaps have the same level of urgency. AmBank should prioritise them based on business impact analysis (BIA), regulatory compliance risk, and customer impact. This step ensures that critical vulnerabilities are addressed first.
Example:
A gap in third-party risk management affecting an outsourced cloud-based transaction system might be prioritised over a minor documentation deficiency in internal policies, as the former poses a higher risk to operational continuity.
Step 6: Develop Actionable Recommendations
Based on the prioritised gaps, AmBank should develop actionable recommendations that include remediation strategies, process enhancements, technology upgrades, or policy revisions.
Example:
If a gap is identified in incident response coordination, AmBank can enhance its resilience by implementing an automated alerting system to escalate critical incidents faster across departments.
Step 7: Validate Findings with Key Stakeholders
To ensure the accuracy and feasibility of the identified gaps and proposed solutions, AmBank must validate the findings with key stakeholders, including senior management, risk and compliance teams, and business continuity leads.
Example:
A resilience gap in cross-border payment processing should be discussed with both the operations and IT teams to determine whether it requires system redundancy enhancements or regulatory approvals.
Step 8: Document and Integrate into the Resilience Strategy
The final step is to document the gap analysis findings and integrate them into AmBank’s Operational Resilience Strategy.
This documentation serves as a reference for remediation planning, regulatory reporting, and resilience program enhancements.
Example:
The report should clearly outline:
- Identified gaps (e.g., lack of stress testing for cyber resilience).
- Recommended actions (e.g., conduct quarterly cyber resilience tests).
- Owners responsible for implementation (e.g., Chief Information Security Officer).
The “Analyse Gap” stage is a fundamental component of AmBank Malaysia’s Operational Resilience Planning Methodology, providing a structured approach to identify and address resilience weaknesses.
By following these implementation steps, AmBank can proactively mitigate risks, enhance operational resilience, and ensure compliance with regulatory expectations, ultimately safeguarding its critical financial services.
Building Resilient Banking Operations: The Metrobank Operational Resilience Implementation Guide
"Plan" Phase of the Operational Resilience Planning Methodology
Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.
