Establishing impact tolerances for CBS-3 Retail Financing Services aligns with the principles outlined in BNM’s 2025 Discussion Paper on Operational Resilience and industry guidance on operational resilience impact tolerances. Rather than focusing solely on recovery time objectives (RTOs), impact tolerances define the maximum level of disruption that can be tolerated before causing intolerable harm to customers, regulatory compliance, financial soundness, or Shariah integrity.
This chapter defines appropriate impact tolerances for each Sub-CBS under CBS-3 Retail Financing Services. It aims to:
Identify the maximum tolerable downtime (MTD) and maximum tolerable data loss (MTDL) for each detailed process.
Assess the potential customer and regulatory impacts if disruptions exceed tolerance levels.
Evaluate current resilience posture and highlight required remediation actions.
Support Board and Senior Management oversight in meeting BNM’s expectations on operational resilience and Shariah governance.
|
Sub-CBS Code |
Sub-CBS |
Maximum Tolerable Downtime (MTD) |
Maximum Tolerable Data Loss (MTDL) |
Customer Impact |
Regulatory Impact |
Impact Type |
Current Resilience Status |
Action Required |
|
3.1 |
Product Structuring & Shariah Governance |
5 working days |
Zero tolerance for Shariah rulings; ≤ 1 hour working drafts |
Delay in new product launch |
Shariah non-compliance risk; breach of Shariah Governance Policy |
Reputational / Compliance |
Moderate – reliant on committee scheduling |
Strengthen digital documentation & version control; alternate Shariah quorum |
|
3.2 |
Customer Application Intake & Submission |
24 hours |
≤ 15 minutes |
Inability to submit applications; customer dissatisfaction |
Potential breach of fair treatment obligations |
Customer / Conduct |
Strong digital redundancy in place |
Enhance surge capacity & channel failover testing |
|
3.3 |
Credit Assessment & Approval |
48 hours |
≤ 30 minutes |
Delayed approvals; lost business opportunities |
Credit risk misstatement; governance breach |
Financial / Prudential |
Moderate – partial automation |
Improve system integration & decision engine resilience |
|
3.4 |
Financing Documentation & Legal Perfection |
3 working days |
Zero tolerance for executed legal docs |
Delay in disbursement; legal exposure |
Legal enforceability risk; audit findings |
Legal / Compliance |
Moderate |
Digital vault backup & dual-site legal repository |
|
3.5 |
Disbursement Processing |
24 hours |
≤ 15 minutes |
Customer unable to access approved financing |
Regulatory breach on customer funds handling |
Customer / Financial |
Strong controls but dependent on core banking uptime |
Strengthen payment gateway redundancy |
|
3.6 |
Account Setup & Maintenance |
24 hours |
≤ 15 minutes |
Incorrect account status; billing errors |
Reporting inaccuracies to BNM |
Financial / Regulatory |
Moderate |
Improve reconciliation automation & data validation controls |
|
3.7 |
Instalment Collection & Payment Processing |
4 hours (peak cycle); 24 hours (non-peak) |
≤ 5 minutes |
Missed instalments; penalty miscalculation |
Consumer protection & Shariah profit issues |
Customer / Shariah |
Strong – high automation |
Enhance real-time monitoring & fallback batch processing |
|
3.8 |
Profit Calculation & Statement Generation |
24 hours |
Zero tolerance for calculation errors; ≤ 5 minutes of data |
Incorrect statements; trust erosion |
Shariah and financial misstatement risk |
Financial / Shariah / Reputational |
Moderate |
Strengthen parallel recalculation & audit trail validation |
|
3.9 |
Arrears Monitoring & Early Intervention |
3 working days |
≤ 30 minutes |
Delayed outreach; worsening delinquency |
Credit risk provisioning misalignment |
Prudential / Financial |
Moderate |
Automate early-warning triggers; backup MIS dashboards |
|
3.10 |
Recovery & Collection Management |
5 working days |
≤ 1 hour |
Slower recovery; financial losses |
Governance & conduct risk |
Financial / Conduct |
Moderate |
Develop remote access recovery workflows |
|
3.11 |
Customer Service & Complaint Handling |
24 hours |
≤ 15 minutes |
Increased complaints; reputational damage |
Breach of complaint handling guidelines |
Conduct / Reputational |
Strong multi-channel support |
Enhance disaster recovery for CRM platform |
|
3.12 |
Regulatory, Risk & Shariah Reporting |
48 hours (interim); 5 working days (final) |
Zero tolerance for submitted regulatory data |
Supervisory concern; potential penalties |
Breach of BNM reporting requirements |
Regulatory / Prudential |
Moderate |
Strengthen regulatory reporting data lineage & backup reporting site |
Consistent with BNM’s expectations:
Establishing impact tolerances for CBS-3 Retail Financing Services enables Bank Islam to clearly define the boundary between acceptable disruption and intolerable harm. By setting measurable downtime and data loss thresholds for each Sub-CBS, the Bank strengthens its ability to prioritise resilience investments, allocate resources effectively, and demonstrate compliance with BNM’s operational resilience expectations.
The next step involves rigorous scenario testing against these tolerances, validating whether existing controls, redundancy arrangements, and third-party dependencies can ensure disruptions remain within defined limits. Continuous review and Board-level oversight will ensure that the Bank’s retail financing services remain resilient, Shariah-compliant, and customer-centric even under severe but plausible stress scenarios.
|
Implementing Operational Resilience for Bank Islam: Aligning with BNM and Global Best Practices |
|||||
| eBook 3: Starting Your OR Implementation |
|||||
| CBS-3 Retail Financing Services | |||||
| CBS-3 DP | CBS-3 MD | CBS-3 MPR | CBS-3 ITo | CBS-3 SuPS | CBS-3 ST |
To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.
|
If you have any questions, click to contact us. |
||
|
|