[OR] [MAS] [E1] [C6] Operational Resilience Framework Overview

eBook 1: Chapter 6

 Monetary Authority of Singapore's (MAS) Regulatory Landscape

Purpose of the Chapter

This chapter provides an overview of the operational resilience framework   expected of financial institutions in Singapore, based on guidance from the Monetary Authority of Singapore (MAS).

MAS does not prescribe a single rigid framework. Instead, it expects financial institutions to adopt an integrated, holistic approach that combines multiple risk and resilience disciplines to ensure the continuous delivery of critical business services.

This chapter focuses on the integration of:

• Operational Risk Management (ORM)
• Business Continuity Management (BCM)
• Crisis Management (CM)
• Third-Party Risk Management (TPRM)

and how these collectively align with MAS expectations.

Concept of an Integrated Operational Resilience Framework

MAS promotes a service-centric, end-to-end resilience framework in which different risk management disciplines are not siloed but interconnected and mutually reinforcing.

The MAS BCM Guidelines explicitly require financial institutions to adopt an end-to-end service-centric view to ensure the continuous delivery of critical services.

This means that:

• Risks must be managed proactively (ORM)
• Disruptions must be absorbed and recovered from (BCM)
• Crises must be managed effectively (CM)
• External dependencies must be controlled (TPRM)

Operational resilience is therefore the integration layer that aligns these components into a unified framework.

Operational Risk Management (ORM) as the Preventive Foundation

Role of ORM in Resilience

Operational Risk Management forms the first line of defence by identifying and mitigating risks before disruptions occur.

Key ORM functions include:

• Risk identification and assessment
• Control design and implementation
• Monitoring and reporting of operational risks

MAS continues to enhance ORM expectations, emphasising a risk-proportionate approach aligned with the institution’s size, complexity, and risk exposure.

ORM Contribution to Operational Resilience

ORM contributes by:

• Reducing the likelihood of disruption
• Identifying emerging risks (e.g., cyber, third-party, digital risks)
• Supporting risk-informed decision-making

However, ORM alone is insufficient—it must be complemented by recovery and response capabilities.

Business Continuity Management (BCM) as the Recovery Backbone

Role of BCM

BCM ensures that financial institutions can:

• Respond to disruptions
• Recover critical business services within defined timeframes
• Maintain minimum service levels during incidents

MAS BCM Guidelines emphasise:

• Identification of critical business services
• Establishment of Service Recovery Time Objectives (SRTOs)
• End-to-end dependency mapping
• Regular testing, audit, and continuous improvement

BCM Contribution to Operational Resilience

BCM provides:

• Structured recovery strategies and plans
• Defined roles, responsibilities, and escalation protocols
• Mechanisms to restore services efficiently

It transforms resilience from a theoretical concept into a practical execution capability.

Crisis Management (CM) as the Strategic Response Layer

Role of Crisis Management

Crisis Management focuses on leadership, coordination, and decision-making during major disruptions.

Key elements include:

• Crisis governance and command structure
• Communication with stakeholders (customers, regulators, public)
• Strategic decision-making under uncertainty

MAS highlights the importance of establishing robust incident and crisis management frameworks as part of resilience planning.

CM Contribution to Operational Resilience

Crisis Management ensures:

• Timely escalation and coordination across functions
• Clear and consistent communication strategies
• Effective management of reputational and systemic risks

Without effective crisis management, even strong BCM capabilities may fail due to poor coordination and decision-making.

Third-Party Risk Management (TPRM) as an Extended Control Layer

Increasing Reliance on Third Parties

Financial institutions in Singapore increasingly depend on:

• Cloud service providers
• Fintech partners
• Outsourced service providers

This creates operational risk that extends beyond organisational boundaries.

MAS Expectations on TPRM

MAS has strengthened its focus on third-party risk management, proposing guidelines that:

• Extend beyond outsourcing to all third-party arrangements
• Require lifecycle management from onboarding to termination
• Emphasise governance, monitoring, and accountability

TPRM Contribution to Operational Resilience

TPRM ensures:

• Visibility of external dependencies
• Mitigation of concentration and systemic risks
• Assurance that third parties can support critical service continuity

Importantly, MAS reinforces that accountability remains with the financial institution, even when services are outsourced.

Integration of ORM, BCM, CM, and TPRM

Unified Framework

The operational resilience framework integrates all four components:

End-to-End Service Continuity

MAS expects institutions to ensure:

• End-to-end resilience across the service lifecycle
• Alignment of all components to support critical business services
• Continuous validation through testing and scenario analysis

This reflects a shift from functional resilience to service resilience.

Alignment with MAS Expectations

Service-Centric and Outcome-Based Approach

MAS requires financial institutions to:

• Focus on customer-facing service outcomes
• Ensure continuous delivery of critical services
• Define and operate within impact tolerances and recovery objectives

Risk-Based and Proportionate Implementation

The framework must be:

• Tailored to the institution’s risk profile and complexity
• Scalable and adaptable to changing environments
• Supported by strong governance and oversight

MAS explicitly promotes a risk-proportionate implementation approach, balancing operational burden with risk exposure.

Continuous Improvement and Testing

MAS expects institutions to:

• Conduct regular testing and exercises
• Perform independent audits
• Continuously improve based on lessons learned

Operational resilience is therefore a dynamic and evolving capability, not a static framework.

The operational resilience framework for financial institutions in Singapore is built on the integration of multiple disciplines, rather than reliance on any single function.

Under the guidance of the Monetary Authority of Singapore, institutions are expected to combine Operational Risk Management, Business Continuity Management, Crisis Management, and Third-Party Risk Management into a cohesive and effective framework.

This integrated approach ensures that financial institutions can not only prevent and manage risks but also respond, recover, and adapt to disruptions while maintaining the continuous delivery of critical services.

Ultimately, alignment with MAS expectations transforms operational resilience into a strategic capability, enabling institutions to navigate an increasingly complex, digital, and interconnected financial landscape.

eBook 1	C1	C2	C3	C4
	C5	C6	C7	C8

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.

 

More Information About OR-5000 [OR-5] or OR-300 [OR-3]

To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.

	If you have any questions, click to contact us.