Operational Resilience in Practice: The CIMB Bank Approach

For CIMB Bank, CBS-1: Retail & Digital Banking Access represents a customer-facing critical business service that directly affects financial access, payments, onboarding, and digital engagement.

In line with operational resilience principles and the expectations set out in the 2025 Bank Negara Malaysia (BNM) Discussion Paper on Operational Resilience, each impact tolerance defines the maximum level of disruption to the service that the bank can absorb before the disruption causes intolerable harm to customers, market integrity, or regulatory compliance.

Establishing measurable thresholds such as Maximum Tolerable Downtime (MTD) and Maximum Tolerable Data Loss (MTDL) lets CIMB prioritise recovery strategies, technology investments, and scenario testing. MTD is measured from the onset of the disruption, not from its detection, and MTDL is the longest window of committed data that may be lost; the recovery time and recovery point objectives set for each sub-service must therefore sit within these figures. The tolerances below reflect regulatory expectations for availability, integrity, security, and financial stability while remaining realistic and testable.

Dr Goh Moh Heng
Operational Resilience Certified Planner-Specialist-Expert

CBS-1 Retail & Digital Banking Access

Table P4: Establish Impact Tolerance for CBS-1

Columns: Sub-CBS Code | Sub-CBS | Maximum Tolerable Downtime (MTD) | Maximum Tolerable Data Loss (MTDL) | Customer Impact | Regulatory Impact | Impact Type | Current Resilience Status | Action Required

1.1 Online Banking Login & Authentication
  MTD: 2 hours | MTDL: 0 minutes
  Customer impact: High – Customers unable to access accounts
  Regulatory impact: Moderate – Access control & audit trail obligations
  Impact type: Availability & Security
  Current resilience status: Strong but capacity-sensitive
  Action required: Enhance MFA redundancy, geo-distributed authentication servers

1.2 Account Dashboard & Balance Inquiry
  MTD: 4 hours | MTDL: 0 minutes
  Customer impact: High – Inability to view balances affects decision-making
  Regulatory impact: Moderate – Data accuracy expectations
  Impact type: Availability & Integrity
  Current resilience status: Moderate
  Action required: Strengthen database replication & real-time monitoring

1.3 Funds Transfer & Payment Services
  MTD: 1 hour | MTDL: 0 minutes
  Customer impact: Very High – Financial loss, reputational damage
  Regulatory impact: High – Payment system compliance & reporting
  Impact type: Availability & Integrity
  Current resilience status: Moderate
  Action required: Strengthen payment engine failover, alternate routing & liquidity buffers

1.4 Mobile App Transaction Processing
  MTD: 2 hours | MTDL: 0 minutes
  Customer impact: High – App users are unable to transact
  Regulatory impact: Moderate – Consumer protection obligations
  Impact type: Availability
  Current resilience status: Moderate
  Action required: Improve auto-scaling infrastructure & DDoS protection

1.5 Retail Digital Onboarding
  MTD: 6 hours | MTDL: 0 minutes
  Customer impact: Medium – New customers are unable to open accounts
  Regulatory impact: High – KYC/AML regulatory compliance
  Impact type: Availability & Compliance
  Current resilience status: Moderate
  Action required: Maintain backup e-KYC providers, offline fallback workflows

1.6 Digital Alerts & Notification Services
  MTD: 8 hours | MTDL: 0 minutes
  Customer impact: Medium – Customers are unaware of transactions
  Regulatory impact: Moderate – Regulatory alert obligations
  Impact type: Availability
  Current resilience status: Moderate
  Action required: Implement multi-channel redundancy & telecom failover

1.7 Customer Support & Chatbot Interface
  MTD: 12 hours | MTDL: 0 minutes
  Customer impact: Medium – Delayed issue resolution
  Regulatory impact: Low to Moderate – Complaint handling standards
  Impact type: Availability
  Current resilience status: Moderate
  Action required: Expand call centre surge capacity & chatbot failover

1.8 API Gateway & Third-Party Integrations
  MTD: 2 hours | MTDL: 0 minutes
  Customer impact: High – Partner services disrupted
  Regulatory impact: Moderate – Outsourcing & ICT risk management obligations
  Impact type: Availability & Operational Dependency
  Current resilience status: Moderate
  Action required: Implement API clustering, enhanced SLA oversight

1.9 Access Monitoring & Security Event Logging
  MTD: 24 hours (loss of monitoring visibility) | MTDL: 1 hour
  Customer impact: Low – Little immediate customer impact, but high risk exposure while visibility is lost
  Regulatory impact: High – Regulatory breach reporting & cybersecurity obligations
  Impact type: Integrity & Security
  Current resilience status: Moderate
  Action required: Deploy redundant SIEM, immutable offsite logging

1.10 Back-End Data Synchronisation & Recovery
  MTD: 4 hours | MTDL: 15 minutes
  Customer impact: High – Risk of data inconsistency or prolonged outage
  Regulatory impact: High – Regulatory reporting & data retention obligations
  Impact type: Availability & Integrity
  Current resilience status: Moderate
  Action required: Increase replication frequency, conduct regular DR simulation tests
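The tolerances in Table P4 are only useful if a scenario test can measure an injected disruption against them. The following Python is an added example, not CIMB's or BCM Institute's tooling: it encodes the MTD and MTDL figures from the table and evaluates a constructed incident timeline against them, measuring downtime from onset (or up to the assessment time while a service is still down) and data loss as the gap between the last intact recovery point and the onset. The Incident structure, function names and all timestamps are assumptions made for illustration; the scenario is constructed, not real incident data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Impact tolerances from Table P4: sub-CBS code -> (name, MTD, MTDL).
TOLERANCES = {
    "1.1": ("Online Banking Login & Authentication", timedelta(hours=2), timedelta(0)),
    "1.2": ("Account Dashboard & Balance Inquiry", timedelta(hours=4), timedelta(0)),
    "1.3": ("Funds Transfer & Payment Services", timedelta(hours=1), timedelta(0)),
    "1.4": ("Mobile App Transaction Processing", timedelta(hours=2), timedelta(0)),
    "1.5": ("Retail Digital Onboarding", timedelta(hours=6), timedelta(0)),
    "1.6": ("Digital Alerts & Notification Services", timedelta(hours=8), timedelta(0)),
    "1.7": ("Customer Support & Chatbot Interface", timedelta(hours=12), timedelta(0)),
    "1.8": ("API Gateway & Third-Party Integrations", timedelta(hours=2), timedelta(0)),
    "1.9": ("Access Monitoring & Security Event Logging", timedelta(hours=24), timedelta(hours=1)),
    "1.10": ("Back-End Data Synchronisation & Recovery", timedelta(hours=4), timedelta(minutes=15)),
}


@dataclass
class Incident:
    """One disruption observed (or injected) during a scenario test. Assumed structure."""
    sub_cbs: str
    disruption_start: datetime                   # onset of customer-visible disruption
    last_consistent_state: datetime              # newest recovery point known to be intact
    service_restored: Optional[datetime] = None  # None: still down at assessment time


def evaluate(incident: Incident, assessed_at: datetime) -> dict:
    """Measure one incident's downtime and data loss against its MTD and MTDL.

    Downtime runs from onset to restoration, or to `assessed_at` while the
    service is still down. Data loss is the gap between the last intact
    recovery point and the onset; a recovery point at or after onset means
    no committed data was lost, so the gap is clamped at zero.
    """
    name, mtd, mtdl = TOLERANCES[incident.sub_cbs]
    end = incident.service_restored or assessed_at
    downtime = end - incident.disruption_start
    data_loss = max(incident.disruption_start - incident.last_consistent_state, timedelta(0))
    return {
        "sub_cbs": incident.sub_cbs,
        "name": name,
        "ongoing": incident.service_restored is None,
        "downtime_min": int(downtime.total_seconds() // 60),
        "data_loss_min": int(data_loss.total_seconds() // 60),
        "mtd_breached": downtime > mtd,
        "mtdl_breached": data_loss > mtdl,
        # Minutes of MTD budget left; negative once the tolerance is breached.
        "mtd_budget_min": int((mtd - downtime).total_seconds() // 60),
    }


def run_scenario(incidents, assessed_at: datetime):
    """Evaluate every incident; return the results and the codes of breached sub-CBS."""
    results = [evaluate(i, assessed_at) for i in incidents]
    breached = [r["sub_cbs"] for r in results if r["mtd_breached"] or r["mtdl_breached"]]
    return results, breached


# Constructed scenario (not real incident data): a payment-engine failure that
# cascades into back-end synchronisation, with login still degraded at assessment.
T = datetime(2025, 3, 1)
SCENARIO = [
    # 1.3: down 09:00-10:30, synchronous replication so no data lost.
    Incident("1.3", T.replace(hour=9), T.replace(hour=9), T.replace(hour=10, minute=30)),
    # 1.10: down 09:05-12:00, last intact recovery point 08:45.
    Incident("1.10", T.replace(hour=9, minute=5), T.replace(hour=8, minute=45), T.replace(hour=12)),
    # 1.1: down since 10:00 and still down; replication caught up after onset.
    Incident("1.1", T.replace(hour=10), T.replace(hour=10, minute=15)),
]
ASSESSED_AT = T.replace(hour=11, minute=30)

if __name__ == "__main__":
    results, breached = run_scenario(SCENARIO, ASSESSED_AT)
    for r in results:
        status = "BREACH" if r["mtd_breached"] or r["mtdl_breached"] else "within tolerance"
        print(f'{r["sub_cbs"]:5} {r["name"]:45} down={r["downtime_min"]:4}m '
              f'loss={r["data_loss_min"]:3}m budget={r["mtd_budget_min"]:5}m {status}')
    print("Breached:", breached)
```

In this scenario the payment service (1.3) breaches its one-hour MTD after 90 minutes even though no data is lost, back-end synchronisation (1.10) stays within its MTD but breaches the 15-minute MTDL, and login (1.1) is still down with 30 minutes of MTD budget remaining. The `mtd_budget_min` figure is what an incident commander watches during a live test, since it counts down from onset rather than from detection.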

By establishing defined impact tolerances for CBS-1: Retail & Digital Banking Access, CIMB Bank demonstrates alignment with regulatory expectations and international practice in operational resilience. The tolerances distinguish customer harm, regulatory exposure, and financial-system stability, so that recovery priorities are proportionate to the harm a disruption would cause.

Regular review, scenario testing, and validation against severe but plausible disruptions are essential to confirm that these tolerances remain appropriate. As dependence on digital banking grows, strong availability, zero data loss for transactional services, and robust cyber monitoring will remain critical. Clearly defined impact tolerances therefore serve not only as compliance tools but as resilience benchmarks that safeguard customer trust and institutional stability.

eBook 3: Starting Your OR Implementation

For organisations looking to accelerate their journey, BCM Institute's training and certification programmes, including the OR-300 Operational Resilience Implementer and OR-5000 Operational Resilience Expert Implementer courses, provide in-depth insights and practical toolkits for embedding this model.