
[OR] [BNM] [C2] Comparison Between BNM OR Paper and the “Plan” Phase (P1) of the BCM Institute’s Operational Resilience Planning Methodology

Written by Moh Heng Goh | Jan 15, 2026 6:16:47 AM

Chapter 2

Comparison with Plan Phase [P1] of OR Planning Methodology

BNM’s Discussion Paper articulates high-level principles and focus areas to strengthen operational resilience across financial institutions.

It reflects the realities of increased digital reliance, interconnected systems, and reliance on external parties, with the aim of ensuring the continuity of critical services during significant disruptions, such as cyber incidents, system outages, or external shocks.

Key themes include:

  • Need to identify and maintain critical services that, if disrupted, could harm customers or systemic stability.
  • Focus on interdependencies, especially third-party and technology relationships.
  • Governance and Board Accountability for Resilience Outcomes.
  • Moving beyond internal recovery metrics toward customer-centric tolerances of disruption.
  • Importance of scenario testing across people, process, technology and ecosystem levels.

Overview of the BCM Institute’s “Plan” Phase (OR-P1)

The BCM Institute’s Plan phase (the first of three phases in operational resilience planning) establishes the foundational thinking and organisational preparedness necessary before detailed resilience work begins. It comprises five sequential stages:

  1. Assess Capability & Maturity – Establish current resilience capabilities and gaps.
  2. Analyse Gap – Identify and prioritise where resilience capabilities require strengthening.
  3. Develop Strategy & Roadmap – Develop a strategic plan to enhance resilience capabilities, aligned with organisational directives.
  4. Confirm Risk Appetite – Establish risk appetite and thresholds (KPIs/KRIs) aligned to organisational objectives and resilience outcomes.
  5. Develop & Embed Governance – Embed operational resilience within governance and decision-making structures.

Detailed Comparison: Plan Phase vs. BNM Expectations

| Component | BNM Discussion Paper Expectations | BCM Institute Plan Phase Activities | Comparison/Alignment |
|---|---|---|---|
| [P1-S1] Assess Capability & Maturity | Implied need for institutions to understand the maturity of existing practices vs. resilience outcomes | Assess Capability & Maturity directly establishes a baseline | Both require understanding where you are today before planning forward |
| [P1-S2] Analyse Gap | Regulators expect firms to recognise limitations in current practices (e.g., reliance on third parties, outdated recovery assumptions). | Analyse Gap identifies resilience gaps relative to desired outcomes | Both frameworks emphasise gap analysis, though BNM’s is broader and outcome-oriented |
| [P1-S3] Develop Strategy & Roadmap | BNM calls for high-level strategic thinking—“identify critical services,” “map interdependencies,” “define tolerances”—though not within a formal strategy roadmap template. | Develop Strategy & Roadmap creates a formal plan with executive approval to enhance resilience | BNM’s principles provide inputs into an operational resilience strategy, but the BCM Institute formalises it into a roadmap tied to capabilities |
| [P1-S4] Confirm Risk Appetite | BNM explicitly promotes impact tolerances based on customer-centric outcomes rather than internal metrics. | Confirm Risk Appetite sets organisational risk appetite and related KPIs/KRIs early in planning | Both stress the importance of defining acceptable levels of disruption, though BNM situates it more in terms of service impact |
| [P1-S5] Develop & Embed Governance | Strong emphasis on board/senior-management accountability and governance structures. | Develop & Embed Governance integrates resilience into governance and oversight mechanisms | Very close alignment: both require governance structures that support ongoing oversight and accountability |
| External Dependencies / Third Parties [P2-S2] | BNM highlights interconnected dependencies (cloud, vendors) as systemic vulnerabilities. | Not explicitly a separate Plan activity, but dependencies will be uncovered in strategy and gap analysis | The BCM Institute plan lays the groundwork, but deeper dependency analysis is part of the later Implementation phase |
| Scenario Planning & Testing [P2-S5] | BNM expects scenario testing, including severe but plausible stress testing across functions. | Not part of Plan; builds into the Implement phase | BNM’s testing expectations influence strategy development, but are operationalised later in the methodology |

Key Observations

Shared Orientation Toward Outcomes

Both BNM’s discussion paper and the BCM Institute’s Plan phase recognise that traditional resilience (recovery times, backups) is insufficient on its own. What matters is maintaining customer-facing critical services within tolerable limits during disruptions.

Governance and Accountability Are Central

BNM’s emphasis on board and senior management's responsibility aligns closely with the Plan phase’s requirement to embed governance and secure executive approval for the resilience strategy and risk appetite.

Strategic Thinking Is a Foundation

While BNM provides high-level expectations, the BCM Institute’s Plan phase provides a structured process for translating those expectations into executable plans, including maturity assessments, gap analyses, and strategic roadmaps.

Risk Appetite vs Impact Tolerances

BCM Institute’s Plan phase begins with the risk appetite, expressed in general terms (KPIs/KRIs).

BNM specifically advocates defining impact tolerances for critical services, thereby pushing organisations toward tolerances based on external impact rather than internal operational metrics.

Planning vs Implementation Timing

BNM’s Discussion Paper sets out requirements that span both planning and implementation (e.g., dependency mapping and scenario testing).

In BCM Institute’s model, these deeper analytical and tactical activities (e.g., mapping, testing) are intentionally reserved for the Implement phase (P2), underscoring that Plan is about strategic readiness, not execution.

Practical Implications

If an organisation is using the BCM Institute’s Plan phase as its methodological start:

  • BNM’s expectations validate the Plan phase’s activities and provide regulatory impetus for organisations to take them seriously.
  • The outputs of the Plan phase (maturity baseline, gap analysis, resilience strategy, risk appetite, and governance) will be foundational for meeting BNM’s evolving expectations.
  • BNM’s emphasis on impact tolerances and customer-centric tolerances should be embedded in the Plan phase’s strategy and risk appetite formulation, even if the detailed implementation (mapping and testing) occurs later.
  • The governance work of the Plan phase should explicitly reference board oversight and accountability mechanisms for operational resilience, as required by BNM.

 

| Dimension | BNM Discussion Paper | BCM Institute Plan Phase | Alignment |
|---|---|---|---|
| Direction | High-level principles guiding resilience expectations | Structured planning steps to prepare a resilience programme | Complementary |
| Strategy | Implicit in expectations (identify, tolerate, respond) | Explicit strategy roadmap development | BCM Institute adds structure |
| Risk Appetite | Focuses on service impact tolerances | KPIs/KRIs and risk appetite scoping | Can be harmonised |
| Governance | Strong regulator emphasis | Integral planning stage | Strongly aligned |
| Action | Includes mapping/testing expectations | The planning phase sets the stage, but leaves the action to implement | Sequentially aligned |

Note from Author/Speaker

Author Comment: This is a detailed comparison between Bank Negara Malaysia’s (BNM) Discussion Paper on Operational Resilience (the regulator’s emerging expectations for financial institutions) and the “Plan” phase of the BCM Institute’s Operational Resilience Planning Methodology (as laid out in the OR-P1 guidance).

 

 
