
[OR] [MIB] [E2] [P1 to P3] [C1] OR Planning Methodology

Written by Moh Heng Goh | Mar 3, 2026 2:10:41 AM

eBook2: Chapter1

Operational Resilience for Maybank Investment Bank: A Structured Three-Phase Methodology

Introduction: Forging Resilience in Today’s Financial Landscape

In an era marked by rapid digital transformation, increasing external threats, and heightened stakeholder expectations, operational resilience is no longer a regulatory tickbox but a strategic imperative for leading financial institutions.

For a sophisticated investment bank like Maybank Investment Bank, resilience means the sustained ability to deliver critical services amid disruption, whether it be cybersecurity incidents, technology outages, systemic shocks, or third-party dependencies.

Operational resilience integrates risk management, governance, business continuity, and adaptive capacity into a unified enterprise capability, enabling institutions to anticipate, withstand, respond to, and learn from disruptions.

At Maybank Investment Bank, this journey is structured around a comprehensive Three-Phase Operational Resilience Planning Methodology: Plan, Implement, and Sustain.

Each phase consists of targeted stages that translate regulatory expectations and internal strategic needs into actionable frameworks and measurable outcomes.

This approach aligns closely with global standards, such as the Basel Committee’s principles for operational resilience, and with evolving expectations from regulators such as Bank Negara Malaysia (BNM).

In late 2025, BNM issued a discussion paper on operational resilience, signalling its emerging direction and key considerations that financial institutions must factor into their frameworks.

These include embedding robust governance, defining critical services and impact tolerances, reinforcing third-party oversight, mapping dependencies, and embedding continuous improvement practices organisation-wide.

For financial institutions operating in Malaysia, regulatory frameworks such as the Policy Document on Operational Risk Management (ORM), the Risk Management in Technology (RMiT) policy, and Business Continuity Management (BCM) guidelines serve as essential compliance baselines that reinforce many elements of operational resilience.

These frameworks require FIs to embed risk governance, maintain resilient technology and cybersecurity postures, conduct regular scenario testing, and ensure operational continuity under severe but plausible scenarios.

As market expectations and regulatory landscapes evolve, Maybank Investment Bank’s methodology embodies a forward-thinking, structured, and defensible approach, integrating compliance with BNM’s expectations and global best practices while enabling sustainable operational excellence.

Phase 1: Plan

The first phase sets the direction and ensures that the bank’s operational resilience efforts are governed, aligned with risk appetite, and informed by maturity insights.

The five stages in Phase 1 are:

  • Assess Capability and Maturity – Establish the current state of operational resilience across functions, processes, technology, people, and third-party dependencies, benchmarked against global and local regulatory expectations.
  • Analyse Gap – Identify shortfalls between current resilience practices and desired future states that align with internal strategy and regulatory expectations, including those hinted at by BNM’s 2025 discussion paper.
  • Develop Strategy and Roadmap – Translate insights into a forward-looking resilience strategy with clear milestones, deliverables, investment estimates, and accountabilities across business lines.
  • Confirm Risk Appetite – Define acceptable levels of disruption tolerance and align the bank’s risk appetite and tolerance statements with enterprise risk management and supervisory expectations (e.g., continuity thresholds for critical services).
  • Develop and Embed Governance – Establish oversight structures, roles, and responsibilities for operational resilience—anchored at the board and senior management levels—to ensure accountability and ongoing monitoring.

Through these stages, operational resilience is anchored in governance, clarity of purpose, alignment with broader enterprise risk strategies, and early engagement with regulators and stakeholders.

Phase 2: Implement

Having laid the foundation, Phase 2 focuses on translating strategy into practice:

  • Identify Critical Business Services – Define the bank’s most essential services whose disruption would materially affect customers, markets, and systemic stability.
  • Map Processes and Resources – Document the end-to-end processes, people, technology assets, and third-party interfaces that enable each critical service.
  • Set Impact Tolerance – Establish thresholds for acceptable loss or disruption for each critical service, including time, financial, and reputational metrics.
  • Conduct Scenario Testing – Simulate severe but plausible disruptions to assess the resilience of critical services and validate recovery plans.
  • Improve Lessons Learnt – Integrate insights from exercises, incidents, and testing into process refinement, mitigating strategies, and response playbooks.

This phase underscores the transition from planning to operational realities, ensuring that resilience capabilities are measurable, stress-tested, and capable of withstanding real-world disruptions.

Phase 3: Sustain

Sustainability ensures that operational resilience remains embedded in the organisational culture and continues to evolve:

  • Introduce Cultural Change – Champion resilience as a core value throughout the organisation to ensure proactive risk awareness and responsiveness.
  • Develop Communication Strategy – Implement clear frameworks for internal and external communication during incidents, and continuously engage stakeholders on resilience expectations.
  • Implement Training and Awareness – Equip teams with the knowledge, skills, and behaviors needed to identify, mitigate, and respond to operational risks.
  • Provide Self-assessment – Enable ongoing internal evaluation of resilience capabilities through self-assessment tools and dashboards.
  • Conduct Independent Quality Review – Leverage external assurance and audit functions to validate resilience practices, benchmark progress, and identify improvement opportunities.

This phase reinforces that resilience is not static but requires ongoing investment, learning, and cultural reinforcement.

Charting a Resilient, Adaptive Future

Operational resilience is both a strategic asset and a regulatory requirement for financial institutions like Maybank Investment Bank.

In the face of increasing digitalisation, interconnected risk landscapes and heightened customer expectations, the ability to anticipate, absorb and adapt to disruption is fundamental to long-term success and regulatory credibility.

By adopting a structured methodology—grounded in rigorous planning, disciplined implementation, and sustained reinforcement—Maybank Investment Bank positions itself not only to meet evolving Bank Negara Malaysia (BNM) expectations but to build trust with clients, partners, regulators, and the broader financial ecosystem.

Emerging regulatory signals from BNM and global best practices underscore the importance of deep governance integration, clear impact tolerances, comprehensive scenario testing, and continuous improvement.

These pillars are evident throughout the bank’s approach and emphasize resilience as an outcome of strategic risk management—not just an operational compliance exercise.

Through every phase of the Operational Resilience Planning Methodology, the bank’s journey exemplifies a forward-looking model that turns disruption into an opportunity for strategic advantage and sustainable growth.

 
  

 

For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.

 

 
