[OR] [KIB] [E2] [P1 to P3] [C1] OR Planning Methodology

Operational Resilience for Kenanga Investment Bank: A Structured Three-Phase Methodology

Introduction

The financial services landscape in Malaysia is undergoing a fundamental shift. Operational disruptions—whether arising from cyber incidents, third-party failures, technology outages, pandemics, or geopolitical shocks—are no longer viewed as rare events but as inevitable stressors that institutions must be able to withstand.

For Kenanga Investment Bank, whose operations span investment banking, stockbroking, asset and wealth management, and digital financial services, operational resilience is not merely a defensive capability but a strategic imperative to preserve market confidence, protect clients, and sustain orderly financial markets.

This eBook sets out Kenanga Investment Bank’s Operational Resilience Planning Methodology, anchored in a pragmatic, regulator-aligned three-phase lifecycle: Plan, Implement, and Sustain.

The methodology reflects emerging supervisory expectations articulated by Bank Negara Malaysia (BNM)—particularly the themes introduced in the 2025 BNM Discussion Paper on Operational Resilience—which emphasise the ability of financial institutions to prevent, adapt, respond to, recover from, and learn from operational disruptions, while continuing to deliver critical business services within acceptable tolerance levels.

Purpose of This Chapter

This introductory chapter establishes the conceptual foundation for Kenanga Investment Bank’s resilience journey by:

• Explaining the rationale and structure of the three-phase methodology
• Demonstrating how resilience is embedded by design, rather than treated as a standalone compliance exercise
• Highlighting how the methodology aligns with BNM’s evolving supervisory focus, including service-centric resilience, governance accountability, scenario testing, and continuous improvement

Readers are expected to gain a clear understanding of why the methodology is structured as it is, how each phase builds upon the previous one, and what outcomes Kenanga Investment Bank seeks to achieve at each stage of the resilience lifecycle.

Overview of Kenanga’s Operational Resilience Planning Methodology

Kenanga Investment Bank’s methodology is intentionally designed as an end-to-end resilience lifecycle, recognising that resilience is not achieved through a single assessment or the adoption of a single framework, but through continuous planning, disciplined execution, and sustained cultural reinforcement.

Plan — Establishing the Foundations of Resilience

The Plan phase focuses on building a clear, risk-informed foundation for operational resilience. This phase ensures that Kenanga Investment Bank understands its current state, regulatory expectations, and strategic ambitions before implementing detailed resilience measures.

Stage 1: Assess Capability and Maturity

Kenanga evaluates its existing operational resilience capabilities across governance, technology resilience, third-party risk management, business continuity, and incident response. This assessment establishes a baseline maturity profile aligned to BNM’s expectations for proportionality and risk-based oversight.

Stage 2: Analyse Gap

Identified capabilities are compared with internal objectives and emerging regulatory themes—such as those outlined in the 2025 BNM Discussion Paper—highlighting gaps in service mapping, impact-tolerance definition, scenario testing, and accountability structures.

Stage 3: Develop Strategy and Roadmap

A structured resilience roadmap is developed, prioritising initiatives based on criticality, regulatory risk, and business impact. This roadmap integrates resilience objectives into Kenanga’s broader enterprise risk and digital transformation strategies.

Stage 4: Confirm Risk Appetite

Operational resilience risk appetite is formally articulated, defining acceptable levels of disruption to critical business services. This aligns with BNM’s emphasis on impact-driven tolerance thresholds, rather than technology-centric recovery metrics alone.

Stage 5: Develop and Embed Governance

Clear ownership, escalation mechanisms, and board-level oversight are established to ensure accountability. This includes alignment with BNM expectations regarding senior management responsibility and three lines of defence assurance.

Phase 2: Implement — Embedding Resilience into Core Operations

The Implement phase translates strategy into operational reality by embedding resilience principles directly into Kenanga’s business services, processes, systems, and third-party arrangements.

Stage 1: Identify Critical Business Services

Critical business services—such as trade execution, client asset safeguarding, settlement, and digital brokerage platforms—are identified based on their potential to harm customers, undermine market integrity, and threaten financial stability, consistent with BNM’s service-centric resilience approach.

Stage 2: Map Processes and Resources

End-to-end mapping of people, processes, technology, data, facilities, and third-party dependencies is conducted to reveal concentration risks and single points of failure.

Stage 3: Set Impact Tolerance

Quantitative and qualitative impact tolerances are established for each critical service, defining the maximum tolerable level of disruption before intolerable harm occurs—an approach strongly reinforced in the 2025 BNM Discussion Paper.

Stage 4: Conduct Scenario Testing

Severe but plausible scenarios—such as cyber-attacks, cloud service outages, market volatility surges, or third-party failures—are tested to assess Kenanga’s ability to remain within impact tolerances.

Stage 5: Improve Lessons Learnt

Findings from testing and real incidents are systematically analysed, documented, and fed back into control improvements, recovery strategies, and investment decisions.

Phase 3: Sustain — Embedding Resilience as a Way of Working

The Sustain phase ensures that operational resilience becomes an enduring organisational capability rather than a one-time programme.

Stage 1: Introduce Cultural Change

Resilience ownership is reinforced across business and support functions, ensuring that staff understand their role in protecting critical services—not just complying with policies.

Stage 2: Develop Communication Strategy

Clear internal and external communication protocols are established for disruptions, supporting transparency with regulators, clients, and market stakeholders in line with BNM’s supervisory expectations.

Stage 3: Implement Training and Awareness

Targeted training programmes build competence in incident response, crisis management, and resilience testing across all levels of the organisation.

Stage 4: Provide Self-Assessment

Regular self-assessments are conducted to evaluate ongoing compliance, progress in maturity, and alignment with evolving regulatory guidance.

Stage 5: Conduct Independent Quality Review

Independent assurance—through internal audit or external review—provides objective validation of the effectiveness of resilience and its continuous improvement.

Building a Resilient Future for Kenanga Investment Bank

Operational resilience is no longer defined by the ability to recover systems quickly; it is defined by the ability to protect critical business services under severe stress while maintaining trust in the financial system.

Through its structured Plan–Implement–Sustain methodology, Kenanga Investment Bank demonstrates a deliberate and forward-looking response to both operational risk realities and regulatory expectations in Malaysia.

The methodology outlined in this eBook reflects the core principles reinforced in the 2025 BNM Discussion Paper on Operational Resilience, including:

• A service-centric view of resilience rather than siloed risk management
• Clear impact tolerances tied to customer and market harm
• Strong governance and accountability at the board and senior management levels
• Continuous scenario testing, learning, and improvement

By embedding resilience by design, Kenanga Investment Bank positions itself to not only comply with evolving supervisory expectations but to enhance its operational robustness, protect stakeholder confidence, and support the long-term stability of Malaysia’s financial system.

As operational disruptions continue to evolve in scale and complexity, resilience will remain a journey rather than a destination.

This eBook serves as both a strategic guide and a practical reference, reinforcing Kenanga Investment Bank’s commitment to operational excellence, regulatory alignment, and sustainable growth in an increasingly uncertain world.

Blogs marked [x] are under construction.

For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.