[OR] [P2] [S4] [ST] Stakeholders in Operational Resilience Scenario Planning

Stakeholders in Operational Resilience Scenario Planning (Aligned to BNM)

Introduction

Operational resilience scenario planning is not a siloed technical exercise—it is a cross-functional, enterprise-wide capability that requires coordinated input from multiple stakeholders.

Each stakeholder contributes a distinct perspective, a set of data, and decision-making authority that collectively ensure scenario testing is realistic, severe yet plausible, and aligned with regulatory expectations.

Within the context of the Bank Negara Malaysia (BNM) Operational Resilience framework (2025 Discussion Paper), stakeholder involvement is not optional—it is a regulatory expectation.

BNM emphasises that financial institutions must demonstrate:

• Clear governance and accountability
• Cross-functional integration across risk, business, and technology
• Board and senior management oversight
• End-to-end understanding of Critical Business Services (CBS)

Purpose of the Chapter

 This chapter outlines the key stakeholders involved in scenario planning, what each brings to the table, and how their roles align with BNM’s expectations.

To:

• Identify key stakeholders in operational resilience scenario planning
• Define their roles and contributions
• Demonstrate how stakeholder collaboration supports effective scenario design and testing
• Align stakeholder responsibilities with BNM’s operational resilience expectations

Board of Directors and Board Risk Committee

What They Bring

• Strategic oversight and governance
• Approval of resilience strategy, risk appetite, and impact tolerances
• Accountability for ensuring resilience aligns with organisational objectives

Role in Scenario Planning

• Endorse severe but plausible scenarios
• Review outcomes of scenario testing
• Ensure remediation actions are prioritised

Alignment to BNM

BNM emphasises board accountability in operational resilience. The Board must:

• Understand the disruption impacts on CBS
• Oversee resilience strategy and tolerances
• Ensure adequate resources are allocated

👉 The Board ensures scenario planning is strategic, not operationally isolated.

Senior Management (Executive Committee)

What They Bring

• Enterprise-wide coordination and decision-making authority
• Ability to translate strategy into execution
• Ownership of resilience across business lines

Role in Scenario Planning

• Sponsor scenario planning initiatives
• Approve scenarios and testing scope
• Drive cross-functional participation
• Ensure corrective actions are implemented

Alignment to BNM

BNM requires active senior management involvement in:

• Identifying Critical Business Services
• Setting impact tolerances
• Overseeing scenario testing

👉 Senior management ensures scenario planning is actionable and embedded into operations.

Operational Resilience / Risk Management Function

What They Bring

• Methodology, frameworks, and governance
• Risk identification and scenario design expertise
• Alignment with ORM, BCM, and regulatory expectations

Role in Scenario Planning

• Lead the design of severe but plausible scenarios
• Facilitate workshops and coordination
• Ensure consistency with risk appetite and impact tolerances
• Integrate outputs into enterprise risk management

Alignment to BNM

BNM highlights the importance of integrating operational resilience with Operational Risk Management (ORM).

👉 This function ensures scenario planning is structured, consistent, and risk-driven.

Business Units / Service Owners (CBS Owners)

What They Bring

• Deep knowledge of Critical Business Services (CBS)
• Understanding of customer impact and service delivery
• Operational realities and constraints

Role in Scenario Planning

• Identify critical processes and dependencies
• Validate scenario realism
• Assess impact on customers, revenue, and operations
• Participate in scenario testing exercises

Alignment to BNM

BNM requires a service-centric approach, where institutions:

• Identify CBS
• Understand end-to-end service delivery
• Assess disruption impacts

👉 Business units ensure scenarios are realistic and customer-impact focused.

Technology and Cybersecurity Teams

What They Bring

• Knowledge of IT systems, infrastructure, and cyber threats
• Understanding of system interdependencies and vulnerabilities
• Expertise in cyber resilience and incident response

Role in Scenario Planning

• Design technology and cyber-related scenarios (e.g., ransomware, system outages)
• Identify system recovery capabilities (RTO, RPO)
• Validate the resilience of digital channels and infrastructure

Alignment to BNM

BNM’s framework integrates technology risk (RMiT) and cyber resilience into operational resilience.

👉 Technology teams ensure scenarios reflect modern digital and cyber risks.

Business Continuity Management (BCM) and Crisis Management (CM) Teams

What They Bring

• Established continuity and crisis response frameworks
• Experience in disruption response and recovery
• Testing and exercising expertise

Role in Scenario Planning

• Align scenario testing with BCM and crisis exercises
• Validate recovery strategies and plans
• Coordinate crisis response during simulations

Alignment to BNM

BNM expects integration of:

• BCM
• Crisis management
• Operational resilience

👉 BCM/CM ensures scenario planning is execution-ready and response-oriented.

Third-Party Risk Management (TPRM) Function

What They Bring

• Visibility over outsourced services and vendors
• Understanding of third-party dependencies and concentration risks

Role in Scenario Planning

• Identify third-party failure scenarios
• Assess the impact of vendor disruption on CBS
• Coordinate with critical vendors during testing

Alignment to BNM

BNM emphasises outsourcing and third-party risk as key resilience considerations.

👉 TPRM ensures scenarios include external dependency risks, not just internal failures.

Compliance and Legal Function

What They Bring

• Knowledge of regulatory obligations
• Understanding of legal implications during disruptions

Role in Scenario Planning

• Ensure scenarios consider regulatory breaches
• Assess compliance impact during disruptions
• Advise on legal risks and reporting obligations

Alignment to BNM

BNM requires institutions to assess:

• Regulatory impact
• Compliance breaches during disruptions

👉 Compliance ensures scenarios reflect regulatory consequences, not just operational impacts.

Internal Audit

What They Bring

• Independent assurance
• Objective evaluation of framework effectiveness

Role in Scenario Planning

• Review governance and controls
• Validate the adequacy of scenario design and testing
• Assess remediation effectiveness

Alignment to BNM

BNM expects an independent review and assurance of operational resilience frameworks.

👉 Internal Audit ensures scenario planning is credible and defensible.

External Stakeholders (Regulators, Critical Vendors, Industry Bodies)

What They Bring

• External perspective and systemic risk awareness

• Industry benchmarking and best practices

Role in Scenario Planning

• Participate in sector-wide or cross-industry scenarios
• Provide insights on systemic risks
• Support coordinated response testing

Alignment to BNM

BNM encourages sector-wide resilience and systemic risk awareness.

👉 External stakeholders ensure scenarios reflect systemic and industry-level risks.

Summary Table: Stakeholder Contributions

Operational resilience scenario planning is only as strong as the collective strength of its stakeholders. Each stakeholder contributes a critical piece of the resilience puzzle—strategy, risk insight, operational knowledge, technical expertise, and governance.

In alignment with Bank Negara Malaysia’s Operational Resilience framework, institutions must demonstrate that scenario planning is:

• Board-led and management-driven
• Service-centric and risk-informed
• Cross-functional and integrated
• Tested, validated, and continuously improved

Ultimately, effective stakeholder engagement transforms scenario planning from a compliance exercise into a powerful tool for building true operational resilience—ensuring that financial institutions can withstand, adapt, and recover from severe disruptions while continuing to deliver Critical Business Services.