Scenario testing is a core operational resilience activity that enables AmBank to assess whether its Critical Business Services (CBS) can remain within defined impact tolerances when subjected to severe but plausible disruptions.
For CBS-1 Retail & Digital Banking, scenario testing goes beyond traditional IT disaster recovery by examining end-to-end service continuity, customer harm, regulatory obligations, and systemic risks arising from cyber threats, ICT failures, third-party dependencies, and process breakdowns.
This chapter presents recommended scenario testing themes for each detailed process (Sub-CBS), explicitly integrating cyber and ICT risk considerations and highlighting evidence of proactive risk management actions.
The objective is to demonstrate how AmBank can operationalise scenario testing as a forward-looking control to strengthen resilience, validate preparedness, and meet regulatory expectations under operational resilience frameworks.

| Sub-CBS Code | Sub-CBS | Recommended Scenario Test Themes | Impact / Effect | Evidence of Proactive Risk Management Action |
|---|---|---|---|---|
| 1.1 | Customer Onboarding & KYC | Mass identity fraud attempt combined with the outage of the e-KYC biometric verification system (cyber + ICT failure) | Inability to onboard customers, regulatory breach of AML/KYC timelines, and reputational damage | Regular red-team testing on e-KYC systems; manual fallback KYC procedures tested; cyber-fraud detection thresholds reviewed |
| 1.2 | Digital Banking Platform Provisioning | Core digital banking platform unavailable due to cloud service provider outage and misconfigured failover | Customers unable to access accounts; service unavailability beyond tolerance | Multi-region DR testing; cloud exit and substitution plans; ICT resilience testing with CSP |
| 1.3 | Transaction Processing Services | Core banking system latency caused by a ransomware attack on the transaction middleware | Delayed or failed transactions; financial losses; customer harm | Ransomware simulation exercises, network segmentation, and immutable backups were tested |
| 1.4 | Digital Payments & Settlement | Real-time payment gateway disruption during peak hours due to a DDoS attack | Payment failures, settlement delays, and potential systemic risk | DDoS mitigation drills; alternate payment routing tested; coordination with payment network operators |
| 1.5 | Loan & Credit Product Management | Credit decision engines are unavailable due to data integrity corruption | Loan approvals delayed; breach of service commitments | Data validation controls tested; manual credit approval workflows rehearsed |
| 1.6 | Deposit & Savings Product Management | Interest calculation batch failure caused by an incorrect system patch | Incorrect balances and customer complaints | Pre-deployment ICT change testing; reconciliation controls and customer remediation playbooks |
| 1.7 | Customer Support & Service Resolution | Contact centre systems are unavailable following a cyber incident affecting the CRM platform | Inability to respond to customer issues; escalation of harm | Alternate customer communication channels tested; cyber incident call-handling drills |
| 1.8 | Compliance, Risk & Security Monitoring | Security monitoring tools fail during coordinated cyber intrusion | Delayed detection of threats; regulatory non-compliance | SOC resilience testing; dual monitoring tools; incident response tabletop exercises |
| 1.9 | Data Analytics & Personalisation | Data lake unavailable due to third-party hosting failure | Loss of personalisation, degraded customer experience | Third-party ICT risk assessments; data replication and recovery tests |
| 1.10 | Back-office Support & Reconciliation | End-of-day reconciliation is delayed due to the ICT outage and staff unavailability | Financial misstatements; delayed reporting | Cross-training of staff; reconciliation automation tested; manual contingency procedures exercised |

Scenario testing for CBS-1 Retail & Digital Banking enables AmBank to move from assumption-based resilience to evidence-based preparedness.
By testing severe but plausible scenarios that combine cyber threats, ICT failures, people constraints, and third-party disruptions, AmBank can validate whether critical services remain within impact tolerances and where vulnerabilities persist.
The structured scenarios and proactive actions outlined in this chapter demonstrate how scenario testing supports continuous improvement, informs investment decisions, and strengthens regulatory confidence.
When embedded as a recurring discipline, scenario testing becomes a strategic tool that enhances AmBank’s ability to protect customers, maintain trust, and sustain essential retail and digital banking services under stress.

Operational Resilience Framework: A Case Study of AmBank Malaysia | eBook 3: Starting Your OR Implementation | CBS-1 Retail & Digital Banking