eBook OR

[OR] [CIMB] [E1] [C5] Identifying Critical Business Services

Written by Dr Goh Moh Heng | Feb 10, 2026 4:58:47 AM

eBook 1: Chapter 5

Critical Business Services (CBS) of CIMB Bank in an Operational Resilience Program

Introduction

A Critical Business Service (CBS) is a service provided by an organisation that, if disrupted, would likely have a significant negative impact on the organisation’s safety and soundness, its customers, and potentially other financial institutions that depend on the service.

In the context of operational resilience, CBSs are services that must be maintained or quickly restored during and after disruptive events to minimise harm to the financial system and the economy. 

Operational resilience frameworks recognise that disruptions — whether from cyberattacks, IT outages, natural events, or third-party failures — are inevitable. What matters is the bank’s ability to anticipate, absorb, respond to, recover, and learn from such events while still delivering its critical services. 

Critical business services underpin a resilience program. They inform impact tolerances, scenario testing, governance decisions, and recovery strategies. Without a clear CBS map, resilience planning cannot be tailored to an organisation’s most essential functions.

Regulatory and Best-Practice Drivers

Globally — and particularly in Malaysia — central banks are emphasising operational resilience as a key supervisory focus.

Bank Negara Malaysia’s 2025 Discussion Paper on Operational Resilience highlights the importance of ensuring continuity of critical financial services to preserve confidence, financial stability, and trust in the financial system.

In addition, international principles (e.g., Basel Committee on Banking Supervision, MAS guidelines, and other supervisory regimes) explicitly call for:

  • identification of services that have a meaningful impact if disrupted;

  • setting impact tolerances for those services;

  • mapping dependencies among processes, people, technology, and third parties; and assessing resilience under severe yet plausible scenarios. 

These expectations mean that CBS identification for CIMB must be strategic and evidence-based, linking operational resilience planning with enterprise risk management and business continuity planning.

Criteria for Identifying Critical Business Services

A service should be classified as critical based on factors such as:

  1. Safety and soundness of the bank — Disruption could materially impair financial position or regulatory compliance.

  2. Impact on customers — Significant numbers or types of customers (retail, corporate, SME, etc.) would face intolerable harm or financial loss.

  3. Systemic or inter-institutional impact — Disruptions that could affect payment systems, market functioning, or interbank operations.

  4. Legal and regulatory obligations — Services tied to time-sensitive reporting, settlement, or compliance. 

Importantly, a critical service is not merely an ongoing business line; it is defined by the impact of its failure to be delivered.

Critical Business Services for CIMB Bank

Below are examples of CBSs relevant to a major ASEAN bank like CIMB. These align with industry norms and supervisory expectations for financial institutions of similar scale and complexity:

Critical Business Services (CBS) for CIMB Bank

CBS Code

Critical Business Service

Service Description

Why It Is Critical (Impact of Disruption)

Primary Impact Area

CBS-1

Retail & Digital Banking Access

Provision of online and mobile banking services, including authentication, balance enquiries, and customer-initiated transactions

Loss of access would cause widespread customer harm, reputational damage, and erosion of trust due to CIMB’s large retail and digital customer base

Customers, Reputation

CBS-2

Payment & Fund Transfer Services

Processing of domestic and cross-border payments, real-time transfers, and interbank settlements

Disruption could prevent customers and businesses from meeting financial obligations and may impact financial system stability

Customers, Financial Stability

CBS-3

Cash Access & Branch Services

Availability of cash withdrawals and deposits via ATMs and branch counters

Extended unavailability would affect daily financial needs, particularly for cash-reliant customers and businesses

Customers, Financial Inclusion

CBS-4

Loan Origination & Disbursement

End-to-end processing of retail, SME, and corporate lending, including approval and fund disbursement

Inability to disburse loans would harm customers’ liquidity and CIMB’s revenue generation and contractual obligations

Customers, Financial Soundness

CBS-5

Treasury & Liquidity Management

Management of liquidity, funding, and market operations to meet obligations

Disruption may threaten CIMB’s solvency, liquidity position, and compliance with prudential requirements

Safety & Soundness

CBS-6

Card & Merchant Acquiring Services

Processing of debit/credit card transactions and merchant acquiring services

Failure would disrupt retail commerce and expose CIMB to financial, contractual, and reputational risk

Customers, Financial Stability

CBS-7

Risk Management & Regulatory Reporting

Monitoring of risks and submission of accurate, timely regulatory and prudential reports

Failure could lead to regulatory breaches, penalties, and supervisory intervention

Regulatory Compliance

CBS-8

Customer Support & Contact Centre Services

Customer assistance through call centres and digital support channels during normal operations and incidents

Service disruption would amplify customer harm during outages and weaken crisis communication effectiveness

Customers, Reputation

CBS-9

Corporate & Institutional Banking Transaction Services

Execution of high-value corporate payments, trade finance, and institutional banking transactions

Disruption could affect corporate liquidity, trade flows, and interconnected financial counterparties

Customers, Systemic Risk

How This Table Supports Operational Resilience
  • Customer-outcome focused: Each CBS is defined by the harm caused if the service fails, not by internal organisational structure
  • BNM-aligned: Emphasises continuity of essential financial services, safety and soundness, and systemic stability
  • Operationally actionable: Each CBS can be used as the basis for:
    • impact tolerance setting
    • dependency mapping
    • severe but plausible scenario testing
    • board-level resilience oversight

Operationalisation of CBS in Resilience Planning

Onceidentified, each CBS for CIMB must be documented with:

  • Impact tolerances: Maximum allowable downtime or degradation before intolerable harm occurs.
  • Dependency mapping: Understanding people, technology, facilities, third parties, data and systems underpinning the CBS.
  • Scenario testing: Severe but plausible events tested to ensure CBS remain within impact tolerances.
  • Governance oversight: Board and senior management approval of the list, impact tolerances, and resilience outcomes.

This structured approach ensures that resilience planning is risk-based, evidence-driven, and aligned with regulatory expectations.

Identifying and safeguarding Critical Business Services is the cornerstone of CIMB’s operational resilience strategy.

These services constitute CIMB’s mission-critical capabilities, whose uninterrupted delivery protects the bank’s financial health, stakeholder confidence, and its contributions to broader financial stability.

Integrating CBS into resilience planning — from impact tolerances to scenario testing —ensures CIMB can withstand and recover from disruptions while continuing to serve its customers and markets effectively.

Blogs marked [x] are under construction.

Operational Resilience in Practice: The CIMB Bank Approach

eBook 1: Understanding Your Organisation: CIMB Bank
C1 C2 [x] C3 [x] C4 [x]
C5 C6 [x] C7 [x] C8 [x]
 

For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.

 

 

More Information About OR-5000 [OR-5] or OR-300 [OR-3]

To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.

If you have any questions, click to contact us.