Chapter 2
Comparison with Plan Phase [P1] of OR Planning Methodology
BNM’s Discussion Paper articulates high-level principles and focus areas to strengthen operational resilience across financial institutions.
It reflects the realities of increased digital reliance, interconnected systems, and reliance on external parties, with the aim of ensuring the continuity of critical services during significant disruptions, such as cyber incidents, system outages, or external shocks.
Key themes include:
- Need to identify and maintain critical services that, if disrupted, could harm customers or systemic stability.
- Focus on interdependencies, especially third-party and technology relationships.
- Governance and Board Accountability for Resilience Outcomes.
- Moving beyond internal recovery metrics toward customer-centric tolerances of disruption.
- Importance of scenario testing across people, process, technology and ecosystem levels.
Overview of the BCM Institute’s “Plan” Phase (OR-P1)
The BCM Institute’s Plan phase (the first of three phases in operational resilience planning) establishes the foundational thinking and organisational preparedness necessary before detailed resilience work begins. It comprises five sequential stages:
- Assess Capability & Maturity – Establish current resilience capabilities and gaps.
- Analyse Gap – Identify and prioritise where resilience capabilities require strengthening.
- Develop Strategy & Roadmap – Develop a strategic plan to enhance resilience capabilities, aligned with organisational directives.
- Confirm Risk Appetite – Establish risk appetite and thresholds (KPIs/KRIs) aligned to organisational objectives and resilience outcomes.
- Develop & Embed Governance – Embed operational resilience within governance and decision-making structures.
Detailed Comparison: Plan Phase vs. BNM Expectations
| Component | BNM Discussion Paper Expectations | BCM Institute Plan Phase Activities | Comparison/Alignment |
|---|---|---|---|
| [P1-S1] Assess Capability & Maturity | Implied need for institutions to understand the maturity of existing practices vs. resilience outcomes | Assess Capability & Maturity directly establishes a baseline | Both require understanding where you are today before planning forward |
| [P1-S2] Analyse Gap | Regulators expect firms to recognise limitations in current practices (e.g., reliance on third parties, outdated recovery assumptions). | Analyse Gap identifies resilience gaps relative to desired outcomes | Both frameworks emphasise gap analysis, though BNM’s is broader and outcome-oriented |
| [P1-S3] Develop Strategy & Roadmap | BNM calls for high-level strategic thinking—“identify critical services,” “map interdependencies,” “define tolerances”—though not within a formal strategy roadmap template. | Develop Strategy & Roadmap creates a formal plan with executive approval to enhance resilience | BNM’s principles provide inputs into an operational resilience strategy, but the BCM Institute formalises it into a roadmap tied to capabilities |
| [P1-S4] Confirm Risk Appetite | BNM explicitly promotes impact tolerances based on customer-centric outcomes rather than internal metrics. | Confirm Risk Appetite sets organisational risk appetite and related KPIs/KRIs early in planning | Both stress the importance of defining acceptable levels of disruption, though BNM situates it more in terms of service impact |
| [P1-S5] Develop & Embed Governance | Strong emphasis on board/senior-management accountability and governance structures. | Develop & Embed Governance integrates resilience into governance and oversight mechanisms | Very close alignment: both require governance structures that support ongoing oversight and accountability |
| External Dependencies / Third Parties [P2-S2] | BNM highlights interconnected dependencies (cloud, vendors) as systemic vulnerabilities. | Not explicitly a separate Plan activity, but dependencies will be uncovered in strategy and gap analysis | The BCM Institute plan lays the groundwork, but deeper dependency analysis is part of the later Implementation phase |
| Scenario Planning & Testing [P2-S5] | BNM expects scenario testing, including severe but plausible stress testing across functions. | Not part of Plan; builds into the Implement phase | BNM’s testing expectations influence strategy development, but are operationalised later in the methodology |

Key Observations
Shared Orientation Toward Outcomes
Both BNM’s discussion paper and the BCM Institute’s Plan phase recognise that traditional resilience (recovery times, backups) is insufficient on its own. What matters is maintaining customer-facing critical services within tolerable limits during disruptions.
Governance and Accountability Are Central
BNM’s emphasis on board and senior management's responsibility aligns closely with the Plan phase’s requirement to embed governance and secure executive approval for the resilience strategy and risk appetite.
Strategic Thinking Is a Foundation
While BNM provides high-level expectations, the BCM Institute’s Plan phase provides a structured process for translating those expectations into executable plans, including maturity assessments, gap analyses, and strategic roadmaps.
Risk Appetite vs Impact Tolerances
BCM Institute’s Plan phase begins with the risk appetite, expressed in general terms (KPIs/KRIs).
BNM specifically advocates defining impact tolerances for critical services, thereby pushing organisations toward tolerances based on external impact rather than internal operational metrics.
Planning vs Implementation Timing
BNM’s Discussion Paper sets out requirements that span both planning and implementation (e.g., dependency mapping and scenario testing).
In BCM Institute’s model, these deeper analytical and tactical activities (e.g., mapping, testing) are intentionally reserved for the Implement phase (P2), underscoring that Plan is about strategic readiness, not execution.
Practical Implications
If an organisation is using the BCM Institute’s Plan phase as its methodological start:
- BNM’s expectations validate the Plan phase’s activities and provide regulatory impetus for organisations to take them seriously.
- The outputs of the Plan phase (maturity baseline, gap analysis, resilience strategy, risk appetite, and governance) will be foundational for meeting BNM’s evolving expectations.
- BNM’s emphasis on impact tolerances and customer-centric tolerances should be embedded in the Plan phase’s strategy and risk appetite formulation, even if the detailed implementation (mapping and testing) occurs later.
- The governance work of the Plan phase should explicitly reference board oversight and accountability mechanisms for operational resilience, as required by BNM.
| Dimension | BNM Discussion Paper | BCM Institute Plan Phase | Alignment |
|---|---|---|---|
| Direction | High-level principles guiding resilience expectations | Structured planning steps to prepare a resilience programme | Complementary |
| Strategy | Implicit in expectations (identify, tolerate, respond) | Explicit strategy roadmap development | BCM Institute adds structure |
| Risk Appetite | Focuses on service impact tolerances | KPIs/KRIs and risk appetite scoping | Can be harmonised |
| Governance | Strong regulator emphasis | Integral planning stage | Strongly aligned |
| Action | Includes mapping/testing expectations | The Plan phase sets the stage, but leaves the action to the Implement phase | Sequentially aligned |

Note from Author/Speaker

Author Comment: This is a detailed comparison between Bank Negara Malaysia’s (BNM) Discussion Paper on Operational Resilience (the regulator’s emerging expectations for financial institutions) and the “Plan” phase of the BCM Institute’s Operational Resilience Planning Methodology (as laid out in the OR-P1 guidance).

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.