[OR] [CAPM] [BNM] Operational Resilience Capability-level Assessment Aligned to Bank Negara Malaysia

Operational Resilience Capability Assessment (BNM-Aligned)

This chapter contains a comprehensive Operational Resilience Capability Assessment Questionnaire tailored for banks in Malaysia, aligned to:

• The 2025 Bank Negara Malaysia Operational Resilience Discussion Paper (emerging regulatory expectations) 

• BCM Institute OR planning methodology ([OR] [P1-S1]) 

• Capability assessment principles from BCM Institute and BCMPedia 

The questions are structured to reflect BNM’s emphasis on governance, critical services, interdependencies, technology, and third-party risks, as well as increasing accountability and resilience integration 

emphasis on:

• Sustaining critical business services (CBS)
• Ability to prevent, respond, recover, and adapt to disruptions
• Strong governance, accountability, and interdependency management
• Focus on customer impact and systemic stability

1. Governance, Oversight and Accountability

Board and Senior Management Oversight

• Has the Board formally approved an Operational Resilience framework and strategy?
• Is there a clearly designated accountable executive (e.g., CRO / Head of OR)?
• Does the Board receive regular reporting on resilience posture and disruptions?
• Are resilience objectives integrated into enterprise risk management (ERM)?

Policy and Governance Structure

• Are there documented policies covering:
• Operational resilience
• Business continuity
• Crisis management
• Third-party risk management
• Are governance roles clearly defined across the three lines of defence?

Culture and Accountability

• Are KPIs/KRIs aligned to resilience outcomes (not just compliance)?
• Is there evidence of cross-functional accountability for critical services?

2. Identification of Critical Business Services (CBS)

• Has the bank formally identified Critical Business Services (CBS)?
• Are CBS defined based on:
• Customer impact
• Financial stability impact
• Regulatory expectations
• Are CBS clearly distinguished from:
• Processes
• Systems
• Functions

CBS Governance

• Are CBS owners formally assigned?
• Are CBS definitions periodically reviewed and approved?

👉 BNM emphasises that resilience must focus on critical services and customer impact, not just internal recovery

3. Impact Tolerance and Service Resilience Objectives

• Has the bank defined impact tolerances for each CBS?
• Are tolerances measurable (e.g., downtime, backlog, data loss)?
• Are tolerances aligned with:
• Customer expectations
• Regulatory requirements

• Are tolerance breaches:
• Monitored
• Escalated
• Reported to senior management

4. Mapping Interdependencies (End-to-End Visibility)

Dependency Mapping

• Has the bank mapped dependencies for each CBS across:
• People
• Processes
• Technology
• Third parties

Connectivity and Complexity

• Are interconnections between systems and services documented?
• Are single points of failure identified and mitigated?

Data and Documentation

• Are mapping outputs:
• Documented
• Maintained
• Regularly updated

👉 BNM highlights complex interdependencies and digital ecosystems as a key resilience challenge

5. Scenario Testing and Resilience Validation

Scenario Design

• Are severe but plausible scenarios (SbPS) defined?
• Do scenarios include:
• Cyber incidents
• Technology failures
• Third-party disruptions
• Pandemic/people's unavailability

Testing Execution

• Are scenarios tested against:
• CBS
• Impact tolerances
• Are tests conducted:
• End-to-end
• Across business and technology layers

Outcomes and Improvement

• Are test results:
• Documented
• Reviewed by senior management
• Are lessons learned translated into:
• Control improvements
• Capability enhancements

6. Technology and Cyber Resilience Capability

• Are critical systems supporting CBS:
• Redundant
• Recoverable within tolerance

• Is there alignment with:
• Cyber resilience practices
• Technology risk management frameworks

• Are cloud and digital dependencies:
• Identified
• Risk assessed

Monitoring and Detection

• Are real-time monitoring capabilities in place for:
• System performance
• Disruptions

• Are early warning indicators defined?

7. Third-Party and Supply Chain Resilience

Third-Party Risk Management

• Are third parties supporting CBS identified and classified?
• Are critical vendors subject to:
• Enhanced due diligence
• Contractual resilience requirements

Concentration and Substitution Risk

• Are concentration risks (e.g., single cloud provider) assessed?
• Are exit and substitution strategies defined?

Integration into Testing

• Are third parties included in:
• Scenario testing
• Crisis exercises

👉 BNM stresses the importance of third-party and ecosystem resilience due to increasing reliance on outsourcing and cloud

8. Incident Management and Crisis Response Capability

• Is there a formal incident management framework?
• Are escalation protocols clearly defined?
• Is there an established crisis management structure (e.g., command centre)?

Communication Capability

• Are communication plans defined for:
• Customers
• Regulators
• Stakeholders

• Are communication protocols tested?

9. Recovery, Continuity and Adaptation Capability

• Are business continuity plans:
• CBS-aligned (service-centric, not process-centric)?

• Are recovery strategies:
• Tested regularly
• Aligned with impact tolerances

Adaptive Capacity

• Can the organisation:
• Operate in degraded mode?
• Prioritise critical transactions?

10. Data, Metrics and Continuous Improvement

Metrics and Monitoring

• Are resilience KPIs/KRIs defined for:
• CBS availability
• Incident response time
• Recovery performance

Continuous Improvement

• Is there a structured process for:
• Lessons learned
• Post-incident reviews
• Are improvements tracked and reported?

11. Integration Across Risk Domains (Holistic Capability)

• Is operational resilience integrated with:
• Operational risk management
• Business continuity management
• Cyber resilience
• Third-party risk management

Enterprise Alignment

• Is resilience embedded into:
• Strategic planning
• Technology transformation
• Product development

👉 BNM emphasises holistic and enterprise-wide resilience, not siloed practices

12. Capability Level Assessment (Scoring Dimension)

Maturity Rating Guide (Scoring Model)

 Use a 7-level maturity scale: 

For each question, assign:

1. Level 0: Undefined: No evidence of capability 

2. Level 1: Initial: Informal, inconsistent practices

3. Level 2: Managed: Defined but not consistently applied 

4. Level 3: Defined: Documented and consistently implemented 

5. Level 4: Well-defined: Measured, monitored, and controlled 

6. Level 5: Optimising: Continuously improved and integrated  

7. Level 6: Innovative: Industry leadership through innovation.

How to Use This Capability Assessment

Step 1: Assess Capability

• Evaluate each question
• Assign capability level (0–6)

Step 2: Identify Gaps

• Focus on:
• CBS definition gaps
• Dependency visibility gaps
• Testing weaknesses

Step 3: Align to BNM Expectations

• Prioritise:
• Governance accountability
• End-to-end service resilience
• Third-party risk integration

Key Takeaways (Aligned to BNM Direction)

This capability assessment reflects BNM’s shift toward:

• Service-centric, end-to-end, and accountable operational resilience

• Banks are expected to move beyond traditional BCM into:

• Integrated resilience capabilities

• Customer-impact driven design

• Continuous testing and improvement