[OR] [AmB] [E2] [P2] [S4] [C12] Performing Scenario Testing

Performing Scenario Testing in Operational Resilience Planning for AmBank Malaysia

(Stage of the “Implement” Phase – Operational Resilience Planning Methodology for Metrobank)

Introduction

Operational resilience is no longer just a regulatory requirement—it is a strategic necessity for financial institutions like AmBank Malaysia. In an era where cyber threats, technological failures, and external disruptions are increasing in complexity and frequency, banks must proactively ensure their ability to continue delivering critical services during and after disruptions.

As part of the "Implement" phase of AmBank Malaysia’s Operational Resilience Planning Methodology, scenario testing plays a pivotal role in assessing the bank’s preparedness against real-world incidents. This process goes beyond theoretical planning by simulating disruptive events, allowing the organisation to evaluate response mechanisms, identify gaps, and refine strategies.

Scenario testing provides valuable insights into how AmBank’s resilience framework holds up under pressure. By stress-testing different scenarios—such as cyberattacks, IT outages, third-party failures, or physical disruptions—the bank can validate its incident response, crisis management, and recovery strategies.

More importantly, scenario testing ensures compliance with Bank Negara Malaysia's operational resilience guidelines while strengthening customer trust in AmBank’s ability to manage risks effectively.

This article explores the structured approach to performing scenario testing in AmBank’s operational resilience framework, outlining the key implementation steps along with real-world examples relevant to the bank’s operations.

Implementation Steps for Performing Scenario Testing

1. Define Objectives and Scope

The first step in scenario testing is to clearly establish what needs to be tested and why. AmBank must align its scenario testing objectives with its broader resilience goals, ensuring that the focus is on mission-critical services and regulatory compliance.

Key Objectives:

• Evaluate AmBank’s ability to maintain essential banking services during disruptions.
• Assess the effectiveness of incident response teams in managing crises.
• Test the bank’s business continuity and disaster recovery (BC/DR) strategies.
• Identify vulnerabilities in third-party dependencies.

Example:

If the objective is to test resilience against a cyberattack, the scenario could simulate a ransomware attack targeting AmBank’s core banking systems. The exercise would assess how quickly the IT security team detects and mitigates the threat while ensuring minimal impact on customer transactions.

2. Identify Critical Business Services and Impact Tolerances

Before designing the test scenarios, AmBank must determine which services are most critical to customers and the financial system. Setting impact tolerances helps define how much disruption can be tolerated before significant harm occurs.

Example Critical Business Services and Impact Tolerances:

• Online Banking Platform → Must be restored within two hours to avoid major financial losses and reputational damage.
• ATM Network → Cannot experience downtime exceeding four hours to prevent widespread customer inconvenience.
• SWIFT Payments System → Must remain operational at all times due to its role in cross-border transactions.

By establishing clear impact tolerances, AmBank ensures that scenario testing focuses on the most vital operations.

3. Develop Realistic Scenario Testing Plans

Scenarios must be carefully designed to reflect real-world risks that could impact AmBank’s operations. A well-structured scenario considers:

• The type of disruption (cyberattack, IT outage, operational failure, third-party issue, etc.)
• The affected business service (payments, loans, ATM services, internet banking, etc.)
• The response and recovery mechanisms to be evaluated
• Key stakeholders involved (IT teams, risk management, crisis management, compliance, etc.)

Example Scenarios:

• Cyberattack Scenario: A phishing attack compromises employee credentials, allowing hackers to infiltrate AmBank’s customer database.
• IT System Failure: A software glitch crashes the bank’s online banking platform during peak hours.
• Third-Party Service Disruption: A cloud service provider experiences a failure, affecting AmBank’s digital services.
• Regulatory Compliance Scenario: A sudden change in Bank Negara Malaysia’s cybersecurity regulations forces AmBank to adapt its operational processes within a short timeframe.

4. Execute the Scenario Testing

Scenario testing can be performed in different ways:

• Tabletop Exercises → Discussion-based simulations where teams walk through a hypothetical scenario and assess their response.
• Live Testing → Real-time simulations that evaluate the actual performance of systems, processes, and teams.
• Technical Stress Tests → Simulations involving IT infrastructure, such as disaster recovery drills and penetration testing for cybersecurity resilience.

Example Execution Plan:

1. Cyberattack Drill

• IT security triggers a simulated ransomware attack.
• The cybersecurity team detects and mitigates the threat.
• The crisis management team coordinates internal communication.
• Customer service handles inquiries and ensures transparency.

• AmBank’s core banking system is deliberately switched to a backup data center.
• IT teams validate the failover process and assess downtime.
• Business units confirm whether essential transactions remain operational.

5. Assess Performance and Identify Gaps

After executing the scenario test, performance is measured against predefined KPIs such as response time, recovery time, customer impact, and regulatory compliance.

Example Findings:

• Cyberattack Drill Outcome: The IT team successfully contained the ransomware, but internal communications were delayed by 15 minutes due to confusion over reporting protocols.
• System Failover Test Result: The alternate data centre was activated, but some transaction processing services took longer than expected to resume, requiring manual intervention.

These findings highlight areas where AmBank can improve its resilience strategies.

6. Refine and Enhance Resilience Strategies

Based on the findings, AmBank should implement corrective actions and refine its resilience framework. This includes updating response plans, enhancing employee training, and improving technological redundancies.

Example Improvements:

• Deploy an automated incident notification system to reduce communication delays.
• Strengthen third-party risk management by requiring vendors to participate in resilience tests.
• Upgrade IT disaster recovery capabilities to minimize manual intervention during system failovers.

Scenario testing is a cornerstone of AmBank Malaysia’s Operational Resilience Planning Methodology. By simulating real-world disruptions, the bank ensures that its critical business services remain functional even in the face of cyberattacks, IT failures, and operational shocks.

The insights gained from scenario testing allow AmBank to continuously refine its resilience strategies, enhance risk mitigation capabilities, and comply with regulatory expectations. More importantly, these exercises reinforce customer confidence by demonstrating AmBank’s commitment to maintaining uninterrupted banking services.

Moving forward, AmBank must adopt a proactive approach to scenario testing, integrating emerging risks like AI-driven cyber threats, geopolitical disruptions, and climate-related events into its resilience framework. By doing so, the bank will not only comply with Bank Negara Malaysia’s operational resilience guidelines but also stay ahead of evolving risks in an increasingly volatile financial landscape.

Through regular scenario testing, continuous improvement, and strategic foresight, AmBank Malaysia strengthens its position as a resilient and trusted financial institution, capable of withstanding any crisis.

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.