CBS-1 Core Deposit & Account Services
Introduction
China Construction Bank (Malaysia) Berhad (CCB Malaysia) delivers CBS-1 Core Deposit & Account Services as a critical business service underpinning customer trust, liquidity management, regulatory compliance, and financial stability.
In line with the principles of Scenario Testing in Operational Resilience, scenario testing assesses the organisation’s ability to remain within its defined impact tolerances during severe but plausible disruptions.
For CBS-1, scenario testing must go beyond technical failure simulations and incorporate cyber threats, ICT outages, third-party failures, operational errors, data integrity issues, and regulatory shocks.
The objective is to validate resilience capabilities, identify vulnerabilities, and demonstrate proactive risk management across people, processes, technology, facilities, and external dependencies.
Table P6: Detailed Processes for CBS-1
| Sub-CBS Code | Sub-CBS | Recommended Scenario Test Themes | Impact / Effect | Evidence of Proactive Risk Management Action |
|---|---|---|---|---|
| 1.1 | Account Opening & Onboarding | • Core banking system outage during onboarding • Cyberattack compromising KYC data • Digital channel failure (e-KYC disruption) • Regulatory change requiring urgent KYC enhancement | • Inability to open new accounts • Data breach & reputational damage • AML non-compliance risk | • Tested manual onboarding fallback procedures • Data encryption & DLP controls • Cyber incident response drill records • Updated KYC playbooks & staff training logs |
| 1.2 | Deposit Maintenance & Account Administration | • Unauthorised account modification due to insider threat • IAM system failure • Ransomware affecting customer data | • Fraud risk • Customer complaints • Regulatory sanctions | • Segregation of duties testing • Privileged access reviews • Regular backup & restoration test evidence • SOC monitoring reports |
| 1.3 | Deposit Transactions Processing | • Core banking batch processing failure • Payment switch outage • Distributed Denial of Service (DDoS) attack | • Transaction backlog • Liquidity disruption • Financial loss exposure | • Business Continuity Plan test results • Alternate processing site test • DDoS mitigation simulation • RTO/RPO validation reports |
| 1.4 | Interest & Charges Calculation & Posting | • Data corruption affecting the interest calculation engine • System patch causing miscalculation • Parameter configuration error | • Financial misstatement • Customer compensation costs • Reputational damage | • Parallel run reconciliation tests • Change management approval records • Independent validation checks • Audit trail documentation |
| 1.5 | Account Inquiry & Statement Services | • Internet banking portal outage • API failure with mobile banking • Data leakage via customer statements | • Customer dissatisfaction • Increased call centre load • Data privacy breach | • Digital channel resilience testing • Statement encryption controls • Penetration testing reports • Customer communication templates tested |
| 1.6 | Transfer & Payment Execution | • SWIFT network disruption • Malware affecting the payment gateway • Third-party correspondent bank failure | • Failed outward transfers • Cross-border settlement delays • Liquidity and reputational impact | • SWIFT contingency procedures tested • Sanctions screening resilience drills • Third-party risk assessments • Liquidity stress scenario documentation |
| 1.7 | Foreign Currency Deposit Services | • FX rate feed disruption • Geopolitical sanctions affecting currency settlement • Treasury system outage | • Incorrect FX postings • Settlement risk • Market risk exposure | • Backup FX data provider testing • Sanctions scenario simulations • Treasury BCP test evidence • Hedging policy review documentation |
| 1.8 | Account Closure & Dormancy Management | • Failure in the dormant account monitoring system • Fraudulent reactivation attempts • Data archival system corruption | • Fraud exposure • Regulatory non-compliance • Data integrity risk | • Dormancy control testing reports • Fraud detection scenario drills • Secure archival verification tests • Periodic compliance attestation |
Integration of Cyber and ICT Risks
Scenario testing for CBS-1 must explicitly integrate Cyber Security Risk and ICT Risk Management, including:
- Core banking system resilience
- Network & infrastructure redundancy
- Cyber incident detection and response
- Data integrity and backup restoration capability
- Third-party technology service provider resilience
- Cloud service outage simulations (if applicable)
- Identity & Access Management stress testing
Each scenario test should validate:
- Defined Impact Tolerance (maximum tolerable disruption).
- Recovery Time Objective (RTO) and Recovery Point Objective (RPO).
- Communication escalation procedures.
- Board and senior management oversight effectiveness.
Documented test outcomes, lessons learned, remediation plans, and retesting cycles serve as demonstrable evidence of proactive risk management.
Performing structured and severe but plausible Scenario Testing for CBS-1 Core Deposit & Account Services enables China Construction Bank (Malaysia) to validate its operational resilience posture against cyber threats, ICT disruptions, third-party failures, and operational breakdowns.
By aligning scenario testing with defined impact tolerances and integrating cyber and ICT risk considerations, the bank strengthens its ability to continue delivering critical deposit and account services even under stress conditions.
Documented evidence of testing, remediation, governance oversight, and continuous improvement demonstrates that resilience is not reactive but embedded within the organisation’s risk management framework.
This approach ensures sustained customer confidence, regulatory compliance, and institutional stability in an increasingly complex risk environment.

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.












