[OR] [MIB] [E1] [C5] Identifying Critical Business Services

eBook 1: Chapter 5 What Are the Critical Business Services (CBS) of Maybank Investment Bank When Implementing an Operational Resilience Program?

Operational resilience refers to an organisation’s ability to continuously deliver critical business services despite disruptions—from cyber threats and system failures to natural disasters, third-party outages, and other operational shocks.

Instead of reacting only when incidents occur, operational resilience anticipates, adapts, responds to, absorbs, and recovers from disruptions, ensuring continuity for customers and protecting financial stability.

Within this framework, a Critical Business Service (CBS) is defined as a service that, if disrupted, would either:

• Cause intolerable harm to one or more clients, or
• Endanger the soundness, stability, or resilience of the financial system or the orderly operation of capital markets

This end-to-end, impact-focused view is the cornerstone of operational resilience and is central to how Maybank Investment Bank develops, governs, and prioritises resilience activities.

What Constitutes Critical Business Services for Maybank Investment Bank

Maybank Investment Bank, as a major Malaysian investment bank and key contributor to the capital markets, delivers multiple services whose disruption could significantly impair customer outcomes or systemic functions. Key CBS categories likely include:

Securities Trading and Execution Services

• Front-office trading and electronic execution platforms are essential for market access.
• A prolonged outage could frustrate clients, expose the bank and counterparties to risks, and disrupt market liquidity.

Corporate Finance & Capital Markets Advisory

• Services such as equity fundraising, debt issuance, and M&A advisory are time-sensitive.
• Failure to support transaction workflows could result in financial loss or reputational damage.

Custody, Clearing, and Settlement Capabilities

• Core post-trade activities ensure the safe and timely settlement of trades across markets.
• Disruptions here could undermine trust in securities processing and lead to regulatory scrutiny.

Risk Management & Market Risk Reporting

• These services underpin real-time valuation and compliance reporting for both internal risk controls and external obligations.
• Any interruption could hinder oversight and decision-making.

Client Account Management and Custodian Services

• Handling client assets, corporate actions, and margin accounts is fundamental to client relationships.
• Interruptions could trigger compensatory liabilities and loss of confidence.

Regulatory Reporting and Compliance Monitoring

• Ensures Maybank IB meets statutory obligations (e.g., trade reporting, capital adequacy, anti-money-laundering).
• Disruption risks regulatory non-compliance and financial penalties.

Each of these services must be mapped end-to-end (from clients and front-end systems to back-office processes and third-party dependencies), assessed for impact, and integrated into resilience planning and testing regimes.

CBS Identification and Impact Assessment

To operationalise CBS, MIB typically engages in a structured process that includes:

• Business Impact Analysis (BIA): Evaluating the impact of service disruption across financial, operational, regulatory, and reputational dimensions.
• Dependency Mapping: Documenting the people, technology, data, facilities, and third parties underpinning each service.
• Impact Tolerance Definition: Establishing maximum acceptable disruption tolerances and recovery objectives (such as Recovery Time Objectives and Recovery Point Objectives).

This service-centric, impact-driven assessment focuses resilience efforts where they matter most, aligns with regulatory expectations, and informs scenario testing, mitigation planning, and investment decisions.

Critical Business Services (CBS) of Maybank Investment Bank

Regulatory Expectations and Operational Resilience Requirements in Malaysia

Bank Negara Malaysia (BNM) has been progressively strengthening operational resilience expectations for financial institutions, including investment banks:

Business Continuity Management (BCM) Requirements

BNM’s Business Continuity Management policy document requires financial institutions to develop BCM frameworks that preserve the continuity of critical services within defined timeframes under disruptive conditions.

This framework emphasises integrated enterprise-wide planning and regular testing of continuity arrangements.

Although the standalone operational resilience framework is emerging, regulators in Malaysia increasingly view operational resilience as a priority—especially as disruptions become more frequent and complex.

Recent initiatives include:

• BNM’s Operational Resilience Discussion Paper (2025):
  This consultation paper sets out high-level principles for operational resilience and underscores the importance of maintaining critical financial services under stress. It encourages firms to strengthen governance, scenario planning, third-party risk management, and recovery capabilities.
• Integration with Operational Risk Policies:
  BNM documents on operational disruptions and cyber risk expectations are being incorporated into existing risk management standards.
• Risk Management in Technology (RMiT) Policy Updates:
  Updated RMiT policy places a stronger emphasis on technology risk controls, third-party reliance, and cybersecurity resilience, which are crucial enablers of continuity for CBS across digital platforms.

Regulatory Enforcement Examples

Regulators have imposed penalties on banks for sustained service disruptions that impacted CBS.

For example, BNM levied fines against major Malaysian banks—including penalties in excess of millions of ringgit—when electronic banking services experienced prolonged outages, highlighting regulators’ expectation that banks maintain resilience in critical infrastructure.

This reflects the principle that operational resilience tools (like timely incident mitigation, effective third-party oversight, and recovery planning) are not merely best practices but supervisory expectations.

The Role of CBS in Resilience Governance

For Maybank Investment Bank, identifying and managing CBS drives key operational resilience components:

• Governance and Accountability: Senior management and the Board oversee resilience strategies based on CBS criticality.
• Scenario Testing and Drills: Services deemed critical are tested against severe but plausible shock scenarios to assess whether resilience capabilities meet predefined impact tolerances.
• Third-Party Risk Management: With technology and outsourcing integral to many CBS, the bank ensures that third parties meet resilience standards consistent with regulatory expectations.

This shifts resilience from a siloed risk response to a business-centric capability that enhances the bank’s operational durability and protects clients and market stability.

Embedding Resilience through Critical Business Services

In an era of escalating operational risks and evolving regulatory scrutiny, the identification, prioritization, and protection of Critical Business Services is integral to Maybank Investment Bank’s operational resilience program.

By viewing its delivery of essential financial services through the lens of CBS and aligning governance, planning, testing, and recovery efforts accordingly, MIB better anticipates disruption, sustains service continuity, and supports Malaysia’s financial system stability.

These efforts also reflect emerging regulatory expectations from Bank Negara Malaysia, which increasingly emphasize comprehensive resilience planning beyond traditional business continuity practices.

Blogs marked [x] are under construction.

For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.