[OR] [MM] [BNM] Regulatory Audit Checklist: BNM BCM, RMiT, ORM

Written by Moh Heng Goh | Apr 26, 2026 12:20:35 PM

Regulatory Audit Checklist

BNM BCM, RMiT, ORM (Operational Resilience)

This chapter contains a Regulatory Audit Checklist for Operational Resilience and BCM tailored for financial institutions regulated by Bank Negara Malaysia (BNM).

It is aligned primarily to:

BNM Policy Document on Business Continuity Management (PD-BCM, 19 Dec 2022)
BNM Risk Management in Technology (RMiT)
BNM Operational Risk expectations (including OR governance and internal controls)
BNM Discussion Paper on Operational Resilience (2025)

The checklist follows your preferred Plan → Implement → Test → Improve lifecycle and mirrors supervisory expectations for audit, compliance validation, and regulatory readiness.

Section 1. Governance, Oversight, and Accountability

Audit Area	Audit Checklist Questions	BNM OR Focus	Evidence Required	Rating
Board Accountability	Has the Board approved an Operational Resilience framework and clearly articulated resilience outcomes?	Board accountability for resilience outcomes	Board minutes, OR policy
Senior Management Ownership	Is senior management accountable for ensuring the continuity of critical business services?	Senior management responsibility	Governance documents
Resilience Strategy	Is there a documented operational resilience strategy aligned to business objectives?	Strategic alignment	Strategy papers
Risk Appetite	Has the institution defined risk appetite, including disruption tolerance thresholds?	Outcome-based tolerance	Risk appetite statement
Governance Structure	Are roles and responsibilities clearly defined across the organisation?	Clear accountability model	Org charts, RACI
Enterprise Integration	Is operational resilience integrated across risk, BCM, IT, and business functions?	Integrated resilience approach	Framework documents
Group & Cross-Border Governance	Is governance applied consistently across subsidiaries and cross-border operations?	Cross-border resilience	Group policies

Section 2. Identification of Critical Business Services

Audit Area	Audit Checklist Questions	BNM OR Focus	Evidence Required	Rating
CBS Identification	Has the institution identified its Critical Business Services (CBS)?	Service-centric resilience	CBS inventory
External Outcome Focus	Are CBS defined based on the delivery of outcomes to customers and stakeholders?	Outcome-based approach	CBS definitions
Systemic Importance	Are services assessed for systemic importance and their impact on financial stability?	Financial system stability	Service classification
Approval	Are CBS approved by senior management and the Board?	Governance oversight	Approval records
Periodic Review	Are CBS regularly reviewed to reflect changes in business and environment?	Dynamic resilience	Review logs

Section 3. Mapping of Interconnections and Dependencies

Audit Area	Audit Checklist Questions	BNM OR Focus	Evidence Required	Rating
End-to-End Mapping	Are CBS mapped end-to-end across processes, systems, people, and third parties?	End-to-end visibility	Process maps
Dependency Identification	Are all dependencies (internal and external) identified?	Dependency transparency	Dependency tables
Interconnectedness	Are interconnections across financial ecosystem participants identified?	Ecosystem resilience	Architecture diagrams
Third-Party Mapping	Are third parties linked to specific CBS and dependencies?	Third-party integration	Vendor mapping
Concentration Risk	Are concentration risks and single points of failure identified?	Concentration risk management	Risk assessments
Dynamic Updates	Are mappings updated following material changes?	Change responsiveness	Change logs

Section 4. Impact Tolerance and Disruption Thresholds

Audit Area	Audit Checklist Questions	BNM OR Focus	Evidence Required	Rating
Impact Tolerance Definition	Are impact tolerances defined for each CBS?	Outcome-based resilience thresholds	Impact tolerance statements
Measurable Metrics	Are tolerances expressed in measurable terms (e.g., time, service degradation)?	Quantifiable outcomes	BIA outputs
Severe Disruption Thresholds	Are thresholds defined for severe but plausible disruptions?	Stress threshold definition	Scenario definitions
Multi-Dimensional Impact	Are tolerances based on customer harm, financial loss, or regulatory impact?	Holistic impact view	Impact analysis
Approval	Are tolerances approved at appropriate governance levels?	Governance oversight	Approval records
Alignment with Risk Appetite	Are tolerances aligned with risk appetite and strategy?	Strategic alignment	Risk appetite documents

Section 5. Risk Identification, Assessment, and Control (ORM Integration)

Audit Area	Audit Checklist Questions	BNM OR Focus	Evidence Required	Rating
Risk Framework	Is there a comprehensive risk management framework supporting operational resilience?	Integrated risk management	ORM policy
Risk Identification	Are risks identified across CBS, dependencies, and the ecosystem?	End-to-end risk visibility	Risk registers
Emerging Risks	Are emerging risks (cyber, digitalisation, climate, geopolitical) assessed?	Forward-looking risk assessment	Risk reports
Risk Assessment	Are risks assessed based on likelihood and impact?	Risk quantification	Risk assessment reports
Control Effectiveness	Are controls implemented and regularly assessed?	Control assurance	Control testing reports
Residual Risk Monitoring	Are residual risks monitored against tolerance thresholds?	Risk monitoring	Risk dashboards

Section 6. Scenario Testing – Severe but Plausible Scenarios

Audit Area	Audit Checklist Questions	BNM OR Focus	Evidence Required	Rating
Testing Programme	Is there a structured scenario testing programme?	Testing discipline	Testing plan
Scenario Design	Are scenarios severe but plausible and aligned to the risk profile?	Realistic stress scenarios	Scenario library
End-to-End Testing	Are CBS tests end-to-end against disruption thresholds?	Outcome validation	Test reports
Impact Tolerance Validation	Do tests validate whether tolerances can be maintained?	Outcome measurement	Test evaluation
Cross-Entity Testing	Are scenarios tested across business units and jurisdictions?	Group resilience	Test documentation
Third-Party Inclusion	Are third parties included in testing?	Ecosystem resilience	Participation records
Remediation	Are gaps identified and tracked to closure?	Continuous improvement	Action logs

Section 7. Business Continuity and Recovery Capabilities

Audit Area	Audit Checklist Questions	BNM OR Focus	Evidence Required	Rating
BCM Alignment	Is BCM aligned with operational resilience outcomes?	Outcome-based BCM	BCM policy
Recovery Strategies	Are recovery strategies defined for CBS?	Service continuity	Strategy documents
Resource Readiness	Are resources available to support recovery?	Operational readiness	Resource inventories
Recovery Effectiveness	Can CBS be restored within defined tolerances?	Outcome validation	Test results

Section 8. Technology and Cyber Resilience

Audit Area	Audit Checklist Questions	BNM OR Focus	Evidence Required	Rating
System Resilience	Are systems designed with resilience (redundancy, failover)?	Technology resilience	Architecture diagrams
Cyber Integration	Is cyber resilience integrated into operational resilience?	Cyber resilience integration	Cyber frameworks
Monitoring	Are systems continuously monitored for disruptions?	Real-time monitoring	Monitoring dashboards
Cloud Dependencies	Are cloud and digital dependencies assessed for resilience risk?	Digital resilience	Cloud risk assessments
Data Recovery	Are data protection and recovery mechanisms effective?	Data resilience	Backup logs

Section 9. Third-Party and Ecosystem Risk Management

Audit Area	Audit Checklist Questions	BNM OR Focus	Evidence Required	Rating
Vendor Criticality	Are critical third parties identified?	Third-party criticality	Vendor inventory
Due Diligence	Are third parties assessed for resilience capability?	Pre-engagement assessment	Due diligence reports
Contractual Controls	Are resilience expectations embedded in contracts?	Contractual assurance	Contracts
Continuous Monitoring	Are third-party risks continuously monitored?	Ongoing oversight	Performance reports
Concentration Risk	Is the concentration risk across providers assessed?	Systemic risk	Risk analysis
Exit Strategy	Are contingency and exit plans defined?	Continuity planning	Exit plans

Section 10. Incident and Crisis Management

Audit Area	Audit Checklist Questions	BNM OR Focus	Evidence Required	Rating
Incident Framework	Is there a formal incident management framework?	Incident response capability	Incident procedures
Escalation Protocol	Are escalation thresholds defined?	Timely response	Escalation matrix
Crisis Governance	Is there a crisis management structure?	Leadership during crisis	Org charts
Communication	Are communication protocols defined for stakeholders?	Stakeholder management	Communication plans
Regulatory Engagement	Are procedures in place for regulatory communication?	Supervisory engagement	Reporting procedures
Post-Incident Review	Are lessons learned captured and applied?	Continuous improvement	Review reports

Section 11. Continuous Improvement, Metrics, and Assurance

Audit Area	Audit Checklist Questions	BNM OR Focus	Evidence Required	Rating
Improvement Framework	Is there a structured, continuous improvement process?	Ongoing resilience enhancement	Improvement logs
Metrics	Are resilience KPIs/KRIs defined and monitored?	Measurable resilience	Dashboards
Independent Assurance	Is operational resilience subject to independent review/audit?	Assurance function	Audit reports
Issue Tracking	Are issues tracked to closure?	Accountability	Issue logs
Regulatory Alignment	Are frameworks reviewed against evolving regulatory expectations?	Supervisory alignment	Gap analysis

Section 12. Change Management and Future Readiness

Audit Area	Audit Checklist Questions	BNM OR Focus	Evidence Required	Rating
Change Framework	Is there a formal change management process?	Governance	Change policies
Risk Assessment	Are changes assessed for resilience impact?	Risk-informed change	Change risk assessments
Innovation Risk	Are risks from digitalisation, AI, and innovation assessed?	Future risk readiness	Risk reports
Strategic Roadmap	Is there a forward-looking operational resilience roadmap?	Strategic resilience	Roadmap documents

Scoring and Audit Interpretation

Rating Scale

For each question, assign:

Level 0: Ad-hoc: Reactive, unstructured processes. Non-Compliant
Level 1: Reactive: Basic frameworks with sporadic execution. (Documented but inconsistent)
Level 2: Proactive: Formal policies and dedicated teams. (Documented)
Level 3: Mature: Anticipatory risk management. (Consistent execution)
Level 4: Advanced: Integrated, data-driven strategies. (Measured and monitored)
Level 5: Leading: Predictive analytics and automation. (Continuous improvement and leading practice)
Level 6: Excellence: Industry leadership through innovation.

Audit Outcome Categories
Regulatory Gap (L0–L2): Immediate remediation required
Compliant (L3-L4): Meets MAS minimum expectations
Mature (L5–L6): Demonstrates strong resilience capability

Key Takeaways (Aligned to MAS Direction)

This checklist reflects the BNM 2025 direction toward outcome-based operational resilience, where institutions are expected to:

Ensure continuous delivery of critical business services
Operate within defined disruption thresholds under stress
Manage ecosystem-wide dependencies and systemic risks
Demonstrate measurable resilience capability through testing and metrics

More Information About Blended Learning OR-5000 [BL-OR-5] or OR-300 [BL-OR-3]

To learn more about the course and schedule, click the buttons below for the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.



	If you have any questions, click to contact us.

View full post