[OR] [AmB] [E2] [P2] [S3] [C11] Establishing Impact Tolerance

Establishing Impact Tolerance: Implementing Operational Resilience at AmBank Malaysia

(Stage of the “Implement” Phase – Operational Resilience Planning Methodology for Metrobank)

Introduction

Operational resilience is a critical component of financial institutions, ensuring that essential business services can withstand and recover from disruptions.

The financial industry, including banks like AmBank Malaysia, operates in an increasingly complex and interconnected environment where threats such as cyberattacks, IT failures, third-party service disruptions, and regulatory changes can pose significant risks.

 Ensuring resilience is no longer just about recovery after an incident—it is about proactively defining the boundaries within which a business can operate before experiencing an unacceptable level of harm.

In the Implement phase of AmBank Malaysia’s Operational Resilience Planning Methodology, one of the key stages is Establishing Impact Tolerance.

This stage involves defining the maximum acceptable level of disruption that a critical business service can endure before it causes intolerable harm to customers, market integrity, or financial stability.

By setting clear impact tolerances, AmBank ensures that it can maintain financial stability, regulatory compliance, and customer trust, even in the face of unexpected disruptions.

The process involves identifying critical business services, assessing risks, defining acceptable disruption limits, conducting stress testing, and continuously improving resilience measures.

Implementation Steps

Step 1: Identifying Critical Business Services

Before setting impact tolerances, AmBank must first determine which business services are critical. A critical business service is one that, if disrupted, would have a significant impact on customers or the financial system.

Example:

• Retail Banking Payment Services: If AmBank’s online banking platform experiences an outage, customers may be unable to perform fund transfers, make bill payments, or check account balances.
• Corporate Treasury Operations: If disruptions affect liquidity management, large corporate clients may struggle to execute transactions, affecting their cash flow.

Step 2: Defining the Maximum Tolerable Disruption

For each critical service, AmBank must define a threshold beyond which the disruption becomes unacceptable. This threshold could be measured in terms of time, volume, or service capacity.

Example:

• Online Banking Downtime: The bank may establish that online banking services must not be unavailable for more than 4 hours, beyond which there could be significant customer dissatisfaction and regulatory scrutiny.
• Cheque Clearing Services: A delay of more than one business day in clearing cheques could impact corporate clients’ cash flows and damage trust in the banking system.

Step 3: Assessing Potential Scenarios and Impacts

AmBank must analyze different disruption scenarios and their potential impact on business services, customers, and market confidence. These scenarios should be based on past incidents, industry trends, and regulatory expectations.

Example:

• Cyberattack Scenario: If a ransomware attack encrypts critical banking systems, how long can AmBank sustain operations using contingency measures?
• Third-Party Failure: If a key third-party payment processor experiences downtime, how will it affect AmBank’s ability to process transactions?

Step 4: Stress Testing Against Impact Tolerances

To validate the established impact tolerances, AmBank must conduct stress testing and simulation exercises. These tests assess whether the bank’s existing controls and mitigation strategies can keep disruptions within acceptable limits.

Example:

• Business Continuity Simulation: A mock cyberattack is simulated to assess whether AmBank can restore online banking services within the predefined 4-hour impact tolerance.
• Third-Party Risk Exercise: The bank tests an alternative payment routing system in case its main third-party provider fails.

Step 5: Embedding Tolerances into Response Strategies

Once impact tolerances are validated, they must be integrated into AmBank’s incident response, crisis management, and recovery planning processes. Clear escalation protocols and decision-making frameworks should be established to ensure that the bank can act swiftly when an incident occurs.

Example:

• Incident Response Protocol: If a critical system failure exceeds the set impact tolerance, automated escalation to senior management and regulators must be triggered.
• Customer Communication Plan: If an outage occurs, predefined communication strategies ensure that customers are informed promptly to maintain trust.

Step 6: Continuous Monitoring and Improvement

Impact tolerances should not be static; they must evolve based on changing business environments, regulatory updates, and emerging risks. AmBank should establish a regular review cycle to reassess and refine its impact tolerances.

Example:

• Annual Review: Reviewing tolerance levels annually to ensure they remain aligned with customer expectations and market conditions.
• Regulatory Compliance: Adjusting impact tolerances to comply with Bank Negara Malaysia’s (BNM) Operational Resilience Guidelines.

Impact Tolerance Review Template

To facilitate a structured review process, AmBank Malaysia’s management can utilise the following template to document impact tolerances across all critical business services:

By establishing well-defined impact tolerances, AmBank Malaysia ensures that its critical business services remain resilient, even in the face of operational disruptions.

This proactive approach strengthens financial stability, regulatory compliance, and customer trust, ensuring that the bank can respond swiftly and effectively to any crisis.

The process of defining impact tolerances is not a one-time activity but an ongoing effort that requires continuous assessment, scenario planning, and adaptation to emerging risks.

As financial institutions face an increasingly complex risk landscape, operational resilience must be embedded into the core of business continuity and risk management frameworks.

AmBank’s commitment to refining its impact tolerance methodology ensures that it remains at the forefront of resilience planning, safeguarding its reputation and the financial well-being of its customers.

By continuously improving and stress testing its operational resilience framework, AmBank Malaysia can confidently navigate disruptions and maintain its role as a trusted financial institution in Malaysia’s banking sector.

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.