[OR] [AmB] [E2] [P3] [S4] [C18] Providing Self-Assessment

Provide Self-Assessment: Strengthening Operational Resilience at AmBank Malaysia

Introduction

In the Sustain phase of AmBank Malaysia’s Operational Resilience Planning Methodology, the Provide Self-Assessment stage plays a crucial role in ensuring that resilience strategies remain effective, relevant, and aligned with the bank’s risk landscape. 

This stage focuses on continuous improvement through structured self-evaluation, identifying gaps, and implementing corrective actions.

Key Implementation Steps

1. Establish a Self-Assessment Framework

The first step involves developing a structured self-assessment framework tailored to AmBank’s operational resilience objectives. This framework should include:

• Assessment Criteria: Align with regulatory requirements, such as Bank Negara Malaysia’s (BNM) Operational Resilience guidelines, and global standards like ISO 22316 (Organizational Resilience).
• Evaluation Metrics: Define key resilience indicators (KRIs) such as system uptime, recovery time objectives (RTOs), and incident response effectiveness.
• Frequency of Assessments: Determine assessment intervals (e.g., quarterly, semi-annually, or annually) based on risk exposure and operational changes.

Example: AmBank establishes a self-assessment checklist focusing on business service resilience, third-party dependencies, and cyber resilience, ensuring that all critical business functions are evaluated regularly.

2. Conduct Business Service Resilience Evaluations

Each critical business service should be assessed against predefined resilience objectives. The evaluation should include:

• Scenario-based Reviews: Test the ability of key services to withstand disruptions (e.g., cyberattacks, system failures).
• Stress Testing and Simulations: Use tabletop exercises to validate recovery capabilities.
• Gap Analysis: Identify weaknesses in business continuity strategies and operational resilience plans.

Example: AmBank conducts a cyber resilience self-assessment, simulating a ransomware attack on its online banking platform to measure its response effectiveness. The assessment reveals a delay in data recovery, prompting the enhancement of backup processes.

3. Assess Third-Party and Supply Chain Resilience

Operational resilience extends beyond internal processes to third-party service providers (e.g., cloud vendors, payment gateways). The assessment should include:

• Reviewing Vendor Business Continuity Plans (BCPs): Ensure third-party providers have robust resilience plans.
• Monitoring Service Level Agreements (SLAs): Validate compliance with resilience and recovery time requirements.
• Conducting Supplier Risk Assessments: Identify vulnerabilities in supply chain dependencies.

Example: AmBank evaluates its cloud service provider’s disaster recovery plan and finds that the recovery site is in a high-risk location. The bank works with the provider to establish a secondary backup site in a more secure region.

4. Evaluate Cyber and IT Resilience Capabilities

Given the digital nature of banking operations, cyber resilience is critical. The self-assessment should focus on:

• Incident Detection and Response Maturity: Assess the effectiveness of cybersecurity monitoring and response teams.
• Data Protection and Backup Strategies: Ensure encrypted, off-site backups are available and tested regularly.
• System Redundancy and Failover Mechanisms: Evaluate the ability to switch to backup systems without service disruption.

Example: AmBank conducts a self-assessment of its digital banking infrastructure, discovering that certain legacy systems lack real-time failover mechanisms. As a result, an upgrade strategy is developed to enhance system redundancy.

5. Review Crisis Communication and Incident Response Plans

An effective operational resilience strategy includes strong communication protocols during crises. This assessment should cover:

• Stakeholder Notification Timelines: Ensure timely communication with customers, regulators, and internal teams.
• Crisis Management Training: Evaluate staff preparedness through drills and scenario-based training.
• Public Relations and Reputation Management: Assess the effectiveness of messaging during disruptions.

Example: After conducting a mock crisis communication drill, AmBank identifies delays in notifying stakeholders about a simulated IT outage. The response plan is revised to improve coordination between teams.

6. Document Findings and Implement Corrective Actions

The final step involves consolidating assessment results, identifying recurring gaps, and implementing improvements. This should include:

• Developing Action Plans: Assign responsibilities and timelines for closing identified gaps.
• Tracking Progress: Use dashboards to monitor the implementation of resilience enhancements.
• Continuous Improvement Cycle: Establish feedback loops for ongoing refinement of resilience measures.

Example: Following its self-assessment of ATM network resilience, AmBank enhances alternative cash withdrawal options (e.g., mobile cash services) after identifying dependency risks in specific regions.

By systematically conducting self-assessments, AmBank Malaysia can sustain and enhance its operational resilience. This ongoing evaluation process ensures the bank remains prepared for disruptions, strengthens regulatory compliance, and builds customer trust.

Through structured self-assessments and continuous improvements, AmBank reinforces its position as a resilient and secure financial institution.

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.