This chapter is a Regulatory Audit Checklist: Operational Resilience Capability Assessment (Malaysia), fully aligned to:
Bank Negara Malaysia (BNM) 2025 Discussion Paper on Operational Resilience
Integration with BNM PD-BCM (Business Continuity Management Policy Document)
RMiT (Risk Management in Technology)
Operational Risk Management (ORM) expectations
BCM Institute [OR] [P1-S1] Capability Assessment methodology
The checklist uses an audit-ready table structure with the following columns:
Evaluation Criteria
Expectation (Regulatory Alignment)
Evidence Required
Score (Fully / Partially / Not Demonstrated)
Audit Comments
| Evaluation Criteria | Expectation (BNM PD-BCM / ORM Alignment) | Evidence Required | Score | Audit Comments |
|---|---|---|---|---|
| Board-approved Operational Resilience Framework | Board provides oversight and approves resilience strategy (BNM OR DP, ORM governance) | Board minutes, approved OR framework | | |
| Senior Management Accountability | Clear accountability for operational resilience at the senior level | Organisation chart, job descriptions, accountability matrix | | |
| Integration with ERM | OR integrated into the enterprise risk management framework | ERM framework, risk appetite statements | | |
| Three Lines of Defence Structure | Roles and responsibilities defined across 3LOD | Governance framework, RACI matrix | | |
| Resilience Reporting to Board | Regular reporting on resilience posture and incidents | Board reports, dashboards | | |

| Evaluation Criteria | Expectation (BNM OR DP) | Evidence Required | Score | Audit Comments |
|---|---|---|---|---|
| CBS Identification Methodology | Bank identifies CBS based on customer, financial, and systemic impact | CBS methodology document | | |
| Approved CBS Inventory | Formal list of CBS approved by management | CBS register | | |
| CBS Ownership | Each CBS has an assigned accountable owner | Ownership records | | |
| Periodic Review of CBS | CBS reviewed periodically | Review records, governance minutes | | |
| Distinction from Processes/Systems | CBS is clearly distinguished from internal processes and IT systems | CBS definitions and mapping documents | | |

| Evaluation Criteria | Expectation (BNM OR DP / PD-BCM) | Evidence Required | Score | Audit Comments |
|---|---|---|---|---|
| Defined Impact Tolerances per CBS | Measurable tolerance thresholds established | Impact tolerance tables | | |
| Metrics Defined (RTO, Backlog, etc.) | Quantitative thresholds defined | KPI/KRI documents | | |
| Alignment with Risk Appetite | Impact tolerance aligned with enterprise risk appetite | Risk appetite statement | | |
| Monitoring of Tolerance Breaches | Breaches tracked and escalated | Incident logs, escalation reports | | |

| Evaluation Criteria | Expectation (BNM OR DP / RMiT) | Evidence Required | Score | Audit Comments |
|---|---|---|---|---|
| End-to-End CBS Mapping | Full mapping of CBS across processes and systems | Mapping documentation | | |
| Dependency Identification (People, Process, Tech, Third Party) | Comprehensive dependency mapping | Dependency tables | | |
| Identification of Single Points of Failure | Critical vulnerabilities identified | Risk assessments, mapping outputs | | |
| Maintenance of Mapping | Mapping updated regularly | Version control records | | |

| Evaluation Criteria | Expectation (BNM OR DP / PD-BCM) | Evidence Required | Score | Audit Comments |
|---|---|---|---|---|
| Severe but Plausible Scenarios Defined | Scenario library established | Scenario inventory | | |
| End-to-End CBS Testing | Testing conducted at the service level | Test plans, reports | | |
| Inclusion of Multi-Domain Risks | Cyber, technology, and third-party risks are included | Scenario design documents | | |
| Lessons Learned Process | Improvements tracked post-testing | Post-exercise reports, action logs | | |

| Evaluation Criteria | Expectation (RMiT / OR DP) | Evidence Required | Score | Audit Comments |
|---|---|---|---|---|
| Resilience of Critical Systems | Systems support CBS within tolerance levels | System architecture, DR test results | | |
| Redundancy and Recovery Capability | Systems designed with redundancy | DR/BCP documentation | | |
| Monitoring and Detection | Real-time monitoring in place | Monitoring dashboards, alerts | | |
| Cloud and Digital Risk Management | Cloud dependencies assessed and managed | Cloud risk assessments | | |

| Evaluation Criteria | Expectation (BNM OR DP / Outsourcing Guidelines) | Evidence Required | Score | Audit Comments |
|---|---|---|---|---|
| Identification of Critical Third Parties | Third parties supporting CBS are identified | Vendor inventory | | |
| Due Diligence and Risk Assessment | Enhanced due diligence for critical vendors | Vendor risk assessments | | |
| Contractual Resilience Clauses | Contracts include resilience requirements | Vendor contracts | | |
| Concentration Risk Assessment | Concentration risks identified and mitigated | Risk reports | | |
| Inclusion in Testing | Third parties included in scenario testing | Exercise reports | | |

| Evaluation Criteria | Expectation (PD-BCM / ISO 22361 alignment) | Evidence Required | Score | Audit Comments |
|---|---|---|---|---|
| Incident Management Framework | Structured incident response process | Incident management policy | | |
| Crisis Management Structure | Defined crisis governance (command structure) | Crisis management plan | | |
| Escalation Protocols | Clear escalation thresholds defined | Escalation matrix | | |
| Crisis Communication Plans | Stakeholder communication plans defined | Communication plans | | |
| Testing of Crisis Response | Crisis exercises conducted | Exercise reports | | |

| Evaluation Criteria | Expectation (PD-BCM) | Evidence Required | Score | Audit Comments |
|---|---|---|---|---|
| CBS-Aligned BCM Plans | Plans aligned to CBS, not just functions | BCM plans | | |
| Recovery Strategies Tested | Recovery strategies validated | Test results | | |
| Ability to Operate in Degraded Mode | Capability to prioritise critical services | Operational procedures | | |
| Alignment with Impact Tolerance | Recovery meets defined tolerance | Test evidence | | |

| Evaluation Criteria | Expectation (ORM / OR DP) | Evidence Required | Score | Audit Comments |
|---|---|---|---|---|
| Defined Resilience KPIs/KRIs | Metrics aligned to CBS resilience | KPI/KRI dashboards | | |
| Post-Incident Review Process | Lessons learned process in place | Incident review reports | | |
| Continuous Improvement Tracking | Actions tracked and implemented | Action logs | | |
| Reporting to Senior Management | Regular reporting of resilience metrics | Management reports | | |

| Evaluation Criteria | Expectation (BNM OR DP Integrated Approach) | Evidence Required | Score | Audit Comments |
|---|---|---|---|---|
| Integration with ORM | OR aligned with operational risk management | ORM framework | | |
| Integration with BCM | BCM embedded within OR framework | BCM policy and linkage documents | | |
| Integration with Cyber Resilience | Cyber resilience integrated into OR | Cyber framework | | |
| Integration with TPRM | Third-party risk integrated into OR | TPRM framework | | |
| Enterprise-wide Embedding | OR embedded in strategy and operations | Strategic plans, transformation programmes | | |

| Score | Rating | Level | Description |
|---|---|---|---|
| 6 | Fully Demonstrated | Innovative | Industry leadership through innovation |
| 5 | Fully Demonstrated | Optimising | Capability is fully implemented, measured, and optimised (Continuously improved and integrated) |
| 4 | Largely Demonstrated | Well-defined | Minor gaps, largely effective (Measured, monitored, and controlled) |
| 3 | Partially Demonstrated | Defined | Documented and consistently implemented |
| 2 | Limited Demonstration | Managed | Ad hoc or fragmented practices (Defined but not consistently applied) |
| 1 | Not Demonstrated | Initial | Informal, inconsistent practices |
| 0 | Not Demonstrated | Undefined | No evidence of capability |

For auditor: Score only for Level 1 to 5
For reviewer: Score from 0 to 6 to report on capability
Level 1: Initial: Informal, inconsistent practices
Level 2: Managed: Defined but not consistently applied
Level 3: Defined: Documented and consistently implemented
Level 4: Well-defined: Measured, monitored, and controlled
Level 5: Optimising: Continuously improved and integrated
Level 6: Innovative: Industry leadership through innovation.
Overall Capability Level
Key Strengths
Key Gaps
Priority Recommendations
Use a 7-level maturity scale:
Level 0: Undefined: No evidence of capability
Level 1: Initial: Informal, inconsistent practices
Level 2: Managed: Defined but not consistently applied
Level 3: Defined: Documented and consistently implemented
Level 4: Well-defined: Measured, monitored, and controlled
Level 5: Optimising: Continuously improved and integrated
Level 6: Innovative: Industry leadership through innovation.
This checklist reflects BNM’s direction toward:
Integrated, service-centric, and outcome-driven operational resilience
It ensures alignment across:
To learn more about the course and schedule, see the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.