The Treatment and Control phase of the Risk Assessment and Response (RAR) methodology is a critical component of OCBC Bank’s operational resilience framework.
Following the identification and assessment of potential crises and threats in Part 1, this phase focuses on translating risk insights into actionable strategies that safeguard the bank’s financial stability, operational continuity, legal compliance, and reputation.
This chapter outlines the structured approach adopted by OCBC Bank to manage and mitigate risks across five key threat categories: Denial of Access – Natural Disaster, Denial of Access – Man-made Disaster, Unavailability of People, Disruption to the Supply Chain, and Equipment & IT-Related Disruption.
For each threat, the bank evaluates existing risk treatments—including risk avoidance, risk reduction, risk transference, and risk acceptance—and documents the effectiveness of current controls. In addition, the chapter identifies planned or additional controls that strengthen the bank’s resilience and ensure preparedness against evolving threats.
By systematically addressing these threats, OCBC Bank not only protects its critical operations but also demonstrates its commitment to proactive risk management, regulatory compliance, and the continuous delivery of services to customers and stakeholders.
| Threat (category) | Existing Risk Treatment – Risk Avoidance | Existing Risk Treatment – Risk Reduction | Existing Risk Treatment – Risk Transference | Existing Risk Treatment – Risk Acceptance | Existing Controls | Additional (Planned) Controls |
|---|---|---|---|---|---|---|
| Denial of Access – Natural Disaster (e.g., flood, storm) | - Avoid locating critical operations in highly flood-prone areas (site selection) | - Hardened data centres/buildings (raised flooring, storm-resistant design)<br>- Redundant power and utility systems<br>- Business continuity plans for premises evacuation | - Insurance for property damage from natural disasters | - Accept limited downtime for non-critical facilities | - Disaster recovery (DR) sites and backup data centres<br>- Business continuity plan (BCP) with recovery procedures<br>- Emergency evacuation plans | - Implement early-warning systems (e.g., flood sensors)<br>- Conduct regular flood/disaster drills<br>- Periodic risk mapping of climate-related risks (e.g., via climate-scenario analysis)<br>- Remote-work readiness for affected regions |
| Denial of Access – Man-made Disaster (e.g., fire, terrorism, power outage) | - Avoid high-risk tenants/partners in sensitive locations | - Fire protection systems (sprinklers, alarms), physical security, access control<br>- Redundant generators, UPS, and physical security around premises | - Property & liability insurance<br>- Contractual security services / risk-sharing with third parties | - Accept short-term disruptions in some branches or less critical business units | - Security infrastructure (CCTV, guards)<br>- Fire suppression/detection<br>- Access control policies<br>- Emergency response team | - Upgrade to biometric / more advanced access control<br>- Enhance threat-intelligence monitoring for security risks<br>- Strengthen collaboration with local authorities and first responders<br>- Implement more frequent security drills, including “active shooter” or bomb threat simulations |
| Unavailability of People (e.g., pandemic, labour strike, loss of key staff) | - Avoid overdependence on single individuals by cross-training / succession planning | - Remote working infrastructure (VPN, collaboration tools), flexible work policies, health protocols | - Outsource non-core functions / use temporary staffing firms<br>- Purchase business interruption insurance (if applicable) | - Accept short-term drop in productivity in exceptional cases | - HR contingency and succession plans<br>- Key-person insurance<br>- Workforce wellness programs, vaccination/health monitoring | - Develop a standby pool of trained reserve staff<br>- Enhance teleworking policies and infrastructure (e.g., always-on secure remote access)<br>- Strengthen succession planning for leadership and critical roles<br>- Run regular “pandemic-style” continuity exercises |
| Disruption to the Supply Chain (e.g., vendor failure, regulatory violation, supplier accident) | - Avoid single-supplier dependency; qualify multiple vendors | - Supplier risk assessments; maintain buffer stocks of critical supplies; diversify vendor base | - Use contracts with performance SLAs and penalty clauses<br>- Transfer certain risks via third-party insurance/vendors | - Accept delays in non-critical services | - Approved Vendor List (AVL), vendor management program<br>- Periodic vendor reviews/audits<br>- Contractual SLAs with key suppliers | - Develop alternate suppliers (Tier-2, local back-ups)<br>- Improve oversight of supplier risk (e.g., ESG, business continuity capability)<br>- Digitize inventory and supply chain visibility<br>- Conduct joint BCP testing with critical suppliers |
| Equipment & IT-Related Disruption (e.g., hardware failure, network outage, telecom failure) | - Avoid using outdated or unsupported legacy systems | - Regular maintenance, patch management, scheduled backups, and a disaster recovery plan<br>- Redundant hardware/network architecture; UPS, backup power | - Third-party service contracts (cloud providers, managed service providers)<br>- Cyber-insurance | - Accept limited downtime for non-critical systems | - Three-lines-of-defence risk governance structure (first-line ops, second-line risk control, internal audit)<br>- Data backup, replication, DR site<br>- Network monitoring, firewalls, security operations centre (SOC) | - Migrate more systems to resilient cloud / hybrid architecture<br>- Perform frequent DR testing (failover, restore)<br>- Implement software-defined networking (SDN) for routing resilience<br>- Strengthen endpoint security, zero-trust architecture, and telecommunication redundancy |

The Treatment and Control phase serves as a bridge between risk assessment and practical crisis management, enabling OCBC Bank to implement a comprehensive set of measures that mitigate potential disruptions.
Through a combination of preventive controls, risk reduction strategies, insurance mechanisms, and contingency planning, the bank ensures that its critical operations remain robust in the face of both natural and man-made threats.
By continuously monitoring, reviewing, and enhancing both existing and additional controls, OCBC Bank reinforces its operational resilience and readiness to respond effectively to crises.
The structured approach presented in this chapter underscores the bank’s commitment to safeguarding its people, assets, and stakeholders, while embedding a culture of preparedness that is central to sustaining long-term business continuity.

Leading Through Crisis: Implementing Crisis Management at OCBC Bank
eBook 3: Starting Your CM Implementation