
Operational Resilience Capability and Maturity: Regulatory Audit Checklist

Regulatory Audit OR Capability Checklist: BNM BCM, RMiT, ORM

This chapter is a Regulatory Audit Checklist: Operational Resilience Capability Assessment (Malaysia), fully aligned to:

  • Bank Negara Malaysia (BNM) 2025 Discussion Paper on Operational Resilience 

  • Integration with BNM PD-BCM (Business Continuity Management Policy Document) 

  • RMiT (Risk Management in Technology) 

  • Operational Risk Management (ORM) expectations 

  • BCM Institute [OR] [P1-S1] Capability Assessment methodology 

The checklist uses an audit-ready table structure with the following columns:

  • Evaluation Criteria 

  • Expectation (Regulatory Alignment) 

  • Evidence Required 

  • Score (Fully / Partially / Not Demonstrated) 

  • Audit Comments 

 

Moh Heng Goh
Operational Resilience Planner-Specialist-Expert

Operational Resilience Capability Assessment (BNM-Aligned)


1. Governance, Oversight and Accountability

| Evaluation Criteria | Expectation (BNM PD-BCM / ORM Alignment) | Evidence Required | Score | Audit Comments |
|---|---|---|---|---|
| Board-approved Operational Resilience Framework | Board provides oversight and approves resilience strategy (BNM OR DP, ORM governance) | Board minutes, approved OR framework | | |
| Senior Management Accountability | Clear accountability for operational resilience at the senior level | Organisation chart, job descriptions, accountability matrix | | |
| Integration with ERM | OR integrated into the enterprise risk management framework | ERM framework, risk appetite statements | | |
| Three Lines of Defence Structure | Roles and responsibilities defined across 3LOD | Governance framework, RACI matrix | | |
| Resilience Reporting to Board | Regular reporting on resilience posture and incidents | Board reports, dashboards | | |


2. Identification of Critical Business Services (CBS)

| Evaluation Criteria | Expectation (BNM OR DP) | Evidence Required | Score | Audit Comments |
|---|---|---|---|---|
| CBS Identification Methodology | Bank identifies CBS based on customer, financial, and systemic impact | CBS methodology document | | |
| Approved CBS Inventory | Formal list of CBS approved by management | CBS register | | |
| CBS Ownership | Each CBS has an assigned accountable owner | Ownership records | | |
| Periodic Review of CBS | CBS reviewed periodically | Review records, governance minutes | | |
| Distinction from Processes/Systems | CBS is clearly distinguished from internal processes and IT systems | CBS definitions and mapping documents | | |


3. Impact Tolerance Setting

| Evaluation Criteria | Expectation (BNM OR DP / PD-BCM) | Evidence Required | Score | Audit Comments |
|---|---|---|---|---|
| Defined Impact Tolerances per CBS | Measurable tolerance thresholds established | Impact tolerance tables | | |
| Metrics Defined (RTO, Backlog, etc.) | Quantitative thresholds defined | KPI/KRI documents | | |
| Alignment with Risk Appetite | Impact tolerance aligned with enterprise risk appetite | Risk appetite statement | | |
| Monitoring of Tolerance Breaches | Breaches tracked and escalated | Incident logs, escalation reports | | |


4. Mapping Interdependencies

| Evaluation Criteria | Expectation (BNM OR DP / RMiT) | Evidence Required | Score | Audit Comments |
|---|---|---|---|---|
| End-to-End CBS Mapping | Full mapping of CBS across processes and systems | Mapping documentation | | |
| Dependency Identification (People, Process, Tech, Third Party) | Comprehensive dependency mapping | Dependency tables | | |
| Identification of Single Points of Failure | Critical vulnerabilities identified | Risk assessments, mapping outputs | | |
| Maintenance of Mapping | Mapping updated regularly | Version control records | | |


5. Scenario Testing and Resilience Validation

| Evaluation Criteria | Expectation (BNM OR DP / PD-BCM) | Evidence Required | Score | Audit Comments |
|---|---|---|---|---|
| Severe but Plausible Scenarios Defined | Scenario library established | Scenario inventory | | |
| End-to-End CBS Testing | Testing conducted at the service level | Test plans, reports | | |
| Inclusion of Multi-Domain Risks | Cyber, technology, and third-party risks are included | Scenario design documents | | |
| Lessons Learned Process | Improvements tracked post-testing | Post-exercise reports, action logs | | |


6. Technology and Cyber Resilience (RMiT Alignment)

| Evaluation Criteria | Expectation (RMiT / OR DP) | Evidence Required | Score | Audit Comments |
|---|---|---|---|---|
| Resilience of Critical Systems | Systems support CBS within tolerance levels | System architecture, DR test results | | |
| Redundancy and Recovery Capability | Systems designed with redundancy | DR/BCP documentation | | |
| Monitoring and Detection | Real-time monitoring in place | Monitoring dashboards, alerts | | |
| Cloud and Digital Risk Management | Cloud dependencies assessed and managed | Cloud risk assessments | | |


7. Third-Party Risk Management (TPRM)

| Evaluation Criteria | Expectation (BNM OR DP / Outsourcing Guidelines) | Evidence Required | Score | Audit Comments |
|---|---|---|---|---|
| Identification of Critical Third Parties | Third parties supporting CBS are identified | Vendor inventory | | |
| Due Diligence and Risk Assessment | Enhanced due diligence for critical vendors | Vendor risk assessments | | |
| Contractual Resilience Clauses | Contracts include resilience requirements | Vendor contracts | | |
| Concentration Risk Assessment | Concentration risks identified and mitigated | Risk reports | | |
| Inclusion in Testing | Third parties included in scenario testing | Exercise reports | | |


8. Incident and Crisis Management Capability

| Evaluation Criteria | Expectation (PD-BCM / ISO 22361 alignment) | Evidence Required | Score | Audit Comments |
|---|---|---|---|---|
| Incident Management Framework | Structured incident response process | Incident management policy | | |
| Crisis Management Structure | Defined crisis governance (command structure) | Crisis management plan | | |
| Escalation Protocols | Clear escalation thresholds defined | Escalation matrix | | |
| Crisis Communication Plans | Stakeholder communication plans defined | Communication plans | | |
| Testing of Crisis Response | Crisis exercises conducted | Exercise reports | | |


9. Recovery and Continuity Capability (PD-BCM Alignment)

| Evaluation Criteria | Expectation (PD-BCM) | Evidence Required | Score | Audit Comments |
|---|---|---|---|---|
| CBS-Aligned BCM Plans | Plans aligned to CBS, not just functions | BCM plans | | |
| Recovery Strategies Tested | Recovery strategies validated | Test results | | |
| Ability to Operate in Degraded Mode | Capability to prioritise critical services | Operational procedures | | |
| Alignment with Impact Tolerance | Recovery meets defined tolerance | Test evidence | | |


10. Metrics, Monitoring and Continuous Improvement

| Evaluation Criteria | Expectation (ORM / OR DP) | Evidence Required | Score | Audit Comments |
|---|---|---|---|---|
| Defined Resilience KPIs/KRIs | Metrics aligned to CBS resilience | KPI/KRI dashboards | | |
| Post-Incident Review Process | Lessons learned process in place | Incident review reports | | |
| Continuous Improvement Tracking | Actions tracked and implemented | Action logs | | |
| Reporting to Senior Management | Regular reporting of resilience metrics | Management reports | | |


11. Integration Across Risk Domains (Holistic OR Model)

| Evaluation Criteria | Expectation (BNM OR DP Integrated Approach) | Evidence Required | Score | Audit Comments |
|---|---|---|---|---|
| Integration with ORM | OR aligned with operational risk management | ORM framework | | |
| Integration with BCM | BCM embedded within OR framework | BCM policy and linkage documents | | |
| Integration with Cyber Resilience | Cyber resilience integrated into OR | Cyber framework | | |
| Integration with TPRM | Third-party risk integrated into OR | TPRM framework | | |
| Enterprise-wide Embedding | OR embedded in strategy and operations | Strategic plans, transformation programmes | | |


12. Scoring Rubric (Capability Level Alignment)

| Score | Rating | Level | Description |
|---|---|---|---|
| 6 | Fully Demonstrated | Innovative | Industry leadership through innovation |
| 5 | Fully Demonstrated | Optimising | Capability is fully implemented, measured, and optimised (continuously improved and integrated) |
| 4 | Largely Demonstrated | Well-defined | Minor gaps, largely effective (measured, monitored, and controlled) |
| 3 | Partially Demonstrated | Defined | Documented and consistently implemented |
| 2 | Limited Demonstration | Managed | Ad hoc or fragmented practices (defined but not consistently applied) |
| 1 | Not Demonstrated | Initial | Informal, inconsistent practices |
| 0 | Not Demonstrated | Undefined | No evidence of capability |

Usage

  • For auditor: score only Levels 1 to 5
  • For reviewer: score from 0 to 6 to report on capability

  • Level 0: Undefined: No evidence of capability
  • Level 1: Initial: Informal, inconsistent practices
  • Level 2: Managed: Defined but not consistently applied
  • Level 3: Defined: Documented and consistently implemented
  • Level 4: Well-defined: Measured, monitored, and controlled
  • Level 5: Optimising: Continuously improved and integrated
  • Level 6: Innovative: Industry leadership through innovation

13. Audit Summary (To be Completed by Auditor)

Overall Capability Level

  • Average Score: _______
  • Target Score: _______

Key Strengths

Key Gaps

Priority Recommendations

  • Strengthen CBS identification and governance
  • Enhance end-to-end scenario testing
  • Improve third-party resilience integration
  • Align impact tolerance with business strategy

Scoring and Audit Interpretation

Rating Scale: Maturity Rating Guide (Scoring Model)

Use the 7-level maturity scale (Level 0: Undefined through Level 6: Innovative) set out in the Usage notes of Section 12, and assign one level to each question.

Audit Outcome Categories

  • Regulatory Gap (L0–L2): Immediate remediation required
  • Compliant (L3–L4): Meets MAS minimum expectations
  • Mature (L5–L6): Demonstrates strong resilience capability


Key Takeaways (Aligned to BNM Direction)

 

This checklist reflects BNM’s direction toward integrated, service-centric, and outcome-driven operational resilience.

It ensures alignment across:

  • PD-BCM → Continuity capability
  • RMiT → Technology resilience
  • ORM → Risk governance
  • Operational Resilience → End-to-end service delivery

 

More Information About Blended Learning OR-5000 [BL-OR-5] or OR-300 [BL-OR-3]

To learn more about the course and schedule, click the buttons below for the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.
