[OR] [BCPC] [C2] The Evolving Risk Landscape in ASEAN

Chapter 2

The Evolving Risk Landscape in Malaysia & ASEAN

Introduction

Organisations operating in Malaysia and across the ASEAN region are navigating an increasingly complex and interconnected risk environment. 

The nature of disruptions has evolved significantly—from isolated, predictable incidents to multifaceted crises that cut across technology, supply chains, regulatory domains, and environmental systems.

In this context, Business Continuity Management (BCM) can no longer rely on traditional assumptions of linear disruptions and predefined recovery paths. Instead, organisations must recognise that risks are dynamic, interdependent, and often simultaneous. 

This chapter explores the key drivers of this evolving landscape and explains why a fundamental shift—from compliance-driven BCM to resilience-driven organisations—is necessary.

Purpose of the Chapter

The purpose of this chapter is to:

• Examine the key risk trends shaping Malaysia and ASEAN 

• Highlight the increasing complexity and interconnectivity of disruptions 

• Identify the limitations of traditional BCM approaches 

• Introduce the need for a resilience-driven organisational mindset 

By the end of this chapter, readers will understand why adapting to the evolving risk landscape requires more than updated plans—it requires a transformation in how organisations anticipate, respond to, and recover from disruptions.

Increasing Complexity in the Risk Environment

The ASEAN region, including Malaysia, is characterised by rapid economic growth, digital transformation, and increasing regional integration.

While these developments create opportunities, they also introduce new vulnerabilities.

Modern organisations are no longer self-contained entities. They operate within ecosystems of:

• Digital platforms
• Outsourced service providers
• Cross-border supply chains
• Regulatory frameworks spanning multiple jurisdictions

This interconnectedness means that a disruption in one area can quickly cascade across the organisation and beyond. The following risk domains illustrate this growing complexity.

Cyber Threats: A Persistent and Escalating Risk

Cyber risk has emerged as one of the most significant threats to organisational continuity.

In Malaysia and ASEAN, increased digital adoption—particularly in financial services, e-commerce, and digital banking—has expanded the attack surface for cybercriminals.

Key characteristics of cyber threats include:

• Speed and scale: Attacks can spread rapidly across systems and geographies
• Sophistication: Advanced persistent threats (APTs), ransomware, and supply chain attacks are becoming more common
• Business impact: Cyber incidents can disrupt critical business services, compromise data integrity, and damage customer trust

Unlike traditional disruptions, cyber incidents often evolve in real time, requiring organisations to make rapid decisions with incomplete information.

This challenges static BCM plans and highlights the need for adaptive response capabilities.

Third-Party Dependencies: Extending the Risk Perimeter

Organisations increasingly rely on third parties for critical services, including:

• Cloud computing and data storage
• Payment processing and fintech integrations
• Outsourced operations and shared service centres

While these partnerships enhance efficiency and innovation, they also introduce dependencies that are often outside direct organisational control.

Key challenges include:

• Limited visibility into third-party resilience capabilities
• Concentration risk (e.g., reliance on a small number of critical vendors)
• Cross-border regulatory and operational complexities

A disruption affecting a key third party can have immediate and widespread consequences, as seen in global supply chain disruptions and technology outages.

Traditional BCM approaches, which focus primarily on internal processes, are insufficient to address these extended risks.

Climate and Environmental Disruptions

Malaysia and the broader ASEAN region are particularly vulnerable to climate-related risks, including:

• Flooding and extreme weather events
• Rising temperatures affecting infrastructure and workforce productivity
• Environmental degradation impacting supply chains and resource availability

These disruptions are:

• Increasing in frequency and severity
• Difficult to predict with precision
• Capable of affecting multiple locations simultaneously

Climate risks challenge the traditional assumption that disruptions are localised and temporary. Instead, organisations must prepare for prolonged and widespread impacts that require coordinated, multi-site responses.

Regulatory Expectations: The Rise of Operational Resilience

Regulators across ASEAN are placing greater emphasis on operational resilience, moving beyond traditional compliance requirements.

In Malaysia, Bank Negara Malaysia (BNM) has been at the forefront of this shift. Through its evolving guidance and discussion papers on operational resilience, BNM emphasises:

• Identification of Critical Business Services (CBS)
• Mapping of dependencies and interconnections
• Establishment of impact tolerances
• Conduct of severe but plausible scenario testing

This represents a significant shift in regulatory expectations:

• From ensuring the existence of plans → to demonstrating the ability to maintain service continuity
• From periodic testing → to continuous resilience validation
• From siloed risk management → to integrated, enterprise-wide resilience

Similar trends are observed across ASEAN regulators, reflecting a broader global movement towards resilience-focused supervision.

Why Traditional BCM Approaches Are Insufficient

Given the evolving risk landscape, traditional BCM approaches face several limitations:

Static Planning in a Dynamic Environment

Traditional BCM relies heavily on predefined scenarios and documented procedures. However:

• Disruptions are increasingly unpredictable
• Scenarios may not reflect real-world complexity
• Plans may become outdated quickly

Siloed Implementation

BCM is often managed as a standalone function, separate from:

• Operational risk management
• Cybersecurity
• Third-party risk management

This fragmentation limits the organisation’s ability to respond holistically to interconnected risks.

Compliance-Driven Mindset

In many organisations, BCM is treated as a regulatory requirement rather than a strategic capability:

• Focus on documentation rather than effectiveness
• Exercises conducted to satisfy audit requirements
• Limited engagement from business units

This approach creates a false sense of preparedness without ensuring real resilience.

Limited Focus on People and Behaviour

Traditional BCM emphasises processes and systems, but often overlooks:

• Decision-making under pressure
• Cross-functional collaboration
• Leadership behaviour during crises

As a result, organisations may have well-documented plans but lack the capability to execute them effectively.

The Shift: From Compliance-Driven BCM to Resilience-Driven Organisations

To address these limitations, organisations must undergo a fundamental shift in mindset and approach.

From Plans to Outcomes

• Focus on maintaining critical business services, not just recovering processes
• Define acceptable levels of disruption (impact tolerances)

From Siloed Functions to Integrated Resilience

• Align BCM with:
• Operational Risk Management
• Cyber Resilience
• Third-Party Risk Management
• Break down organisational silos

From Periodic Testing to Continuous Readiness

• Conduct dynamic, scenario-based exercises
• Incorporate real-time learning and improvement

From Compliance to Culture

• Embed resilience into organisational values and behaviours
• Encourage proactive risk awareness and accountability
• Empower employees to act decisively during disruptions

Setting the Foundation for Cultural Transformation

The evolving risk landscape makes one reality clear: resilience cannot be achieved through frameworks alone.

Organisations must cultivate a culture that:

• Recognises the importance of resilience at all levels
• Encourages collaboration across functions and partners
• Supports rapid, informed decision-making
• Continuously adapts to emerging risks

This cultural transformation is not optional—it is essential for navigating the complexities of the modern risk environment.

Malaysia and ASEAN organisations are operating in a risk landscape defined by complexity, interdependence, and rapid change.

Cyber threats, third-party dependencies, climate disruptions, and evolving regulatory expectations have fundamentally altered the nature of business continuity challenges.

Traditional BCM approaches, while still relevant, are no longer sufficient on their own.

They must be complemented by a broader, more integrated approach to resilience—one that focuses on outcomes, embraces complexity, and prioritises adaptability.

At the heart of this transformation lies culture. Culture determines whether organisations can move beyond compliance and achieve true resilience.

As the next chapters will explore, building a resilience-driven culture is the key to navigating this evolving landscape and ensuring continuity in an increasingly uncertain world.