Operational Resilience eBook Series: Regulatory Audit Checklist

Regulatory Audit Checklist: BNM BCM, RMiT, ORM

This chapter contains a Regulatory Audit Checklist for Operational Resilience and BCM tailored for financial institutions regulated by Bank Negara Malaysia (BNM).

It is aligned primarily to:

  • BNM Policy Document on Business Continuity Management (PD-BCM, 19 Dec 2022)
  • BNM Risk Management in Technology (RMiT)
  • BNM Operational Risk expectations (including OR governance and internal controls)
  • BNM Discussion Paper on Operational Resilience (2025)

The checklist follows the Plan → Implement → Test → Improve lifecycle and mirrors supervisory expectations for audit, compliance validation, and regulatory readiness.

Moh Heng Goh
Operational Resilience Planner-Specialist-Expert


Section 1. Governance, Oversight, and Accountability

| Audit Area | Audit Checklist Questions | BNM OR Focus | Evidence Required | Rating |
|---|---|---|---|---|
| Board Accountability | Has the Board approved an Operational Resilience framework and clearly articulated resilience outcomes? | Board accountability for resilience outcomes | Board minutes, OR policy | |
| Senior Management Ownership | Is senior management accountable for ensuring the continuity of critical business services? | Senior management responsibility | Governance documents | |
| Resilience Strategy | Is there a documented operational resilience strategy aligned to business objectives? | Strategic alignment | Strategy papers | |
| Risk Appetite | Has the institution defined risk appetite, including disruption tolerance thresholds? | Outcome-based tolerance | Risk appetite statement | |
| Governance Structure | Are roles and responsibilities clearly defined across the organisation? | Clear accountability model | Org charts, RACI | |
| Enterprise Integration | Is operational resilience integrated across risk, BCM, IT, and business functions? | Integrated resilience approach | Framework documents | |
| Group & Cross-Border Governance | Is governance applied consistently across subsidiaries and cross-border operations? | Cross-border resilience | Group policies | |

Section 2. Identification of Critical Business Services

| Audit Area | Audit Checklist Questions | BNM OR Focus | Evidence Required | Rating |
|---|---|---|---|---|
| CBS Identification | Has the institution identified its Critical Business Services (CBS)? | Service-centric resilience | CBS inventory | |
| External Outcome Focus | Are CBS defined based on the delivery of outcomes to customers and stakeholders? | Outcome-based approach | CBS definitions | |
| Systemic Importance | Are services assessed for systemic importance and their impact on financial stability? | Financial system stability | Service classification | |
| Approval | Are CBS approved by senior management and the Board? | Governance oversight | Approval records | |
| Periodic Review | Are CBS regularly reviewed to reflect changes in business and environment? | Dynamic resilience | Review logs | |

Section 3. Mapping of Interconnections and Dependencies

| Audit Area | Audit Checklist Questions | BNM OR Focus | Evidence Required | Rating |
|---|---|---|---|---|
| End-to-End Mapping | Are CBS mapped end-to-end across processes, systems, people, and third parties? | End-to-end visibility | Process maps | |
| Dependency Identification | Are all dependencies (internal and external) identified? | Dependency transparency | Dependency tables | |
| Interconnectedness | Are interconnections across financial ecosystem participants identified? | Ecosystem resilience | Architecture diagrams | |
| Third-Party Mapping | Are third parties linked to specific CBS and dependencies? | Third-party integration | Vendor mapping | |
| Concentration Risk | Are concentration risks and single points of failure identified? | Concentration risk management | Risk assessments | |
| Dynamic Updates | Are mappings updated following material changes? | Change responsiveness | Change logs | |

Section 4. Impact Tolerance and Disruption Thresholds

| Audit Area | Audit Checklist Questions | BNM OR Focus | Evidence Required | Rating |
|---|---|---|---|---|
| Impact Tolerance Definition | Are impact tolerances defined for each CBS? | Outcome-based resilience thresholds | Impact tolerance statements | |
| Measurable Metrics | Are tolerances expressed in measurable terms (e.g., time, service degradation)? | Quantifiable outcomes | BIA outputs | |
| Severe Disruption Thresholds | Are thresholds defined for severe but plausible disruptions? | Stress threshold definition | Scenario definitions | |
| Multi-Dimensional Impact | Are tolerances based on customer harm, financial loss, or regulatory impact? | Holistic impact view | Impact analysis | |
| Approval | Are tolerances approved at appropriate governance levels? | Governance oversight | Approval records | |
| Alignment with Risk Appetite | Are tolerances aligned with risk appetite and strategy? | Strategic alignment | Risk appetite documents | |

Section 5. Risk Identification, Assessment, and Control (ORM Integration)

| Audit Area | Audit Checklist Questions | BNM OR Focus | Evidence Required | Rating |
|---|---|---|---|---|
| Risk Framework | Is there a comprehensive risk management framework supporting operational resilience? | Integrated risk management | ORM policy | |
| Risk Identification | Are risks identified across CBS, dependencies, and the ecosystem? | End-to-end risk visibility | Risk registers | |
| Emerging Risks | Are emerging risks (cyber, digitalisation, climate, geopolitical) assessed? | Forward-looking risk assessment | Risk reports | |
| Risk Assessment | Are risks assessed based on likelihood and impact? | Risk quantification | Risk assessment reports | |
| Control Effectiveness | Are controls implemented and regularly assessed? | Control assurance | Control testing reports | |
| Residual Risk Monitoring | Are residual risks monitored against tolerance thresholds? | Risk monitoring | Risk dashboards | |

Section 6. Scenario Testing – Severe but Plausible Scenarios

| Audit Area | Audit Checklist Questions | BNM OR Focus | Evidence Required | Rating |
|---|---|---|---|---|
| Testing Programme | Is there a structured scenario testing programme? | Testing discipline | Testing plan | |
| Scenario Design | Are scenarios severe but plausible and aligned to the risk profile? | Realistic stress scenarios | Scenario library | |
| End-to-End Testing | Are CBS tested end-to-end against disruption thresholds? | Outcome validation | Test reports | |
| Impact Tolerance Validation | Do tests validate whether tolerances can be maintained? | Outcome measurement | Test evaluation | |
| Cross-Entity Testing | Are scenarios tested across business units and jurisdictions? | Group resilience | Test documentation | |
| Third-Party Inclusion | Are third parties included in testing? | Ecosystem resilience | Participation records | |
| Remediation | Are gaps identified and tracked to closure? | Continuous improvement | Action logs | |

Section 7. Business Continuity and Recovery Capabilities

| Audit Area | Audit Checklist Questions | BNM OR Focus | Evidence Required | Rating |
|---|---|---|---|---|
| BCM Alignment | Is BCM aligned with operational resilience outcomes? | Outcome-based BCM | BCM policy | |
| Recovery Strategies | Are recovery strategies defined for CBS? | Service continuity | Strategy documents | |
| Resource Readiness | Are resources available to support recovery? | Operational readiness | Resource inventories | |
| Recovery Effectiveness | Can CBS be restored within defined tolerances? | Outcome validation | Test results | |

Section 8. Technology and Cyber Resilience

| Audit Area | Audit Checklist Questions | BNM OR Focus | Evidence Required | Rating |
|---|---|---|---|---|
| System Resilience | Are systems designed with resilience (redundancy, failover)? | Technology resilience | Architecture diagrams | |
| Cyber Integration | Is cyber resilience integrated into operational resilience? | Cyber resilience integration | Cyber frameworks | |
| Monitoring | Are systems continuously monitored for disruptions? | Real-time monitoring | Monitoring dashboards | |
| Cloud Dependencies | Are cloud and digital dependencies assessed for resilience risk? | Digital resilience | Cloud risk assessments | |
| Data Recovery | Are data protection and recovery mechanisms effective? | Data resilience | Backup logs | |

Section 9. Third-Party and Ecosystem Risk Management

| Audit Area | Audit Checklist Questions | BNM OR Focus | Evidence Required | Rating |
|---|---|---|---|---|
| Vendor Criticality | Are critical third parties identified? | Third-party criticality | Vendor inventory | |
| Due Diligence | Are third parties assessed for resilience capability? | Pre-engagement assessment | Due diligence reports | |
| Contractual Controls | Are resilience expectations embedded in contracts? | Contractual assurance | Contracts | |
| Continuous Monitoring | Are third-party risks continuously monitored? | Ongoing oversight | Performance reports | |
| Concentration Risk | Is the concentration risk across providers assessed? | Systemic risk | Risk analysis | |
| Exit Strategy | Are contingency and exit plans defined? | Continuity planning | Exit plans | |

Section 10. Incident and Crisis Management

| Audit Area | Audit Checklist Questions | BNM OR Focus | Evidence Required | Rating |
|---|---|---|---|---|
| Incident Framework | Is there a formal incident management framework? | Incident response capability | Incident procedures | |
| Escalation Protocol | Are escalation thresholds defined? | Timely response | Escalation matrix | |
| Crisis Governance | Is there a crisis management structure? | Leadership during crisis | Org charts | |
| Communication | Are communication protocols defined for stakeholders? | Stakeholder management | Communication plans | |
| Regulatory Engagement | Are procedures in place for regulatory communication? | Supervisory engagement | Reporting procedures | |
| Post-Incident Review | Are lessons learned captured and applied? | Continuous improvement | Review reports | |

Section 11. Continuous Improvement, Metrics, and Assurance

| Audit Area | Audit Checklist Questions | BNM OR Focus | Evidence Required | Rating |
|---|---|---|---|---|
| Improvement Framework | Is there a structured, continuous improvement process? | Ongoing resilience enhancement | Improvement logs | |
| Metrics | Are resilience KPIs/KRIs defined and monitored? | Measurable resilience | Dashboards | |
| Independent Assurance | Is operational resilience subject to independent review/audit? | Assurance function | Audit reports | |
| Issue Tracking | Are issues tracked to closure? | Accountability | Issue logs | |
| Regulatory Alignment | Are frameworks reviewed against evolving regulatory expectations? | Supervisory alignment | Gap analysis | |

Section 12. Change Management and Future Readiness

| Audit Area | Audit Checklist Questions | BNM OR Focus | Evidence Required | Rating |
|---|---|---|---|---|
| Change Framework | Is there a formal change management process? | Governance | Change policies | |
| Risk Assessment | Are changes assessed for resilience impact? | Risk-informed change | Change risk assessments | |
| Innovation Risk | Are risks from digitalisation, AI, and innovation assessed? | Future risk readiness | Risk reports | |
| Strategic Roadmap | Is there a forward-looking operational resilience roadmap? | Strategic resilience | Roadmap documents | |

Scoring and Audit Interpretation

Rating Scale

For each question, assign one of the following maturity levels:

  • Level 0: Ad-hoc: Reactive, unstructured processes. (Non-compliant)
  • Level 1: Reactive: Basic frameworks with sporadic execution. (Documented but inconsistent)
  • Level 2: Proactive: Formal policies and dedicated teams. (Documented)
  • Level 3: Mature: Anticipatory risk management. (Consistent execution)
  • Level 4: Advanced: Integrated, data-driven strategies. (Measured and monitored)
  • Level 5: Leading: Predictive analytics and automation. (Continuous improvement and leading practice)
  • Level 6: Excellence: Industry leadership through innovation.

Audit Outcome Categories

  • Regulatory Gap (L0–L2): Immediate remediation required
  • Compliant (L3–L4): Meets MAS minimum expectations
  • Mature (L5–L6): Demonstrates strong resilience capability

 


Key Takeaways (Aligned to MAS Direction)

This checklist reflects the BNM 2025 direction toward outcome-based operational resilience, where institutions are expected to:

  • Ensure continuous delivery of critical business services
  • Operate within defined disruption thresholds under stress
  • Manage ecosystem-wide dependencies and systemic risks
  • Demonstrate measurable resilience capability through testing and metrics

 

 

More Information About Blended Learning OR-5000 [BL-OR-5] or OR-300 [BL-OR-3]

To learn more about the course and schedule, click the buttons below for the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.
