[OR] [AmB] [E2] [P1] [S5] [C7] Developing and Embedding Governance

Develop and Embed Governance in Operational Resilience Planning at AmBank Malaysia

(Part of the “Plan” Phase in Operational Resilience for Metrobank)

Introduction

Governance is the backbone of any operational resilience framework. In the “Develop and Embed Governance” stage of the “Plan” phase of AmBank Malaysia’s Operational Resilience Planning Methodology, the focus is on establishing clear structures, roles, responsibilities, and policies to ensure resilience is integrated into the bank’s operations.

Effective governance provides strategic direction, oversight, and accountability for resilience efforts, ensuring that the bank can anticipate, prepare for, and respond to disruptions.

This article outlines the implementation steps for embedding governance within AmBank’s operational resilience framework, along with practical examples.

Implementation Steps

Step 1: Establish the Operational Resilience Governance Structure

Objective: Define clear accountability and decision-making authority for resilience management across the bank.

Actions:

• Assign executive sponsorship to a senior leader (e.g., Chief Risk Officer or Chief Operating Officer).
• Form an Operational Resilience Steering Committee with representatives from risk management, compliance, IT, business operations, and customer service.
• Define governance layers, including board oversight, senior management roles, and business unit responsibilities.

Example:

AmBank’s Board Risk Management Committee (BRMC) oversees the operational resilience strategy, while the Operational Resilience Steering Committee (ORSC) ensures policies and frameworks are executed effectively at the business unit level.

Step 2: Define Policies, Standards, and Frameworks

Objective: Establish a policy framework that aligns with regulatory expectations and best practices.

Actions:

• Develop an Operational Resilience Policy outlining the bank’s approach, objectives, and regulatory compliance requirements (e.g., Bank Negara Malaysia’s Risk Management in Technology [RMiT] guidelines).
• Define resilience standards for impact tolerances, critical business services, and third-party risk management.
• Integrate resilience governance with existing frameworks, such as Business Continuity Management (BCM) and Enterprise Risk Management (ERM).

Example:

AmBank’s Operational Resilience Policy mandates that all critical business services must have defined impact tolerances and undergo annual resilience testing to ensure they can withstand disruptions.

Step 3: Assign Roles and Responsibilities

Objective: Ensure key stakeholders understand their responsibilities in resilience governance.

Actions:

• Define roles for board members, senior management, business unit heads, and risk officers.
• Develop a Resilience Accountability Matrix (RACI model) mapping responsibilities for policy enforcement, monitoring, and reporting.
• Conduct awareness training to embed resilience governance in everyday decision-making.

Example:

• The Board of Directors is accountable for setting the resilience strategy and risk appetite.
• Business unit heads are responsible for identifying critical services and implementing resilience measures.
• IT and cybersecurity teams ensure systems supporting critical services meet resilience thresholds.

Step 4: Establish Reporting and Monitoring Mechanisms

Objective: Implement monitoring frameworks to track resilience performance and compliance.

Actions:

• Define Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) for resilience (e.g., system downtime, recovery times, customer impact).
• Implement a Resilience Dashboard for real-time monitoring of disruptions.
• Conduct regular board-level reporting on resilience status and incidents.

Example:

AmBank’s Resilience Dashboard provides real-time visibility into critical system performance, cyber threats, and third-party risks. This enables senior management to take proactive measures to mitigate disruptions.

Step 5: Embed Resilience into Risk Culture and Decision-Making

Objective: Make resilience a core part of business strategy, risk management, and operational decision-making.

Actions:

• Integrate resilience considerations into new product launches, technology upgrades, and outsourcing decisions.
• Conduct resilience scenario planning and tabletop exercises with business leaders.
• Include resilience KPIs in performance evaluations for senior management.

Example:

Before launching a new digital banking service, AmBank’s risk management team assesses its resilience by conducting cyber resilience testing and validating cloud service providers’ ability to meet the bank’s impact tolerances.

Developing and embedding governance in operational resilience ensures that AmBank Malaysia can proactively manage risks, protect critical business services, and maintain financial stability.

By implementing a structured governance approach with clear policies, accountability, monitoring, and a strong risk culture, the bank strengthens its ability to withstand disruptions while maintaining customer trust and regulatory compliance.

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.