Bridging the Divide: Culture as the Linchpin of Business Continuity

Aligning with Regulatory Expectations

Note from Author:

This is a write-up of Dr Goh Moh Heng's presentation "Bridging the Divide: Culture as the Linchpin of Business Continuity" at the Business Continuity Planning Conference 2026 held at Langkawi, Malaysia.

Moh Heng Goh
Operational Resilience Certified Planner-Specialist-Expert

Chapter 11

Aligning with Regulatory Expectations

 

Introduction

Regulatory expectations across Malaysia and the broader ASEAN region are evolving rapidly.

Supervisory authorities are no longer satisfied with organisations simply demonstrating the existence of Business Continuity Management (BCM) frameworks.

Instead, they increasingly expect institutions to prove that they can maintain critical services under stress.

This shift reflects a broader move toward operational resilience—a discipline that emphasises outcomes, not just processes.

While regulations may not explicitly mandate “culture,” they are increasingly assessing it implicitly through how organisations behave, respond, and improve.

This chapter explores how organisations can align with these expectations and demonstrate credible evidence of a resilience-driven culture during audits and regulatory reviews.

 

Purpose of the Chapter

The purpose of this chapter is to:

  • Explain the regulatory shift toward operational resilience
  • Highlight key areas of regulatory focus
  • Describe how regulators assess culture indirectly
  • Provide guidance on demonstrating evidence of culture in audits and reviews

By the end of this chapter, readers will understand how to align cultural initiatives with regulatory expectations and strengthen audit readiness.

 

The Shift Toward Operational Resilience

Regulators are moving beyond traditional BCM compliance to focus on whether organisations can withstand and recover from disruptions while continuing to deliver critical services.

In Malaysia, this shift is strongly influenced by Bank Negara Malaysia (BNM), which has emphasised operational resilience through its evolving guidelines and discussion papers.

Key Regulatory Themes

Across Malaysia and ASEAN, regulators are increasingly emphasising:

  • Outcome-Based Resilience
    Organisations must demonstrate the ability to maintain service continuity, not just document recovery plans
  • End-to-End Service Perspective
    Focus on critical business services rather than isolated processes
  • Integration Across Risk Domains
    Alignment of BCM with operational risk, cyber resilience, and third-party risk
  • Continuous Testing and Improvement
    Regular validation of resilience capabilities through scenario testing

 

Increasing Emphasis Areas

Operational Resilience

Operational resilience requires organisations to:

  • Identify and prioritise critical services
  • Understand dependencies and interconnections
  • Build the capability to absorb and recover from disruptions

Cultural implication:

  • Resilience must be embedded across all levels
  • Employees must understand their role in maintaining service continuity

Critical Business Services (CBS)

Regulators now expect organisations to:

  • Define their critical business services
  • Assess the impact of disruptions on these services
  • Establish tolerances for disruption

Cultural implication:

  • Business units must take ownership of their services
  • Decisions must prioritise service continuity over internal convenience

Scenario Testing

Scenario testing is a key regulatory requirement for validating resilience.

Organisations are expected to:

  • Conduct severe but plausible scenarios
  • Test cross-functional coordination
  • Evaluate decision-making under stress

Cultural implication:

  • Employees must engage actively in exercises
  • Leadership must demonstrate decisiveness and accountability
  • Learning must be continuous and transparent

 

How Regulators Are Implicitly Assessing Culture

While culture is rarely assessed directly, regulators evaluate it through observable behaviours and outcomes.

Indicators Used by Regulators

Regulators assess culture indirectly by examining:

  • Leadership Engagement
    • Are senior leaders actively involved in resilience initiatives?
    • Do they participate in scenario testing?
  • Decision-Making Effectiveness
    • Are decisions timely and aligned with resilience objectives?
    • Is there clarity in authority and escalation?
  • Cross-Functional Coordination
    • Do teams collaborate effectively during disruptions?
    • Are silos evident in response efforts?
  • Quality of Exercises
    • Are exercises realistic and challenging?
    • Do they lead to meaningful improvements?
  • Continuous Improvement
    • Are lessons learned implemented?
    • Is there evidence of ongoing capability enhancement?

Behaviour vs Documentation

Regulators increasingly differentiate between:

  • What is documented (policies, plans)
  • What is demonstrated (actual performance)

An organisation with strong documentation but weak execution may still be viewed as high risk.

 

Demonstrating “Evidence of Culture” in Audits and Reviews

To meet regulatory expectations, organisations must provide tangible evidence that culture supports resilience.

Types of Evidence

Evidence of culture can be demonstrated through:

1. Exercise Outcomes

  • Detailed reports showing:
    • Decision-making effectiveness
    • Coordination across teams
    • Identified gaps and improvements

2. Incident Response Records

  • Documentation of real incidents, including:
    • Timelines of actions taken
    • Communication logs
    • Lessons learned and corrective actions

3. Training and Awareness Metrics

  • Participation rates in BCM training
  • Feedback from employees
  • Evidence of role-based capability development

4. Governance and Oversight

  • Board and management meeting minutes
  • Evidence of leadership engagement in resilience discussions
  • Oversight of critical business services

Behavioural Evidence

Beyond documentation, organisations should demonstrate:

  • Empowered decision-making at operational levels
  • Effective cross-functional collaboration
  • Proactive identification and escalation of risks

This can be captured through:

  • Exercise observations
  • Post-incident reviews
  • Internal assessments

Linking Evidence to Outcomes

Regulators are particularly interested in outcomes such as:

  • Ability to maintain critical services
  • Reduced recovery times
  • Improved response coordination

Organisations should clearly link:

  • Cultural initiatives → behavioural improvements → resilience outcomes

 

Integrating Culture into Regulatory Compliance

To align culture with regulatory expectations, organisations should:

Embed Culture into BCM Frameworks

  • Align policies with behavioural expectations
  • Integrate cultural objectives into resilience programs

Strengthen Leadership Accountability

  • Ensure leadership actively participates in resilience initiatives
  • Link resilience outcomes to performance metrics

Enhance Scenario Testing

  • Use realistic and challenging scenarios
  • Focus on behaviour, not just process validation

Establish Continuous Feedback Loops

  • Capture lessons learned from exercises and incidents
  • Implement improvements consistently

 

From Compliance to Demonstrated Capability

The ultimate goal of regulatory alignment is not just compliance, but demonstrated capability.

This requires organisations to:

  • Move beyond documentation
  • Focus on execution and outcomes
  • Embed resilience into culture and behaviour

Organisations that achieve this will not only meet regulatory expectations but also gain a competitive advantage through enhanced resilience.

 

Regulatory expectations in Malaysia and ASEAN are increasingly focused on operational resilience, critical business services, and scenario testing.

While culture may not always be explicitly defined in regulations, it is implicitly assessed through behaviour, performance, and outcomes.

Organisations must therefore demonstrate not only that they have frameworks in place, but that they can execute effectively during disruptions.

This requires providing clear evidence of a resilience-driven culture—through exercises, incident responses, governance, and continuous improvement.

Ultimately, aligning with regulatory expectations is not about meeting minimum requirements. It is about building an organisation that can consistently deliver critical services under stress.

And at the heart of this capability lies culture—the true linchpin of business continuity and operational resilience.
