Operational Resilience in Practice: The CIMB Bank Approach

Moh Heng Goh
Operational Resilience Certified Planner-Specialist-Expert


Operational Resilience in Practice: CIMB Bank's Three-Phase Framework

Introduction


In today’s fast-evolving financial landscape, where digital transformation, third-party ecosystems, and cyber threats are redefining risk boundaries, operational resilience has shifted from a “nice-to-have” discipline to an absolute imperative for financial institutions.

For banks like CIMB Bank — one of Malaysia’s leading financial services groups with a strong regional footprint — operational resilience is central to safeguarding customer trust, maintaining continuous delivery of critical banking services, and fulfilling robust regulatory expectations.

Operational resilience refers to the ability of a financial institution to anticipate, withstand, recover from, and adapt to operational disruptions across people, processes, technology, and third-party dependencies. 

This capability ensures that critical business services — from retail banking systems and payment channels to credit processing and liquidity operations — continue operating or rapidly recover from disruptions.

Global standard-setters and regulatory authorities have increasingly formalised expectations on operational resilience. In Malaysia, Bank Negara Malaysia (BNM) has spearheaded this agenda. 

In December 2025, BNM issued a Discussion Paper on strengthening operational resilience, which outlines high-level principles and regulatory direction for financial institutions operating in Malaysia. 

The paper emphasises strong governance, impact tolerance frameworks, scenario testing, third-party dependencies, and dynamic recovery strategies, drawing on international best practices while contextualising them for Malaysia’s market conditions. 

CIMB Bank’s Operational Resilience Planning Methodology is structured into three integrated phases — Plan, Implement, and Sustain — each comprising five detailed stages that collectively define its lifecycle-oriented resilience journey. 

This structured methodology not only supports internal operational excellence but also aligns with regulatory expectations, including those articulated in BNM’s evolving operational resilience guidelines.

Overview of the Three-Phase OR Planning Methodology 

Operational resilience at CIMB Bank is anchored in a methodical framework that institutionalises resilience across strategy, operations, and culture.

The methodology recognises that building resilience isn’t a one-off tick-box exercise; it is a strategic, multidisciplinary, and continuously improving capability embedded into CIMB’s core governance and operations.

 



Phase 1: Plan


The Plan phase establishes foundational preparedness and strategic alignment. It ensures that CIMB’s resilience priorities are grounded in maturity-based assessment and regulatory intent:

1. Assess Capability and Maturity

CIMB Bank assesses existing resilience competencies (BCM, technology recovery, risk culture) and benchmarks them against industry best practices and BNM expectations for governance and risk management.

This assessment identifies maturity levels and helps prioritise gaps relative to expected regulatory outcomes (e.g., BCM and RMiT compliance).

2. Analyse Gap

Gap analysis systematically evaluates where CIMB currently stands relative to its desired future-state resilience objectives, covering governance accountabilities, third-party risk controls, and impact tolerances. Findings inform a structured blueprint for resilience improvement.

3. Develop Strategy and Roadmap

Based on the gap analysis, a targeted roadmap is developed. It balances immediate regulatory compliance (e.g., response times and risk-reporting requirements) with strategic investments in automation, monitoring, and oversight of third-party dependencies.

4. Confirm Risk Appetite

CIMB leadership calibrates its operational risk appetite to define acceptable levels of service disruption and recovery time objectives that align with both business priorities and BNM's regulatory expectations.

5. Develop and Embed Governance

Strong governance ensures resilient outcomes are endorsed, owned, and monitored at the board and executive levels.

This stage embeds resilience roles, responsibilities, and reporting lines into CIMB’s organisational architecture — a key expectation in BNM’s operational resilience discourse. 

 



Phase 2: Implement


In the Implement phase, planning turns into execution. CIMB translates strategic priorities into tangible resilience capabilities that protect critical services:

1. Identify Critical Business Services

CIMB identifies business services considered “critical” to its operations and customers — for example, retail banking platforms, payment systems, and liquidity support functions — and documents them with clear service definitions.

2. Map Processes and Resources

Detailed process mapping links services to underlying infrastructure, people, vendors, and data — enabling CIMB to understand dependencies and failure points across its operational ecosystem.

3. Set Impact Tolerance

Impact tolerance thresholds define the maximum acceptable outages for identified critical services. These tolerances inform scenario planning and recovery objectives — a key principle highlighted in BNM’s expectations for operational resilience.

4. Conduct Scenario Testing

Regular stress scenarios — including cyber incidents, system failures, and prolonged third-party disruptions — are simulated to validate the effectiveness of response and recovery. These exercises ensure preparedness beyond theoretical plans.

5. Improve Lessons Learnt

Post-exercise reviews and real incident analyses feed into continuous improvement cycles — reinforcing weak controls, adjusting impact tolerances, and updating recovery playbooks.

 



Phase 3: Sustain


The Sustain phase embeds resilience into CIMB’s corporate culture and the “business as usual” mindset:

1. Introduce Cultural Change

Operational resilience must be understood and valued across all levels. CIMB drives cultural initiatives that encourage proactive risk awareness, clear communication, and cross-functional collaboration.

2. Develop Communication Strategy

Transparent, consistent communication — internally with staff and externally with stakeholders — reinforces clarity on resilience roles, expectations, and escalation protocols during disruptions.

3. Implement Training and Awareness

Ongoing training programs ensure that teams are adept at resilience protocols, crisis response, and recovery procedures.

4. Provide Self-assessment

Routine self-assessments and internal audits help CIMB monitor adherence to resilience standards and proactively identify areas for improvement.

5. Conduct Independent Quality Review

Independent reviews — whether through internal audit or external assessments — validate the effectiveness of CIMB’s operational resilience framework and compliance with regulatory expectations.

 


Operational resilience is no longer a peripheral risk discipline — it is a business-critical strategic capability. 

For CIMB Bank, implementing a structured three-phase Operational Resilience Planning Methodology enables the bank to navigate the complex, dynamic risk landscape of modern banking while safeguarding the continuity of critical services.

The framework’s phased approach — from rigorous planning and disciplined implementation to sustainability and culture embedding — reflects a best-practice alignment with emerging regulatory guidance from Bank Negara Malaysia and international supervisory expectations. 

BNM’s 2025 Operational Resilience Discussion Paper underscores the need for financial institutions to strengthen their ability to withstand disruptions in an increasingly digital and interconnected environment. 

It encourages institutions to develop clear governance frameworks, robust impact-tolerance frameworks, and effective recovery mechanisms for systemic shocks. 

Real-world examples of regulatory enforcement—such as administrative penalties imposed on CIMB and other Malaysian banks for operational disruptions exceeding prescribed thresholds—demonstrate that lapses in resilience have tangible consequences and underscore the importance of a proactive, comprehensive resilience strategy. 

By embedding resilience into governance, strategy, and culture, CIMB Bank not only meets regulatory expectations but also enhances stakeholder confidence, protects customer trust, and strengthens its competitive position in an era defined by volatility and change.