In the context of operational resilience, impact tolerance is the maximum level of disruption a business service can withstand without causing intolerable harm to customers, the institution, or the financial system.
This concept goes beyond traditional recovery time objectives (RTO) to encompass broader customer and regulatory impacts, including compliance with AML/CFT, payment system obligations, and systemic stability.
For CIMB Bank, CBS‑2: Payment & Fund Transfer Services is a core service that supports transactions for retail, corporate, and institutional customers.
In designing impact tolerances for this service and its sub‑components, CIMB must consider both internal priorities and regulatory expectations emerging from frameworks such as the 2025 Bank Negara Malaysia discussion paper on operational resilience, which emphasises embedding operational resilience across people, processes, systems, and third‑party dependencies.
This chapter defines impact tolerance criteria for each Sub‑CBS within CBS‑2, articulating quantitative and qualitative thresholds that reflect both customer and regulatory impact considerations.
This enables a defensible resilience strategy that aligns with international best practices and emerging Malaysian regulatory expectations.
The tolerances below reflect regulatory expectations for availability, integrity, confidentiality, and financial stability while remaining realistic and testable.
|
Sub‑CBS Code |
Sub‑CBS |
MTD (hrs) |
MTDL |
Customer Impact |
Regulatory Impact |
Impact Type |
Current Resilience Status |
Action Required |
|
2.1 |
Customer-Initiated Transfers |
2 |
≤ 1 hr data loss |
High — inability to initiate payments causes immediate customer harm (funds movement delayed) |
Medium — service interruption reporting, payment obligations |
Service Availability |
Redundant systems in place; some batch dependencies |
Strengthen parallel processing & active standby |
|
2.2 |
Internal Processing & Routing |
4 |
≤ 1 hr data loss |
Medium — internal delays affect downstream settlement timing |
High — requires timely routing to clearing/settlement interfaces |
Processing Delay |
Resilience testing is conducted quarterly |
Increase real‑time monitoring & fallback logic |
|
2.3 |
Clearing & Settlement Interface |
2 |
≤ 30 min |
High — failed clearing delays settlement, affecting liquidity |
High regulatory settlement timing requirements |
System Outage |
Tested with key counterparties |
Implement additional settlement windows & contingency queues |
|
2.4 |
Foreign & Cross‑Border Payments |
6 |
≤ 1 hr |
High — cross‑border latency impacts corporates & forex |
Medium — compliance with TFS/AML |
External Dependency |
Multiple FX corridors available |
Strengthen third‑party SLAs, increase real‑time reconciliation |
|
2.5 |
Payment & Transfer Compliance Controls |
8 |
≤ 30 min |
High — compliance break can lead to regulatory sanctions |
Very High — AML/CFT, sanctions screening, regulatory reporting |
Control Failure |
Automated control systems; periodic model updates |
Enhance machine‑learning detection, tighter change governance |
|
2.6 |
Notification & Status Reporting |
3 |
≤ 2 hrs |
Medium — customers lack transaction status feedback |
Low |
Availability & Accuracy |
Real‑time push notifications |
Align to guaranteed queue persistence & resend logic |
|
2.7 |
Exception Handling & Remediation |
12 |
≤ 4 hrs |
Medium — slower handling may erode trust |
Medium — delayed exception reporting |
Operational Backlog |
Exceptions routed to central case management |
Increase automated remediation & SLA policing |
|
2.8 |
Settlement & Reconciliation Accounting |
4 |
≤ 1 hr |
Medium — accounting discrepancies affect financial accuracy |
High — accounting/reporting obligations |
Financial Accuracy |
Daily reconciliation; some real‑time checking |
Expand real‑time reconciliation coverage |
|
2.9 |
Service & Channel Monitoring |
1 |
N/A |
High — early detection prevents escalations |
High — regulator expects proactive monitoring |
Detection Latency |
Central monitoring platform |
Extend predictive analytics & cross‑channel correlation |
|
2.10 |
Customer Support & Dispute Resolution |
24 |
N/A |
High customer trust and dispute turnaround |
Medium — required responsiveness |
Service Responsiveness |
24×7 support available |
Implement omni‑channel escalation pathways |
Defining and implementing impact tolerances for CIMB Bank’s Payment & Fund Transfer Services enables the bank to clarify thresholds for acceptable disruption, align internal capabilities with regulatory expectations, and maintain stakeholder trust during service interruptions.
The tolerance settings above are intended to balance customer expectations, regulatory requirements, and operational realities, providing structured guidance on where investment and process strengthening are most needed.
Articulating these tolerances also drives scenario testing, governance oversight, and resilience planning, all of which are essential under frameworks emphasised by regulators such as Bank Negara Malaysia, which is increasingly moving towards impact‑based regulatory expectations in operational resilience discussions.
In practice, these tolerances should be periodically reviewed through stress testing and scenario exercises to ensure they remain aligned with evolving threats, technology changes, and regulatory developments.
|
Operational Resilience in Practice: The CIMB Bank Approach |
|||||
| eBook 3: Starting Your OR Implementation |
|||||
| CBS-2 Payment & Fund Transfer Services | |||||
| CBS-2 DP | CBS-2 MD | CBS-2 MPR | CBS-2 ITo | CBS-2 SuPS | CBS-2 ST |
| |
|
|
|
||
For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.
Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.
To learn more about the course and schedule, click the buttons below for the [OR-3] OR-300 Operational Resilience Implementer course and the [OR-5] OR-5000 Operational Resilience Expert Implementer course.
|
If you have any questions, click to contact us. |
||
|
|