eBook OR

[OR] [CIMB] [E3] [CBS] [1] [ITo] Establish Impact Tolerances

Written by Dr Goh Moh Heng | Feb 16, 2026 6:01:09 AM

CBS-1 Retail & Digital Banking Access

Introduction

For CIMB Bank, CBS-1: Retail & Digital Banking Access represents a customer-facing critical business service that directly affects financial access, payments, onboarding, and digital engagement.

In line with operational resilience principles and expectations set out in the 2025 Bank Negara Malaysia (BNM) Discussion Paper on Operational Resilience, impact tolerances must define the maximum level of disruption the bank is willing to tolerate before causing intolerable harm to customers, market integrity, or regulatory compliance.


Establishing measurable thresholds — such as Maximum Tolerable Downtime (MTD) and Maximum Tolerable Data Loss (MTDL) — ensures CIMB can prioritise recovery strategies, technology investments, and scenario testing. The tolerances below reflect regulatory expectations for availability, integrity, confidentiality, and financial stability while remaining realistic and testable.

Table P4: Establish Impact Tolerance for CBS-1

Sub-CBS Code

Sub-CBS

Maximum Tolerable Downtime (MTD)

Maximum Tolerable Data Loss (MTDL)

Customer Impact

Regulatory Impact

Impact Type

Current Resilience Status

Action Required

1.1

Online Banking Login & Authentication

2 hours

0 minutes

High – Customers unable to access accounts

Moderate – Access control & audit trail obligations

Availability & Security

Strong but capacity-sensitive

Enhance MFA redundancy, geo-distributed authentication servers

1.2

Account Dashboard & Balance Inquiry

4 hours

0 minutes

High – Inability to view balances affects decision-making

Moderate – Data accuracy expectations

Availability & Integrity

Moderate

Strengthen database replication & real-time monitoring

1.3

Funds Transfer & Payment Services

1 hour

0 minutes

Very High – Financial loss, reputational damage

High – Payment system compliance & reporting

Availability & Integrity

Moderate

Strengthen payment engine failover, alternate routing & liquidity buffers

1.4

Mobile App Transaction Processing

2 hours

0 minutes

High – App users are unable to transact

Moderate – Consumer protection obligations

Availability

Moderate

Improve auto-scaling infrastructure & DDoS protection

1.5

Retail Digital Onboarding

6 hours

0 minutes

Medium – New customers are unable to open accounts

High – KYC/AML regulatory compliance

Availability & Compliance

Moderate

Maintain backup e-KYC providers, offline fallback workflows

1.6

Digital Alerts & Notification Services

8 hours

0 minutes

Medium – Customers are unaware of transactions

Moderate – Regulatory alert obligations

Availability

Moderate

Implement multi-channel redundancy & telecom failover

1.7

Customer Support & Chatbot Interface

12 hours

0 minutes

Medium – Delayed issue resolution

Low to Moderate – Complaint handling standards

Availability

Moderate

Expand call centre surge capacity & chatbot failover

1.8

API Gateway & Third-Party Integrations

2 hours

0 minutes

High – Partner services disrupted

Moderate – Outsourcing & ICT risk management obligations

Availability & Operational Dependency

Moderate

Implement API clustering, enhanced SLA oversight

1.9

Access Monitoring & Security Event Logging

24 hours (monitoring visibility)

1 hour

Low immediate customer impact but high risk exposure

High – Regulatory breach reporting & cybersecurity obligations

Integrity & Security

Moderate

Deploy redundant SIEM, immutable offsite logging

1.10

Back-End Data Synchronisation & Recovery

4 hours

15 minutes

High Risk of data inconsistency or prolonged outage

High – Regulatory reporting & data retention obligations

Availability & Integrity

Moderate

Increase replication frequency, conduct regular DR simulation tests

By establishing defined impact tolerances for CBS-1: Retail & Digital Banking Access, CIMB Bank demonstrates alignment with regulatory expectations and international best practices in operational resilience. The tolerances differentiate between customer harm thresholds, regulatory exposure, and financial system stability considerations, ensuring proportional recovery priorities.

Regular review, scenario testing, and validation against severe but plausible disruptions are essential to confirm that these tolerances remain appropriate. As digital banking dependency increases, maintaining strong availability, zero data loss for transactional services, and robust cyber monitoring will remain critical. Clearly defined impact tolerances, therefore, serve not only as compliance tools but also as strategic resilience benchmarks that safeguard customer trust and institutional stability.

 

Operational Resilience in Practice: The CIMB Bank Approach
eBook 3: Starting Your OR Implementation
CBS-1 Retail & Digital Banking Access
CBS-1 DP CBS-1 MD CBS-1 MPR CBS-1 ITo CBS-1 SuPS CBS-1 ST

For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.

 



More Information About OR-5000 [OR-5] or OR-300 [OR-3]

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.

To learn more about the course and schedule, click the buttons below for the [OR-3] OR-300 Operational Resilience Implementer course and the [OR-5] OR-5000 Operational Resilience Expert Implementer course.

If you have any questions, click to contact us.

 
View full post