[OR] [GEL] [E2] [P1 to P3] [C1] OR Planning Methodology

Operational Resilience Planning Methodology for Great Eastern Life

Introduction

Great Eastern Life is one of the largest and longest-established life insurance providers in the region. As part of the financial services sector in Malaysia, the organisation operates in an increasingly complex risk environment characterised by digital transformation, cyber threats, third-party dependencies, and rising regulatory expectations.

Financial institutions are expected not only to maintain strong risk management and business continuity capabilities but also to demonstrate operational resilience—the ability to prevent, adapt to, respond to, recover, and learn from operational disruptions while continuing to deliver critical services to customers and the financial system.

Insurance companies such as Great Eastern Life play a crucial role in protecting individuals, families, and businesses from financial risks. Disruptions to key insurance services—such as policy administration, claims processing, premium payments, and digital customer services—can have significant consequences for policyholders, financial markets, and public confidence.

Recognising this, the Malaysian financial regulator, Bank Negara Malaysia (BNM), has introduced stronger expectations for operational resilience through policy frameworks and regulatory guidance. In particular, the 2025 BNM Discussion Paper on Operational Resilience outlines supervisory expectations for financial institutions to identify critical business services, set impact tolerances, map dependencies, and conduct severe but plausible scenario testing.

This eBook, “Implementing Operational Resilience in Insurance: A Practical Guide for Great Eastern Life,” presents a structured and practical methodology that can be applied by Great Eastern Life to build and sustain operational resilience capabilities aligned with regulatory expectations. The methodology is designed around three integrated phases:

• Plan – Establish the foundation, governance, and strategic direction for operational resilience.

• Implement – Identify and test critical services to ensure they can remain within acceptable impact tolerances during disruptions.
• Sustain – Embed resilience into organisational culture and continuously improve capabilities.

Together, these phases provide a systematic approach to building a resilient insurance organisation capable of maintaining essential services even during severe operational disruptions.

Phase 1: Plan – Establishing the Foundations

The Plan Phase focuses on establishing the strategic and governance foundations required to support an operational resilience programme. For Great Eastern Life, this phase ensures that resilience initiatives align with organisational objectives, risk management practices, and regulatory expectations.

Stage 1: Assess Capability and Maturity

The first stage involves assessing Great Eastern Life’s current resilience capabilities across areas such as business continuity management, disaster recovery, ICT resilience, cyber security, third-party risk management, and crisis management.

BNM expects financial institutions to evaluate their operational risk management frameworks and resilience readiness as part of enterprise risk governance. A maturity assessment enables the organisation to identify strengths, weaknesses, and areas requiring improvement.

Stage 2: Analyse Gap

Following the maturity assessment, the organisation performs a gap analysis comparing current practices with regulatory expectations and industry standards.

Examples of regulatory expectations highlighted in the BNM discussion paper include:

• Identification and prioritisation of critical business services
• Mapping of important business services to underlying resources and dependencies
• Establishment of impact tolerance thresholds for disruption
• Integration of ICT resilience and cyber risk management

This analysis provides clarity on what improvements are required for Great Eastern Life to achieve compliance and strengthen resilience capabilities.

Stage 3: Develop Strategy and Roadmap

In this stage, Great Eastern Life develops a multi-year operational resilience strategy and implementation roadmap. The roadmap defines:

• Key initiatives and milestones
• Resource requirements
• Governance structures
• Integration with existing BCM, risk management, and technology resilience programmes

BNM expects financial institutions to demonstrate clear board-level oversight and strategic direction for operational resilience initiatives.

Stage 4: Confirm Risk Appetite

Operational resilience requires defining the organisation’s risk appetite for service disruption. This includes establishing acceptable levels of downtime or disruption for services such as:

• Claims processing
• Policy servicing
• Premium payment processing
• Digital customer access

Regulators increasingly expect institutions to define impact tolerances based on customer harm, financial stability impact, and reputational damage, rather than purely technology recovery metrics.

Stage 5: Develop and Embed Governance

The final stage of the planning phase involves establishing governance structures, including:

• Operational resilience steering committees
• Board reporting mechanisms
• cross-functional resilience teams
• accountability across business units

BNM emphasises that senior management and board oversight are critical for effective resilience governance. Insurance companies must demonstrate clear responsibility for ensuring critical services remain operational during disruptions.

Phase 2: Implement – Translating Strategy into Action

The Implement Phase translates strategy into operational actions. It focuses on identifying critical business services and ensuring they can withstand severe disruptions.

Stage 1: Identify Critical Business Services

Great Eastern Life must identify services whose disruption would cause significant harm to customers or the financial system. Examples include:

• Policy issuance and underwriting
• Claims processing and benefit payments
• Premium collection and policy servicing
• Digital insurance platforms and customer portals

BNM’s operational resilience guidance highlights the importance of prioritising services based on potential customer harm and systemic impact.

Stage 2: Map Processes and Resources

Once critical services are identified, the organisation maps all supporting resources, including:

• People (operations teams, claims specialists, IT staff)
• Processes (policy administration workflows)
• Technology (policy administration systems, claims systems, digital platforms)
• Third-party providers (cloud providers, payment gateways, outsourced services)

BNM emphasises the need for institutions to understand internal and external dependencies, including third-party service providers.

Stage 3: Set Impact Tolerance

Impact tolerance defines the maximum acceptable level of disruption for a critical service.

For example:

BNM encourages financial institutions to set impact tolerances based on customer harm, financial impact, and regulatory obligations.

Stage 4: Conduct Scenario Testing

Scenario testing evaluates whether the organisation can remain within impact tolerance during severe disruptions.

Examples of severe but plausible scenarios include:

• Large-scale cyberattack on policy administration systems
• Failure of a cloud service provider
• Data centre outage affecting claims processing
• Pandemic-related workforce disruptions
• Payment network outages affecting premium collections

BNM expects financial institutions to conduct regular resilience testing and simulations to validate their operational capabilities.

Stage 5: Improve Lessons Learnt

Following scenario testing, Great Eastern Life should document lessons learned and implement improvements to strengthen resilience. Continuous improvement ensures that resilience capabilities evolve alongside emerging threats and technological changes.

Phase 3: Sustain – Embedding and Continuously Improving Resilience

The Sustain Phase ensures that operational resilience becomes an enduring organisational capability rather than a one-time initiative.

Stage 1: Introduce Cultural Change

Operational resilience must be embedded into organisational culture. Employees across all departments—from underwriting to IT—must understand their role in maintaining service continuity.

Stage 2: Develop Communication Strategy

A structured communication framework is required to manage crises and operational disruptions. This includes:

• internal crisis communication protocols
• regulator communication procedures
• customer communication during disruptions

BNM expects financial institutions to maintain clear crisis communication mechanisms with regulators and stakeholders.

Stage 3: Implement Training and Awareness

Regular training and awareness programmes ensure that employees understand resilience procedures, crisis response protocols, and operational recovery responsibilities.

Stage 4: Provide Self-Assessment

Self-assessments allow the organisation to periodically review its resilience capabilities and identify areas for improvement. This includes internal audits and management reviews.

Stage 5: Conduct Independent Quality Review

Independent reviews—such as internal audit or external assessments—provide assurance that operational resilience frameworks remain effective and aligned with regulatory expectations.

BNM expects financial institutions to demonstrate ongoing monitoring, testing, and improvement of resilience capabilities.

Operational resilience is becoming a fundamental expectation for financial institutions worldwide, including insurance companies operating in Malaysia. For organisations such as Great Eastern Life, building operational resilience is not only a regulatory requirement but also a strategic capability that protects policyholders, safeguards financial stability, and strengthens customer trust.

The three-phase Operational Resilience Planning Methodology—Plan, Implement, and Sustain—provides a structured framework for developing and maintaining resilience capabilities across the organisation. By establishing governance and strategic direction in the planning phase, identifying and testing critical business services in the implementation phase, and embedding resilience into organisational culture in the sustainment phase, Great Eastern Life can effectively prepare for and respond to operational disruptions.

Aligned with expectations from Bank Negara Malaysia, the approach outlined in this eBook ensures that Great Eastern Life can identify critical services, manage dependencies, define impact tolerances, conduct scenario testing, and continuously improve its resilience capabilities. Ultimately, operational resilience enables the organisation to deliver essential insurance services reliably—even during periods of significant disruption—thereby protecting customers, maintaining regulatory compliance, and supporting the stability of Malaysia’s financial system.

Blogs marked [x] are under construction.

Implementing Operational Resilience in Insurance: A Practical Guide for Great Eastern Life
C1	C2 [x]	C8 [x]	C14 [x]

 

	Implementing Operational Resilience in Insurance: A Practical Guide for Great Eastern Life
	ebook 2: Implementing Operational Resilience for Great Eastern Life
	C1	eBook 1	eBook 2	eBook 3	C20 [x]	C21 [x]
	"Plan" Phase of the Operational Resilience Planning Methodology
	C2 [x]	C3 [x]	C4 [x]	C5 [x]	C6 [x]	C7 [x]
	"Implement" Phase of the Operational Resilience Planning Methodology
	C8 [x]	C9 [x]	C10 [x]	C11 [x]	C12 [x]	C13 [x]
	"Sustain" Phase of the Operational Resilience Planning Methodology
	C14 [x]	C15 [x]	C16 [x]	C17 [x]	C18 [x]	C19 [x]

  

For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.

More Information About OR-5000 [OR-5] or OR-300 [OR-3]

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.

To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.

	If you have any questions, click to contact us.