[OR] [AmB] [E2] [P3] [S5] [C19] Conducting Independent Quality Reviews

Written by Moh Heng Goh | Jan 22, 2026 9:21:20 AM

Conduct an Independent Quality Review in the “Sustain” Phase of AmBank Malaysia’s Operational Resilience Planning Methodology

Introduction

Operational resilience is not a one-time implementation but an ongoing process that requires continuous improvement. In AmBank Malaysia’s Operational Resilience Planning Methodology, the “Sustain” phase ensures that the resilience framework remains effective and adaptive to emerging risks and regulatory changes.

A key step in this phase is conducting an Independent Quality Review, which provides an objective assessment of the resilience framework’s effectiveness, identifies gaps, and ensures alignment with industry best practices and regulatory expectations.

Implementation Steps for Conducting an Independent Quality Review

Step 1: Define the Scope and Objectives of the Quality Review

Before initiating the review, AmBank must clearly define the scope and objectives.

The review should assess whether the bank’s operational resilience framework aligns with regulatory guidelines, such as Bank Negara Malaysia’s Risk Management in Technology (RMiT) Policy Document, and global standards like the Basel Committee on Banking Supervision (BCBS) principles on operational resilience.

Example:

If AmBank has recently implemented new resilience measures for its core banking platform, the review should focus on evaluating their effectiveness, particularly in handling cyber threats, third-party risks, and incident response capabilities.

Step 2: Engage an Independent Reviewer

The review must be conducted by an independent function, such as internal audit, external consultants, or a third-party risk assurance firm. Independence ensures that the review is objective and free from conflicts of interest.

Example:

AmBank’s Group Internal Audit (GIA) team can conduct the review provided they were not involved in implementing the resilience measures. Alternatively, an external consultancy specialising in operational resilience (e.g., Deloitte or PwC) could provide an unbiased assessment.

Step 3: Assess Governance, Policies, and Procedures

The independent reviewer must evaluate the bank’s governance structure, policies, and operational resilience procedures. This involves checking whether:

  • Roles and responsibilities for resilience management are well-defined.
  • Policies align with regulatory requirements and industry standards.
  • The bank has an escalation process for resilience incidents.

Example:

If AmBank’s policy states that a system outage must be reported within 30 minutes, but the review finds that past incidents were reported after 2 hours, this would highlight a gap in adherence to the resilience policy.

Step 4: Test the Effectiveness of Resilience Measures

The review should include a functional testing phase, where key resilience measures are assessed for effectiveness. This may involve:

  • Scenario Testing: Simulating disruptions (e.g., cyberattacks, data center failures) to evaluate response times.
  • Tabletop Exercises: Engaging key stakeholders to test crisis management procedures.
  • Third-Party Risk Assessments: Ensuring that vendors meet AmBank’s resilience requirements.

Example:

During a scenario test, the bank simulates a ransomware attack. If AmBank’s IT recovery team fails to restore critical banking services within the established Recovery Time Objective (RTO) of 2 hours, the review will highlight this as a major issue requiring remediation.

Step 5: Review Critical Third-Party Dependencies

Operational resilience depends on the bank’s ability to manage third-party risks, including cloud service providers, payment processors, and technology vendors. The quality review should assess:

  • Whether third-party contracts include resilience requirements.
  • If the bank conducts regular due diligence and resilience testing on key vendors.

Example:

If AmBank outsources its mobile banking platform to a third-party provider, but the review finds that the vendor does not have a Business Continuity Plan (BCP) for cyber incidents, this would be a critical gap requiring corrective action.

Step 6: Analyse Past Incidents and Lessons Learned

An independent review should examine historical incident reports and assess whether AmBank has effectively learned from past disruptions. This includes:

  • Analysing root cause reports of past IT outages, cyberattacks, or operational failures.
  • Checking whether identified issues have been properly remediated.
  • Assessing how lessons learned are integrated into resilience improvements.

Example:

If a power outage previously disrupted AmBank’s online banking services, but the review finds that no alternative backup power source has been implemented, this would indicate a failure to apply lessons learned.

Step 7: Provide Recommendations and Ensure Continuous Improvement

At the conclusion of the quality review, the independent reviewer should provide:

  • A detailed report with key findings, gaps, and risks.
  • Recommendations for improving resilience measures.
  • An action plan with specific timelines for remediation.

Example:

If the review finds that incident response drills are not conducted frequently, the recommendation could be to increase their frequency to quarterly instead of annually.

Step 8: Establish Ongoing Monitoring and Reporting Mechanisms

Operational resilience is a continuous process. AmBank should:

  • Implement regular quality reviews (e.g., annually or semi-annually).
  • Track progress on remediation efforts using Key Risk Indicators (KRIs).
  • Ensure that findings are reported to senior management and the Board Risk Committee.

Example:

AmBank’s Operational Resilience Committee could review quarterly reports on resilience improvements and escalate major concerns to the Board of Directors for decision-making.

Conducting an independent quality review is a critical step in sustaining operational resilience at AmBank Malaysia. By implementing a structured review process—including defining scope, engaging independent assessors, testing resilience measures, and ensuring continuous monitoring—AmBank can maintain robust resilience capabilities.

This ensures compliance with regulatory requirements, mitigates emerging risks, and enhances the bank’s ability to withstand operational disruptions, ultimately safeguarding customer trust and financial stability.

Ultimately, by institutionalising a culture of independent review and continuous improvement, Metrobank embeds resilience into its operational DNA and positions itself to thrive in a world of ever-increasing complexity.


Operational Resilience Framework: A Case Study of AmBank Malaysia
"Sustain" Phase of the Operational Resilience Planning Methodology

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.

