Operational Resilience in Practice: The CIMB Bank Approach

[OR] [CIMB] [E3] [CBS] [1] [MPR] Map Processes and Resources


Dr Goh Moh Heng
Operational Resilience Certified Planner-Specialist-Expert

CBS-1 Retail & Digital Banking Access

Introduction

For CIMB Bank, CBS-1: Retail & Digital Banking Access is a mission-critical service enabling customers to securely access accounts, perform transactions, receive alerts, and interact through digital channels. In line with expectations outlined in the 2025 Bank Negara Malaysia (BNM) Discussion Paper on Operational Resilience, mapping processes and resources ensures the Bank clearly understands the end-to-end operational ecosystem supporting this service.

Regulatory guidance emphasises that financial institutions must identify the people, processes, technology, facilities, and third parties necessary to deliver critical business services, including upstream and downstream dependencies. This structured mapping supports impact tolerance setting, scenario testing, outsourcing risk management, and ICT resilience oversight.

Below is the detailed mapping for each Sub-CBS under CBS-1.


Table P3: Map Processes and Resources for CBS-1  

| Sub-CBF Code | Sub-CBS | Processes | People | Technology (Applications & Infrastructure) | Third-Party Vendors | Upstream / Downstream Dependencies |
|---|---|---|---|---|---|---|
| 1.1 | Online Banking Login & Authentication | Customer credential validation, MFA issuance, session management, password reset workflows | IT Security Team, IAM Administrators, SOC Analysts | Identity & Access Management (IAM), Single Sign-On (SSO), Authentication servers, Web application firewall (WAF), Data centres/cloud infrastructure | OTP SMS providers, Email service providers | Upstream: Customer master data, network connectivity; Downstream: Dashboard access, transaction services |
| 1.2 | Account Dashboard & Balance Inquiry | Real-time account retrieval, transaction history display, and caching management | Application Support, Database Administrators, DevOps | Core banking system, Middleware/API services, Database clusters, Load balancers | Cloud hosting provider (if hybrid), Infrastructure maintenance vendors | Upstream: Successful authentication; Downstream: Funds transfer, reporting, alerts |
| 1.3 | Funds Transfer & Payment Services | Payment initiation, validation, fraud screening, clearing & settlement, reconciliation | Payments Operations Team, Fraud Monitoring Team, Compliance Officers | Payment engine, Core banking integration, SWIFT/FAST/RTGS connectivity, Anti-fraud systems | Clearing houses, SWIFT network, and payment gateway providers | Upstream: Account balance confirmation; Downstream: Alerts, audit logs, regulatory reporting |
| 1.4 | Mobile App Transaction Processing | API request handling, mobile session control, transaction orchestration | Mobile Development Team, IT Operations, Cybersecurity Team | Mobile backend APIs, Microservices architecture, App servers, DDoS protection systems | App Store/Google Play, Push notification services | Upstream: Authentication services; Downstream: Payments engine, notification services |
| 1.5 | Retail Digital Onboarding | e-KYC verification, AML screening, e-signature capture, account creation workflow | KYC/AML Officers, Digital Onboarding Team, Risk Management | Digital onboarding platform, Biometric verification tools, Document capture systems | Identity verification vendors, AML screening providers | Upstream: Customer data submission; Downstream: Core banking account creation, login provisioning |
| 1.6 | Digital Alerts & Notification Services | Trigger-based alert generation, SMS/email/push dispatch, escalation management | IT Messaging Team, Customer Communications Team | Alert engine, Messaging servers, Email/SMS gateways, Telecom links | Telcos, Email delivery vendors | Upstream: Payment or account event triggers; Downstream: Customer devices, CRM updates |
| 1.7 | Customer Support & Chatbot Interface | Query routing, chatbot response management, ticket escalation | Customer Service Officers, Chatbot Supervisors, IT Support | CRM platform, Chatbot AI engine, Knowledge base systems, Call centre systems | AI/NLP solution providers, Contact centre vendors | Upstream: Customer interaction requests; Downstream: Case resolution workflows, complaints management |
| 1.8 | API Gateway & Third-Party Integrations | API authentication, rate limiting, traffic monitoring, partner onboarding | API Development Team, Integration Specialists, Vendor Management | API gateway platform, Developer portal, Encryption tools, Network firewalls | Fintech partners, Aggregators, Open banking service providers | Upstream: Core banking services; Downstream: External partner platforms, regulatory data interfaces |
| 1.9 | Access Monitoring & Security Event Logging | Log aggregation, anomaly detection, and incident escalation | SOC Analysts, IT Risk Management, Cybersecurity Team | SIEM platform, Log servers, Threat intelligence feeds, Intrusion detection systems | Cybersecurity monitoring vendors | Upstream: All digital channel activity; Downstream: Incident response, regulatory breach reporting |
| 1.10 | Back-End Data Synchronisation & Recovery | Real-time replication, scheduled backup, and disaster recovery (DR) activation | Infrastructure Team, Database Administrators, BCM Team | Data replication tools, DR site infrastructure, Backup storage systems, Cloud recovery solutions | Cloud backup providers, DR hosting vendors | Upstream: Core banking and transaction systems; Downstream: Recovery environment, regulatory reporting systems |

Summing Up

Mapping processes and resources for CBS-1: Retail & Digital Banking Access enables CIMB Bank to gain full visibility over the operational ecosystem supporting customer access and digital services. In accordance with the 2025 BNM Discussion Paper on Operational Resilience, this structured mapping identifies:

  • Critical internal capabilities (people and technology),

  • Key third-party dependencies and outsourcing risks,

  • Interconnected upstream and downstream systems,

  • Potential single points of failure.

This end-to-end view forms the foundation for impact tolerance setting, severe-but-plausible scenario design, third-party risk management, and disaster recovery planning. By continuously reviewing and validating these mapped dependencies through scenario testing, CIMB Bank strengthens its ability to maintain digital banking access even during operational, cyber, or systemic disruptions — preserving customer trust and regulatory compliance.


eBook 3: Starting Your OR Implementation