Chapter 2
OCBC Bank
In the context of implementing a crisis management system aligned with ISO 22361:2022 (Crisis Management – Guidance) and the regulatory requirements applicable to banks in Singapore under the Monetary Authority of Singapore (MAS), this chapter provides a detailed organisational profile of OCBC, its operating environment, key activities, stakeholders, and risk landscape.
This foundational understanding is essential for tailoring the Crisis Management System (CMS) to the institution’s specific context.
Organisational Profile
Background and Purpose
OCBC is one of Singapore’s major banking groups, operating across Southeast Asia and Greater China. On its website, OCBC articulates a purpose: “As One Group, OCBC enables aspirations all across ASEAN and Greater China.”
The institution is incorporated in Singapore (Co. Reg. No. 193200032W), and is classified by MAS as a “Local Bank”.
From a crisis-management standpoint, clarity of purpose is a key component of the organisation’s context (see ISO 22361 element 4.2). OCBC’s purpose of “enabling aspirations” signals a focus not only on financial performance but on supporting customers, business growth, and regional presence—each of which can influence how a crisis may emerge or unfold.
Business Activities, Size, and Geographical Spread
OCBC’s activities include personal banking, business banking, wealth management, investment banking, insurance, and asset management across Singapore, Malaysia, Indonesia, Hong Kong, China, and other jurisdictions.
Given its breadth of operations and multi-geography presence, the bank must manage a diverse set of risks—global, regional, and local. These include regulatory differences, cross-border legal exposures, currency/FX risks, cyber-risks, operational dependencies, and third-party/vendor risks.
Regulatory and Legal Context
OCBC operates under the regulatory oversight of MAS in Singapore. As a licensed local bank, it is subject to the Banking Act 1970, MAS Notices such as Notice 637 (Risk-Based Capital Adequacy Requirements), and other supervisory requirements.
For example, in June 2025, OCBC published Pillar 3 Disclosures as required by MAS Notice 637, which reflect its regulatory capital levels, risk-weighted assets, and leverage ratio.
In May 2022, MAS imposed an additional capital requirement on OCBC due to deficiencies in its response to a large-scale SMS phishing scam, highlighting a regulatory risk in terms of operational resilience and incident response.
From a CMS perspective, these regulatory constraints and external expectations form a significant part of the external context (as per ISO 22361, clause 4.2) and help identify legal, regulatory, and market requirements that must be integrated into the crisis management arrangements.
Governance, Compliance, and Risk Management Profile
OCBC has a dedicated Group Legal and Compliance (“GLC”) business division whose role is to ensure the Bank’s operations comply with policies, procedures, and relevant laws, rules, and regulations issued by MAS and other local regulators.
The Bank also has policies addressing anti-money laundering (AML), countering the financing of terrorism (CFT), and sanctions compliance.
For example, a notice to corporate customers of OCBC emphasised the bank’s commitment to complying with Singapore government sanctions laws, MAS regulations, United Nations sanctions, and the sanctions requirements of other jurisdictions.
For crisis management, this indicates that OCBC already has risk governance, controls, and compliance frameworks in place — an advantageous foundation for building an integrated CMS. However, it also suggests that the CMS must align with and overlay these existing mechanisms.
Internal & External Stakeholders
Understanding stakeholders is crucial to designing a crisis-management system that meets expectations and ensures a timely and effective response.
Internal Stakeholders
- Board of Directors and senior management (strategy-setting, oversight)
- Executive management of business banking, consumer banking, wealth, markets, insurance, and regional operations
- Group Risk, Group Audit, Legal & Compliance (governance, controls, compliance)
- IT & Cybersecurity, Operations, Business Continuity Management, Vendor Management teams
- Employees across functions and geographies (front-line, support services, branches)
An effective CMS must incorporate clear escalation lines, roles, and responsibilities, and ensure that these internal stakeholders understand their crisis management roles (as required under ISO 22301, clause 5.2).
External Stakeholders
- MAS (regulator) expects banks to have effective risk management, incident handling, recovery, and resolution capabilities.
- Customers (retail, SME, corporate) whose trust must be maintained during a crisis
- Shareholders and investors: given disclosure obligations (e.g., Pillar 3 disclosures) and reputational risk
- Business partners, vendors, and third-party service providers (outsourcing is common, e.g., cloud, fintech partners)
- Government agencies and law enforcement (for fraud, cyber incidents, and sanctions)
- Media and broader public (reputation risk, public trust)
- Regional and global financial institutions (given cross-border operations)
In the CMS, mapping these stakeholders, their needs, and expectations (clause 4.3 of ISO 22361) is crucial, particularly for effective communication and escalation during a crisis.
Context of OCBC from a Crisis-Management Perspective
Key Products, Services, and Critical Activities
OCBC’s broad portfolio—encompassing consumer banking (deposits, loans, cards), business banking (corporate lending, trade finance), wealth management, insurance, and markets—highlights many critical activities that must continue or recover rapidly in a crisis. For instance:
- Payment and settlement systems: Any disruption could impact a large number of customers and trigger regulatory scrutiny.
- Digital banking channels: Online/mobile banking downtime or cyber-attack would affect customer access and trust.
- Trade-finance and cross-border services: Given the ASEAN/Greater China footprint, disruptions in foreign operations can have regional ripple effects.
- Insurance and wealth services: While perhaps lower in volume, they contribute to the group’s business continuity and customer interface.
- Third-party dependencies: Cloud platforms, data centres, fintech partners, service vendors—any failure or incident could cascade into banking operations.
A CMS aligned to ISO 22361 must identify such critical activities (clause 4.4) and ensure the business continuity strategy and crisis response plan recognise and prioritise them.
Risk Landscape (Threats, Hazards, Vulnerabilities)
OCBC’s context reveals several risk drivers relevant to crisis management:
- Operational risk and fraud/scams: The May 2022 MAS sanction highlights that OCBC’s response to a significant phishing fraud event was deemed deficient by the regulator.
- Cybersecurity/IT disruptions: Banking operations increasingly rely on digital platforms; any significant outage or cyber breach can become a crisis.
- Regulatory and compliance risk: Non-compliance can trigger regulatory action, reputational damage, or business interruption. OCBC emphasises its compliance capabilities.
- Third-party/vendor risk & supply-chain disruption: Outsourcing of services (e.g., cloud, fintech) introduces dependencies that might fail under stress.
- Geopolitical/regional risk: Operating across multiple countries (ASEAN & Greater China) exposes the company to regional economic shocks, regulatory changes, and cross-border legal issues.
- Liquidity/funding risk: Although OCBC is sound, banks must constantly manage liquidity, especially in stress scenarios. Historically, OCBC has maintained minimum liquid assets in accordance with MAS requirements.
- Reputation risk: As a major bank in Singapore, any crisis (fraud, outage, scandal) affects public trust, share price, and regulatory confidence.
- Major external events, such as pandemics, natural disasters, systemic financial crises, cyber warfare, or large-scale fraud schemes, present high-impact, low-probability scenarios.
These risk categories must feed into the threat-hazard inventory, scenario-planning, and business impact analysis (BIA) phases of the CMS (ISO 22361 clause 4.4 & clause 6).
Organisational Culture and Resilience Mindset
OCBC’s investment in compliance, legal, and risk governance suggests the bank is mature in its governance, controls, and risk-management frameworks. For example, the GLC division emphasises its role in ethics and compliance.
However, the fact that MAS found deficiencies in OCBC’s incident response suggests that further strengthening of crisis preparedness and organisational resilience is required.
From a CMS design view, this means embedding a “crisis-aware” culture, regular exercising, and continuous improvement are key.
External Dependencies and Interconnections
Given OCBC’s role in the Singapore banking system, its dependencies include:
- Payment infrastructure (links with national payment rails, e.g., GIRO, FAST, PayNow)
- Inter-bank and global money markets
- Critical third-party service providers (IT, cloud, data centres)
- Suppliers and vendors for branch operations, cash logistics, and physical security
- Regional offices and branches (which themselves are exposed to local hazards)
- Regulatory/infrastructure resilience (MAS oversight, crisis/incident management across the banking sector)
Within CMS design, recognising these dependencies is key to mapping cascading effects, interdependencies, and escalation triggers (ISO 22361 clause 5.3).
Implications for Crisis-Management System Design
From the organisational understanding above, several implications for the CMS are clear:
- Alignment with regulatory expectations: Since MAS oversight is significant, the CMS must integrate regulatory reporting, incident notification, recovery, and resolution planning (RRP) expectations. The fact that MAS imposed additional capital means that operational risk events can quickly translate into regulatory capital and reputation consequences.
- Criticality of digital channels and cyber resilience: With a strong digital banking presence, the CMS must emphasise cyber-incident response, system outage recovery, third-party vendor disruptions, and communication to customers.
- Cross-border and multi-line complexity: OCBC’s business spans multiple geographies and business lines; therefore, the CMS must cater to multi-jurisdictional incidents, coordinate responses across divisions, and ensure local/regional incident escalation.
- Stakeholder communication and trust: In banking, customer trust is paramount. The CMS must incorporate clear customer-communications plans, regulatory disclosures, media handling, and investor relations in crisis scenarios.
- Business continuity and recovery inter-linkage: Given the Bank’s need to meet obligations even in crisis (e.g., payments, depositor access), the CMS must tightly integrate with the BCM programmes (business continuity, DR, IT resilience). This is a key integration point.
- Scenario planning and exercising: Given past regulatory commentary about slower incident response, OCBC should emphasise robust scenario planning (fraud/scam, cyber-attack, system outage, major vendor failure, regional disruption) and regular exercising of the CMS.
- Governance, roles, and escalation: A straightforward assignment of roles, accountabilities, and escalation paths within the bank is necessary — tied to established governance frameworks (Risk, Audit, Compliance) — but with crisis-specific clarity (command centre, crisis team, communications lead, incident manager).
- Continuous improvement and learning: According to ISO 22361, the CMS should incorporate feedback loops from incidents, exercises, near misses, and external lessons learnt (e.g., a phishing scam event) to ensure the system evolves and remains aligned with the organisation’s changing risk profile.
Understanding OCBC’s organisational profile — its purpose, structure, business activities, regulatory and risk context — provides the necessary foundation for designing a tailored Crisis Management System.
The bank’s multi-line, multi-jurisdiction operations, combined with significant regulatory oversight and digital-channel dependencies, shape the CMS design imperatives.
Embedding a robust crisis-preparedness culture, integrating with business continuity and incident-response capabilities, and maintaining regulatory alignment are essential strategic elements.
Key Takeaways for Practitioners
- Map OCBC’s critical business functions and dependencies; prioritise them in the CMS.
- Incorporate the MAS regulatory context and reporting/notification obligations explicitly into crisis planning.
- Develop scenario-based plans for the most relevant hazards (cyber, fraud, system outage, vendor failure, regional disruption).
- Define roles, accountabilities, and escalation paths clearly, including liaison with regulatory, communication, and IT teams.
- Link CMS to BCM and DR programmes to ensure continuity of vital services in crisis.
- Incorporate exercises, table-tops, and post-incident reviews to build organisational resilience and refine the CMS.
Leading Through Crisis: Implementing Crisis Management at OCBC Bank
eBook 1: Understanding Your Organisation