[OR] [MM] [BNM] Operational Resilience Capability-level Assessment Aligned to Bank Negara Malaysia

Operational Resilience Maturity Assessment (BNM-Aligned)

This chapter contains a comprehensive Operational Resilience Capability Assessment Questionnaire tailored for Malaysian banks, aligned with the Bank Negara Malaysia 2025 Operational Resilience Discussion Paper, and structured using BCM Institute’s Capability & Maturity (P1-S1) approach.

The design reflects BNM’s emphasis on:

• Critical service continuity and systemic impact
• End-to-end dependency mapping (including third parties)
• Severe-but-plausible scenario testing
• Board accountability and governance
• Continuous improvement and resilience culture-

Operational Resilience Capability Assessment (Malaysia – BNM Aligned)

Assessment Structure

1. Governance, Accountability & Culture

Key Objective:

Assess Board and Senior Management ownership of resilience.

Assessment Questions

1. Has the Board formally approved an Operational Resilience framework aligned to BNM expectations?
2. Is there a designated accountable executive (e.g., Chief Operational Resilience Officer)?
3. Does the Board demonstrate technical understanding of resilience risks (e.g., cyber, third-party, systemic risk)?
4. Are resilience objectives integrated into enterprise strategy and risk appetite?
5. Are KPIs/KRIs linked to resilience outcomes (not just compliance)?
6. Does management actively promote a culture of transparency during disruptions?
7. Are incentives aligned to encourage escalation of risks and incidents?

👉 BNM emphasis: governance must evolve from oversight to ownership and accountability.

2. Identification of Critical Business Services (CBS)

Key Objective:

Ensure service-centric (not process-centric) resilience.

Assessment Questions

1. Has the institution identified its Critical Business Services (CBS)?
2. Are CBS defined based on:
• Customer impact?
• Financial stability/systemic impact?
3. Are CBS approved by Senior Management/Board?
4. Are CBS mapped across:
• Retail banking
• Payments and settlement
• Digital channels
5. Are CBS reviewed periodically for relevance?
6. Is there a clear distinction between:
• Critical services vs supporting processes?

👉 BNM shift: from internal processes → services that matter to customers and system stability.

3. Mapping of Interconnections & Dependencies

Key Objective:

Understand end-to-end service delivery vulnerabilities.

Assessment Questions

1. Has the bank performed end-to-end mapping for each CBS?
2. Does mapping include:
• People
• Processes
• Technology
• Third-party providers
3. Are interdependencies between CBS identified?
4. Are single points of failure identified and documented?
5. Are critical third-party providers classified based on service impact?
6. Is mapping updated for:
• New products
• System changes
• Outsourcing arrangements?
7. Are cross-border dependencies considered?

👉 BNM focus: increased digitalisation and interdependencies amplify systemic risk.

4. Impact Tolerance Setting

Key Objective:

Define acceptable disruption thresholds.

Assessment Questions

1. Has the institution defined impact tolerance for each CBS?
2. Are tolerances based on:
• Maximum tolerable downtime (MTD)
• Customer harm thresholds
• Financial/reputational impact?
3. Are tolerances approved by Senior Management/Board?
4. Are tolerances aligned with:
• Regulatory expectations
• Market/system stability requirements?
5. Are tolerances periodically reviewed and updated?
6. Are data loss tolerances (RPO-like metrics) defined?

👉 Key concept: resilience = ability to remain within impact tolerance, not just recovery.

5. Scenario Testing (Severe but Plausible)

Key Objective:

Validate resilience under stress.

Assessment Questions

1. Are scenario tests conducted on CBS (not just systems)?
2. Are scenarios:
• Severe but plausible?
• Multi-dimensional (cyber + third-party + operational)?
3. Do tests include:
• End-to-end service disruption?
• Cross-functional participation?
4. Are third-party failure scenarios tested?
5. Are results measured against impact tolerance thresholds?
6. Are weaknesses identified and tracked to closure?
7. Are scenario tests escalated to:
• Senior Management?
• Board level?

👉 BNM expectation: move from testing plans → testing real service resilience.

6. Incident Management, Response & Recovery

Key Objective:

Assess operational response capability.

Assessment Questions

1. Is there an integrated incident → crisis → recovery framework?
2. Are escalation thresholds clearly defined?
3. Is there a central command structure during disruptions?
4. Are communication protocols defined for:
• Customers
• Regulators
• Stakeholders?
5. Are recovery strategies aligned to CBS impact tolerance?
6. Are recovery plans tested regularly?
7. Is decision-making authority clearly defined during crises?

7. Third-Party Risk & Outsourcing Resilience

Key Objective:

Manage external dependencies.

Assessment Questions

1. Are critical third parties identified and classified?
2. Are resilience requirements embedded in:
• Contracts
• SLAs?
3. Are third parties required to demonstrate:
• Business continuity capability?
• Cyber resilience?
4. Are concentration risks assessed (e.g., cloud providers)?
5. Are contingency plans in place for third-party failure?
6. Are third parties included in scenario testing?
7. Is there continuous monitoring of vendor resilience?

👉 BNM emphasis: growing reliance on third parties and digital ecosystems increases systemic vulnerability.

8. Technology & Cyber Resilience Integration

Key Objective:

Ensure resilience of digital infrastructure.

Assessment Questions

1. Is cyber resilience integrated into operational resilience?
2. Are critical IT systems mapped to CBS?
3. Are backup and recovery capabilities aligned to impact tolerance?
4. Are cloud and digital platforms assessed for resilience risk?
5. Are cyber incident scenarios tested (e.g., ransomware)?
6. Is there real-time monitoring of system resilience?
7. Are legacy system risks identified and mitigated?

9. Metrics, Monitoring & Reporting

Key Objective:

Enable measurable resilience performance.

Assessment Questions

1. Are resilience metrics defined for each CBS?
2. Are metrics linked to:
• Availability
• Recovery time
• Customer impact?
3. Are dashboards available for Senior Management?
4. Are breaches of impact tolerance reported to regulators?
5. Are KRIs used to predict potential disruptions?
6. Is performance tracked across:
• Business units
• Third parties?
7. Are lessons learned incorporated into metrics?

10. Continuous Improvement & Learning

Key Objective:

Embed resilience as a dynamic capability.

Assessment Questions

1. Is there a structured lessons learned process after incidents/tests?
2. Are improvements tracked and validated?
3. Is resilience integrated into:
• Change management
• Product development?
4. Are emerging risks considered (e.g., AI, geopolitical disruptions)?
5. Are industry-wide disruptions analysed and incorporated?
6. Is benchmarking conducted against peers?
7. Is there continuous training and awareness?

👉 BNM direction: resilience must evolve continuously to address emerging risks and systemic threats.

11. Industry & Systemic Resilience Perspective

Key Objective:

Assess contribution to financial system stability.

Assessment Questions

1. Does the bank assess its systemic importance?
2. Are interbank dependencies (e.g., payment systems) mapped?
3. Are sector-wide disruption scenarios considered?
4. Does the institution participate in:
• Industry exercises?
• Regulatory stress testing?
5. Are contagion risks evaluated?
6. Are coordination mechanisms defined with:
• Regulators
• Industry players?

Scoring Framework (Example)

Conclusion

This assessment framework reflects a fundamental shift in BNM’s expectations:

• From BCM compliance → Operational resilience capability
• From process focus → service-centric resilience
• From testing plans → validating outcomes under stress
• From governance oversight → accountability and ownership

Ultimately, Malaysian banks are expected to demonstrate not just preparedness—but the ability to sustain critical services under severe disruption, supported by governance, testing, and continuous improvement.

Capability Rating Framework (Recommended)

Assessment Structure

Aligned to BCM Institute Capability Levels:

• Level 1 – Initial (Ad hoc)
• Level 2 – Developing (Defined)
• Level 3 – Established (Implemented)
• Level 4 – Managed (Integrated)
• Level 5 – Optimised (Adaptive/Resilient)

Use a 7-level maturity scale:

Maturity Rating Guide (Optional Scoring Model)

For each question, assign:

1. Level 0: Ad-hoc: Reactive, unstructured processes.
2. Level 1: Reactive: Basic frameworks with sporadic execution.
3. Level 2: Proactive: Formal policies and dedicated teams.
4. Level 3: Mature: Anticipatory risk management.
5. Level 4: Advanced: Integrated, data-driven strategies.
6. Level 5: Leading: Predictive analytics and automation.
7. Level 6: Excellence: Industry leadership through innovation.

Key Takeaways (Aligned to BNM Direction)

• Conclusion

  This assessment framework reflects a fundamental shift in BNM’s expectations:

  • From BCM compliance → Operational resilience capability
  • From process focus → service-centric resilience
  • From testing plans → validating outcomes under stress
  • From governance oversight → accountability and ownership

  Ultimately, Malaysian banks are expected to demonstrate not just preparedness—but the ability to sustain critical services under severe disruption, supported by governance, testing, and continuous improvement.