[OR] [MAS] [E2] [C8] Challenges in Implementation

eBook 2: Chapter 8

Challenges in Implementation

Introduction

Implementing operational resilience within financial institutions is a complex,  

While regulatory frameworks such as those issued by the Monetary Authority of Singapore provide clear expectations, translating these into practical, organisation-wide capabilities presents significant challenges.

MAS emphasises that financial institutions must build resilience in an environment characterised by increasing digitalisation, interconnected systems, and reliance on third parties.

At the same time, institutions are expected to identify vulnerabilities, eliminate single points of failure, and ensure continuous delivery of critical services.

This chapter examines four key implementation challenges: legacy systems constraints, data and dependency visibility gaps, third-party risk complexity, and cultural and organisational barriers.

Legacy Systems Constraints

The Burden of Legacy Infrastructure

Many financial institutions in Singapore operate on legacy IT systems that were not designed with modern resilience requirements in mind.

These systems often lack flexibility, scalability, and integration capabilities.

Key Challenges

• Limited System Interoperability
  Legacy systems may not integrate seamlessly with newer platforms, making end-to-end resilience difficult to achieve.

• Single Points of Failure
  Older architectures often contain critical dependencies that are difficult to replace or redesign, increasing vulnerability.

• Complex Recovery Processes
  Recovery procedures may be manual, slow, or poorly documented, hindering timely restoration of services.

• Constraints on Modernisation
  Upgrading or replacing legacy systems involves significant cost, risk, and operational disruption.

MAS Perspective

MAS expects institutions to identify and address vulnerabilities, including single points of failure, as part of their operational resilience framework .

However, doing so within legacy environments remains a major practical challenge.

Data and Dependency Visibility Gaps

The Need for End-to-End Visibility

Operational resilience requires a clear understanding of how critical business services are delivered, including all supporting resources and dependencies.

However, many organisations struggle to achieve this visibility.

Key Challenges

• Incomplete Dependency Mapping
  Institutions may lack a comprehensive view of dependencies across:
• Systems and applications
• Internal processes
• Third-party and fourth-party providers

• Data Silos
  Information is often fragmented across departments, making it difficult to build a unified view of operations.

• Dynamic and Evolving Environments
  Frequent changes in systems, vendors, and processes make it difficult to maintain accurate and up-to-date maps.

• Limited Real-Time Monitoring
  Without real-time visibility, organisations may struggle to detect and respond to disruptions promptly.

Impact on Operational Resilience

Visibility gaps can lead to:

• Delayed identification of disruptions
• Inaccurate assessment of impact on CBS
• Ineffective response and recovery actions

MAS expects institutions to adopt robust risk identification and monitoring processes, supported by tools and frameworks that provide comprehensive visibility across operations .

Third-Party Risk Complexity

Increasing Reliance on External Providers

The growing use of outsourcing, cloud services, and digital platforms has significantly increased third-party dependencies.

While these enhance efficiency, they also introduce complexity in managing resilience.

Key Challenges

• Limited Control Over Third Parties
  Financial institutions may have limited visibility and control over vendor operations and resilience capabilities.

• Concentration Risk
  Heavy reliance on a small number of providers (e.g., cloud service providers) creates systemic vulnerabilities.

• Fourth-Party Dependencies
  Vendors often rely on subcontractors, adding layers of complexity and risk.

• Cross-Border Risks
  Third-party services operating across jurisdictions introduce regulatory, legal, and geopolitical risks.

MAS Perspective

MAS has strengthened its focus on third-party risk management, recognising increased reliance on external providers and heightened cyber risks.

Institutions are expected to ensure that outsourcing arrangements do not compromise operational resilience and that risks are effectively managed across the entire service chain.

Cultural and Organisational Barriers

The Human Dimension of Resilience

Operational resilience is not purely a technical or regulatory exercise—it requires a fundamental shift in organisational culture and mindset.

Key Challenges

1. Siloed Organisational Structures

• Departments operate independently, limiting collaboration and information sharing
• Lack of alignment across business, IT, risk, and compliance functions

2. Compliance-Driven Mindset

• Focus on meeting regulatory requirements rather than building true resilience
• Tick-box approach to implementation

3. Resistance to Change

• Employees and management may resist new processes, frameworks, or responsibilities
• Difficulty in embedding resilience into day-to-day operations

4. Lack of Ownership and Accountability

• Unclear roles and responsibilities for operational resilience
• Limited senior management engagement

MAS Expectations

MAS emphasises the importance of strong governance, clear roles and responsibilities, and active oversight by senior management.

Institutions must ensure that operational resilience is embedded across the organisation, not confined to specific functions.

Interdependencies of Challenges

These challenges are not isolated—they are deeply interconnected:

• Legacy systems contribute to visibility gaps
• Visibility gaps exacerbate third-party risk complexity
• Cultural barriers hinder efforts to address all technical and operational challenges

This interconnectedness reinforces the need for a holistic and integrated approach to operational resilience.

Addressing Implementation Challenges

To overcome these challenges, financial institutions should:

• Modernise Technology Infrastructure
  Gradually replace or enhance legacy systems with resilient architectures
• Enhance Visibility and Mapping Capabilities
  Invest in tools and processes to improve dependency mapping and monitoring
• Strengthen Third-Party Risk Management
  Conduct rigorous vendor assessments and include third parties in resilience testing
• Embed a Resilience Culture
  Promote cross-functional collaboration and leadership accountability
• Adopt a Continuous Improvement Approach
  Regularly review and refine resilience capabilities in response to evolving risks

Implementing operational resilience in Singapore’s financial sector presents significant challenges, driven by legacy systems, visibility gaps, third-party complexity, and organisational barriers.

Guided by the expectations of the Monetary Authority of Singapore, financial institutions must navigate these challenges while ensuring the continuous delivery of critical business services.

Ultimately, overcoming these challenges requires more than technical solutions—it demands a strategic, integrated, and organisation-wide commitment to resilience.

By addressing these barriers systematically, institutions can move from regulatory compliance to true operational resilience maturity.

eBook 1	C1	C2	C3	C4	C5
eBook 1	C6	C7	C8	C9	C10

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.

 

More Information About OR-5000 [OR-5] or OR-300 [OR-3]

To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.

	If you have any questions, click to contact us.