Provide Self-Assessment: Strengthening Operational Resilience at AmBank Malaysia
Introduction
In the Sustain phase of AmBank Malaysia’s Operational Resilience Planning Methodology, the Provide Self-Assessment stage plays a crucial role in ensuring that resilience strategies remain effective, relevant, and aligned with the bank’s risk landscape.
This stage focuses on continuous improvement through structured self-evaluation, identifying gaps, and implementing corrective actions.
Key Implementation Steps
1. Establish a Self-Assessment Framework
The first step involves developing a structured self-assessment framework tailored to AmBank’s operational resilience objectives. This framework should include:
- Assessment Criteria: Align with regulatory requirements, such as Bank Negara Malaysia’s (BNM) Operational Resilience guidelines, and global standards like ISO 22316 (Organizational Resilience).
- Evaluation Metrics: Define key resilience indicators (KRIs) such as system uptime, recovery time objectives (RTOs), and incident response effectiveness.
- Frequency of Assessments: Determine assessment intervals (e.g., quarterly, semi-annually, or annually) based on risk exposure and operational changes.
Example: AmBank establishes a self-assessment checklist focusing on business service resilience, third-party dependencies, and cyber resilience, ensuring that all critical business functions are evaluated regularly.
2. Conduct Business Service Resilience Evaluations
Each critical business service should be assessed against predefined resilience objectives. The evaluation should include:
- Scenario-based Reviews: Test the ability of key services to withstand disruptions (e.g., cyberattacks, system failures).
- Stress Testing and Simulations: Use tabletop exercises to validate recovery capabilities.
- Gap Analysis: Identify weaknesses in business continuity strategies and operational resilience plans.
Example: AmBank conducts a cyber resilience self-assessment, simulating a ransomware attack on its online banking platform to measure its response effectiveness. The assessment reveals a delay in data recovery, prompting the enhancement of backup processes.
3. Assess Third-Party and Supply Chain Resilience
Operational resilience extends beyond internal processes to third-party service providers (e.g., cloud vendors, payment gateways). The assessment should include:
- Reviewing Vendor Business Continuity Plans (BCPs): Ensure third-party providers have robust resilience plans.
- Monitoring Service Level Agreements (SLAs): Validate compliance with resilience and recovery time requirements.
- Conducting Supplier Risk Assessments: Identify vulnerabilities in supply chain dependencies.
Example: AmBank evaluates its cloud service provider’s disaster recovery plan and finds that the recovery site is in a high-risk location. The bank works with the provider to establish a secondary backup site in a more secure region.
4. Evaluate Cyber and IT Resilience Capabilities
Given the digital nature of banking operations, cyber resilience is critical. The self-assessment should focus on:
- Incident Detection and Response Maturity: Assess the effectiveness of cybersecurity monitoring and response teams.
- Data Protection and Backup Strategies: Ensure encrypted, off-site backups are available and tested regularly.
- System Redundancy and Failover Mechanisms: Evaluate the ability to switch to backup systems without service disruption.
Example: AmBank conducts a self-assessment of its digital banking infrastructure, discovering that certain legacy systems lack real-time failover mechanisms. As a result, an upgrade strategy is developed to enhance system redundancy.
5. Review Crisis Communication and Incident Response Plans
An effective operational resilience strategy includes strong communication protocols during crises. This assessment should cover:
- Stakeholder Notification Timelines: Ensure timely communication with customers, regulators, and internal teams.
- Crisis Management Training: Evaluate staff preparedness through drills and scenario-based training.
- Public Relations and Reputation Management: Assess the effectiveness of messaging during disruptions.
Example: After conducting a mock crisis communication drill, AmBank identifies delays in notifying stakeholders about a simulated IT outage. The response plan is revised to improve coordination between teams.
6. Document Findings and Implement Corrective Actions
The final step involves consolidating assessment results, identifying recurring gaps, and implementing improvements. This should include:
- Developing Action Plans: Assign responsibilities and timelines for closing identified gaps.
- Tracking Progress: Use dashboards to monitor the implementation of resilience enhancements.
- Continuous Improvement Cycle: Establish feedback loops for ongoing refinement of resilience measures.
Example: Following its self-assessment of ATM network resilience, AmBank enhances alternative cash withdrawal options (e.g., mobile cash services) after identifying dependency risks in specific regions.
By systematically conducting self-assessments, AmBank Malaysia can sustain and enhance its operational resilience. This ongoing evaluation process ensures the bank remains prepared for disruptions, strengthens regulatory compliance, and builds customer trust.
Through structured self-assessments and continuous improvements, AmBank reinforces its position as a resilient and secure financial institution.
Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.



