[CM] [OCBC] [E1] [C9] Pre-Crisis - Risk Identification and Crisis Preparedness

Chapter 9

Introduction

The pre-crisis phase is the foundation of an effective crisis management framework for OCBC Bank. It focuses on anticipating, identifying, and preparing for potential crises that could threaten the Bank’s operations, reputation, and regulatory compliance.

Aligned with ISO 22361:2022, this phase emphasises proactive measures — such as risk identification, crisis assessment, scenario planning, and establishing early warning mechanisms — that enable OCBC Bank to respond effectively when a crisis unfolds.

Through structured risk management, OCBC ensures resilience by embedding crisis preparedness into its enterprise-wide governance and operational culture.

1. Identifying Potential Crises Affecting OCBC Bank

The first step in the pre-crisis phase is the systematic identification of potential crises that could disrupt OCBC Bank’s ability to operate or maintain stakeholder confidence.

Given OCBC’s size, regional presence, and diversified financial services, the Bank faces a wide range of potential crises spanning internal and external sources. These include operational disruptions, cyber incidents, reputational risks, regulatory breaches, and macroeconomic shocks.

1.1 Categories of Potential Crises

OCBC Bank classifies potential crises into major categories for effective monitoring and management:

1.2 Continuous Identification Mechanisms

• Enterprise Risk Management (ERM) integration – linking crisis identification to OCBC’s overall risk management processes.
• Regular horizon scanning – using intelligence from regulators, industry associations, and global partners to detect emerging risks.
• Stakeholder engagement – gathering input from business units, compliance, IT security, and corporate communications to identify weak points.

2. Crisis Risk Assessment and Categorisation

Once potential crises are identified, OCBC Bank performs a Crisis Risk Assessment (CRA) to determine which events could escalate into full-scale crises.

This assessment aligns with ISO 22361’s guidance on risk-based crisis management and involves evaluating both likelihood and impact severity.

2.1 Risk Assessment Criteria

2.2 Crisis Risk Categorisation

Following the assessment, potential crises are categorized into priority levels for preparedness planning:

This categorisation ensures that OCBC allocates resources proportionately, focusing on high-impact crises that could threaten its strategic objectives and regulatory obligations.

3. Scenario Planning and Contingency Planning

Scenario planning allows OCBC Bank to anticipate how various crises might unfold and evaluate its capacity to respond effectively. It goes beyond traditional risk analysis by exploring “what-if” situations that stress-test OCBC’s resilience.

3.1 Scenario Planning Objectives

• Understand potential chain reactions and interdependencies across business units.
• Test decision-making under uncertainty and stress.
• Identify critical thresholds where incidents escalate into crises.
• Strengthen preparedness across functional areas (e.g., technology, treasury, communications).

3.2 Developing Crisis Scenarios

OCBC Bank develops detailed crisis scenarios for simulation and readiness exercises. Examples include:

• Cybersecurity Breach Scenario: A major data exfiltration incident compromising customer data.
• Regulatory Non-Compliance Scenario: MAS-imposed sanctions due to reporting errors.
• Liquidity Shock Scenario: A sudden withdrawal surge triggered by market rumors.
• Reputational Crisis Scenario: Viral misinformation affecting customer trust.

3.3 Contingency Planning

For each crisis scenario, OCBC develops Crisis Contingency Plans (CCPs) that define:

• Activation criteria (when to escalate from incident to crisis).
• Roles and responsibilities of the Crisis Management Team (CMT).
• Alternative communication channels and decision-making protocols.
• Resource and vendor support plans for critical dependencies (e.g., IT vendors, telecommunications).

These plans are reviewed periodically and tested through crisis simulation exercises to ensure operational readiness.

4. Early Warning Systems and Crisis Indicators

Early warning systems form OCBC’s first line of defense in detecting anomalies before they evolve into crises. ISO 22361 emphasizes the need for early detection, monitoring, and escalation mechanisms within the organization’s crisis management system.

4.1 Establishing Early Warning Indicators (EWIs)

OCBC Bank identifies and monitors Crisis Indicators that signal the potential onset of a crisis. These include:

• Operational Indicators: Repeated system downtime, ATM outages, or failed transactions.
• Financial Indicators: Unusual liquidity fluctuations, significant credit defaults, or sudden market volatility.
• Reputational Indicators: Negative spikes in social media sentiment, customer complaints, or press coverage.
• Compliance Indicators: Regulatory inquiries, audit findings, or breach reports.
• Cybersecurity Indicators: Unauthorized network access attempts or alerts from threat intelligence systems.

4.2 Detection and Escalation Mechanisms

• Automated Monitoring Systems: Real-time dashboards in IT and risk departments track anomalies.
• Incident Escalation Protocols: Clear escalation paths from operational units to the Crisis Management Team.
• Crisis Communication Alerts: Internal and external communication protocols triggered when thresholds are breached.
• Cross-Functional Coordination: Integration of information from Risk, Compliance, IT, and Corporate Communications for faster situational awareness.

4.3 Review and Continuous Improvement

The effectiveness of early warning systems is reviewed through:

• Periodic audits and after-action reviews post-incident.
• Feedback loops between operational teams and crisis leaders.
• Benchmarking against MAS regulatory requirements and industry standards.

The Pre-Crisis Phase of OCBC Bank’s Crisis Management Framework lays the groundwork for organizational resilience by embedding foresight, structured planning, and proactive detection into daily operations.

By integrating risk identification, assessment, scenario planning, and early warning mechanisms, OCBC Bank ensures that it remains prepared to face crises swiftly, decisively, and in full alignment with ISO 22361 and Monetary Authority of Singapore (MAS) expectations.

In essence, crisis preparedness is not a one-time activity but a continuous discipline — one that strengthens OCBC Bank’s capacity to protect its stakeholders and sustain trust even in the face of uncertainty.