[OR] [AmB] [E2] [P2] [S1-S5] [C8] Five Stages of the "Implement" Phase

Implement Phase of Metrobank’s Operational Resilience Planning Methodology

Introduction

The Five Stages of the “Implement” Phase in Operational Resilience Planning for AmBank Malaysia

Operational resilience is a critical priority for financial institutions like AmBank Malaysia, ensuring they can withstand, adapt to, and recover from disruptions.

The “Implement” phase in AmBank’s Operational Resilience Planning Methodology consists of five key stages, each designed to build a strong resilience framework.

These stages include Identifying Critical Business Services, Mapping Processes and Resources, Setting Impact Tolerance, Conducting Scenario Testing, and Improving Lessons Learned.

This article provides a detailed overview of each stage, outlining its importance, implementation process, and relevant examples.

Stage 1: Identify Critical Business Services

[Implement Phase – Stage 1]

Objective:

The first step in implementing operational resilience is identifying Critical Business Services (CBS)—services that, if disrupted, could significantly impact customers, financial stability, and regulatory compliance.

Implementation Process:

• Conduct an enterprise-wide assessment to identify essential services.
• Evaluate services based on factors such as customer dependency, regulatory obligations, and financial impact.
• Engage stakeholders, including business heads, risk managers, and IT teams, to validate selections.

Example:

For AmBank Malaysia, real-time payment processing is a critical business service. A failure in this service could prevent customers from making or receiving payments, affecting businesses and individuals nationwide. Identifying such services ensures that resilience measures are prioritised accordingly.

Stage 2: Map Processes and Resources

[Implement Phase – Stage 2]

Objective:

After identifying critical business services, the next step is to map the underlying processes, systems, people, and third-party dependencies supporting these services. This allows the bank to understand vulnerabilities and interdependencies.

Implementation Process:

• Break down each critical business service into sub-processes and workflows.
• Identify the IT systems, data centers, applications, and human resources that support these processes.
• Assess third-party dependencies, such as cloud service providers and external payment networks.

Example:

For the real-time payment processing service, mapping may reveal dependencies on:

• A core banking system hosted on an external cloud platform.
• Network infrastructure that enables communication between internal banking applications and payment gateways.
• A third-party fraud detection system that monitors suspicious transactions in real-time.

By understanding these dependencies, AmBank can develop contingency measures to ensure service continuity even if one component fails.

Stage 3: Set Impact Tolerance

[Implement Phase – Stage 3]

Objective:

Impact tolerance defines the maximum level of disruption a critical business service can withstand before causing intolerable harm to customers, financial markets, or regulatory compliance.

Implementation Process:

• Define maximum allowable downtime (e.g., how long a service can be unavailable before severe consequences arise).
• Establish thresholds for degraded performance (e.g., how much delay in processing transactions is acceptable).
• Align impact tolerance with regulatory expectations, such as those set by Bank Negara Malaysia (BNM).

Example:

For real-time payment processing, AmBank may set an impact tolerance as follows:

• Maximum downtime: 15 minutes before customer complaints escalate and financial transactions fail.
• Transaction failure rate: No more than 0.5% of total transactions.
• Customer notification threshold: If delays exceed 10 minutes, an automated message is triggered.

These thresholds help guide recovery strategies and resource allocation.

Stage 4: Conduct Scenario Testing

[Implement Phase – Stage 4]

Objective:

Testing resilience through realistic disruption scenarios ensures AmBank’s critical business services can withstand and recover from various threats, such as cyberattacks, system failures, or operational errors.

Implementation Process:

• Develop test scenarios simulating cyber incidents, power failures, third-party outages, and system overloads.
• Conduct tabletop exercises and technical drills to assess response capabilities.
• Measure the bank’s ability to stay within impact tolerance levels.
• Identify weaknesses and gaps in response mechanisms.

Example:

A cyberattack simulation on AmBank’s real-time payment processing system could test:

• How quickly can IT security teams detect and isolate the threat?
• Whether transaction processing remains within impact tolerance.
• The effectiveness of communication between cybersecurity, risk management, and customer support teams.

Results from such tests guide improvements in security protocols, backup strategies, and crisis response coordination.

Stage 5: Improve Lessons Learnt

[Implement Phase – Stage 5]

Objective:

Continuous improvement is essential in operational resilience. AmBank must analyze the results of scenario tests, past incidents, and industry developments to refine its resilience strategies.

Implementation Process:

• Conduct post-incident reviews and document key findings.
• Update business continuity and disaster recovery plans based on test results.
• Implement corrective actions and train employees on revised protocols.
• Stay updated on regulatory changes and industry best practices.

Example:

Following a real-time payment disruption caused by a third-party cloud service outage, AmBank may:

• Establish backup cloud providers to reduce reliance on a single vendor.
• Enhance customer notification protocols to improve transparency.
• Improve real-time monitoring of third-party service levels.

These improvements strengthen AmBank’s ability to respond effectively to future disruptions.

The “Implement” phase of AmBank Malaysia’s Operational Resilience Planning Methodology is a structured approach to ensuring critical business services remain resilient amid disruptions. By following these five stages:

1. Identifying Critical Business Services – Understanding which services are essential.
2. Mapping Processes and Resources – Documenting dependencies and vulnerabilities.
3. Setting Impact Tolerance – Defining acceptable service disruption limits.
4. Conducting Scenario Testing – Validating resilience strategies through real-world simulations.
5. Improving Lessons Learned – Continuously refining response mechanisms.

Through these steps, AmBank Malaysia can proactively manage operational risks, comply with Bank Negara Malaysia’s resilience requirements, and enhance customer trust in its services.

Operational Resilience Framework: A Case Study of AmBank Malaysia
C1	C2	C8	C14

Operational Resilience Framework: A Case Study of AmBank Malaysia
"Implement" Phase of the Operational Resilience Planning Methodology
C8	C9	C10	C11	C12	C13

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.

 

More Information About OR-5000 [OR-5] or OR-300 [OR-3]

To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.

	If you have any questions, click to contact us.