Implementing Operational Resilience for Bank Islam: Aligning with BNM and Global Best Practices

Moh Heng Goh
Operational Resilience Certified Planner-Specialist-Expert


CBS-3 Retail Financing Services

Introduction


In line with the principles outlined in the Bank Negara Malaysia 2025 Discussion Paper on Operational Resilience and the guidance described in the BCM Institute article on Severe but Plausible Scenarios, this chapter identifies disruption scenarios that are extreme in impact yet realistically possible for Bank Islam Malaysia Berhad’s CBS-3 Retail Financing Services.

Severe but plausible scenarios are not hypothetical extremes with negligible probability; rather, they reflect credible operational, cyber, third-party, Shariah, regulatory, and technology-related events that could materially disrupt critical retail financing processes.

The objective of this chapter is to ensure that each Sub-CBS under Retail Financing Services is tested against meaningful stress conditions, strengthening preparedness, response capability, and resilience in accordance with regulatory expectations.


Table P5: Identify Severe but Plausible Scenarios for CBS-3

| Sub-CBS Code | Sub-CBS | Severe but Plausible Scenario | Impact / Effect | Proactive Risk Management Action (Evidence) | Link to Integration of Cyber and ICT Risks |
|---|---|---|---|---|---|
| 3.1 | Product Structuring & Shariah Governance | Shariah non-compliance was identified post-product launch due to a system configuration error affecting profit calculation logic | Reputational damage, suspension of product, financial restitution, and regulatory scrutiny | Pre-launch Shariah validation checklist, automated rule validation testing, Shariah audit trails, annual independent Shariah review | ICT change management failure, configuration error risk, inadequate system testing controls |
| 3.2 | Customer Application Intake & Submission | Prolonged digital channel outage (mobile/web financing application portal) due to Distributed Denial of Service (DDoS) attack | Inability to submit applications, customer dissatisfaction, and revenue delay | DDoS protection, traffic monitoring, alternate manual/branch submission workflow, BCP-tested failover environment | Cybersecurity monitoring, network resilience, and cloud hosting redundancy |
| 3.3 | Credit Assessment & Approval | Core credit scoring engine unavailable following ransomware infection | Delayed approvals, backlog accumulation, and credit risk misjudgment if manual override is used | Segregated credit systems, regular data backups, endpoint detection and response (EDR), and ransomware playbook exercises | Malware protection, secure data backup, privileged access management |
| 3.4 | Financing Documentation & Legal Perfection | Nationwide disruption to the e-signature platform or the third-party legal documentation vendor | Inability to perfect security documents, legal unenforceability risk | Dual-vendor legal panel, offline documentation fallback, periodic vendor resilience assessment | Third-party ICT risk management, vendor system integration dependency |
| 3.5 | Disbursement Processing | Payment interface failure between the financing system and the core banking system | Delayed or erroneous disbursement, financial loss, and customer complaints | Interface monitoring dashboards, reconciliation automation, and pre-disbursement control checks | API integration controls, system interface resilience testing |
| 3.6 | Account Setup & Maintenance | Data corruption during batch processing affecting newly onboarded accounts | Incorrect balances, customer disputes, and operational rework | Automated data validation scripts, maker-checker controls, and daily reconciliation reporting | Database integrity monitoring, batch job resilience, disaster recovery testing |
| 3.7 | Instalment Collection & Payment Processing | Failure of auto-debit processing due to core banking outage during the peak cycle | Missed collections, liquidity mismatch, customer penalty disputes | Payment cycle contingency plan, grace-period policy activation, customer notification protocol | Core banking availability, real-time system monitoring, and recovery time objective (RTO) testing |
| 3.8 | Profit Calculation & Statement Generation | Incorrect profit computation due to a system patch defect | Financial misstatement, Shariah breach risk, regulatory reporting impact | Parallel run testing post-system patch, automated reconciliation of profit tables, and internal audit review | ICT patch management, change governance, and regression testing |
| 3.9 | Arrears Monitoring & Early Intervention | Failure of the early warning trigger system due to data feed disruption | Delayed arrears action, higher impairment levels | Automated exception reporting, manual watchlist review trigger, periodic stress testing | Data integration risk, data warehouse availability |
| 3.10 | Recovery & Collection Management | Cyber breach exposing customer recovery data | Confidentiality breach, regulatory penalties, litigation risk | Data encryption, restricted access controls, regular penetration testing, and incident response drills | Data protection controls, SOC monitoring, cyber incident management |
| 3.11 | Customer Service & Complaint Handling | CRM system outage during a high complaint surge following a financing disruption | Inability to log/track complaints, reputational impact | CRM backup system, manual complaint register protocol, overflow call centre arrangement | Cloud CRM resilience, third-party SaaS dependency risk |
| 3.12 | Regulatory, Risk & Shariah Reporting | Inaccurate regulatory submission due to data aggregation failure | Regulatory breach, supervisory action from BNM | Pre-submission validation scripts, independent risk review, regulatory reporting contingency process | Data governance controls, reporting system redundancy |


The identification of severe but plausible scenarios for CBS-3 Retail Financing Services enables Bank Islam Malaysia Berhad to move beyond traditional risk identification toward operational resilience thinking. By deliberately stress-testing each detailed process against credible operational, cyber, third-party, Shariah, and regulatory disruptions, the Bank strengthens its ability to remain within defined impact tolerances even under adverse conditions.

The integration of Cyber and ICT risks across all Sub-CBS processes reflects the regulatory direction set by Bank Negara Malaysia, emphasising that digital dependency is inseparable from service resilience. Proactive risk management actions — including testing, monitoring, governance controls, redundancy planning, and scenario exercises — serve as tangible evidence that resilience is embedded within day-to-day operations rather than treated as a reactive compliance requirement.

Collectively, these scenarios form a structured foundation for scenario testing, impact tolerance validation, and continuous improvement of Retail Financing Services under CBS-3.

 
