Operational Resilience Management Report
"Implement" Phase -
Stage 3: Establishing Impact Tolerance
Completion Report
Chapter 11
Executive Summary
This report outlines the progress and approach adopted for establishing impact tolerance for OCBC Bank’s critical business services, a key step within the “Implement” phase of our Operational Resilience Planning Methodology.
Establishing clear and measurable impact tolerance thresholds enables us to understand and manage our risk exposure during severe disruptions. It reinforces our commitment to regulatory expectations under the MAS Guidelines on Operational Resilience and global best practices such as those by the Basel Committee and the UK’s PRA.
Purpose of Impact Tolerance
Impact tolerance refers to the maximum acceptable level of disruption to a critical business service before intolerable harm occurs to:
- Customers
- Market integrity
- The financial system
- The Bank’s safety and soundness
It forms the foundation for designing effective resilience strategies and ensures alignment with OCBC Bank's risk appetite and strategic priorities.
Implementation Steps and Examples
Step 1: Identify Critical Business Services
OCBC has already completed the identification of its critical business services (CBS), including but not limited to:
- Real-Time Payment Services (FAST, PayNow)
- Digital and Mobile Banking Platforms
- Corporate Cash Management Services
- ATM and Branch Cash Services
- Credit Card and Merchant Acquiring Services
- Treasury and Capital Markets Operations
Step 2: Determine Dimensions of Harm
For each CBS, we evaluated potential harms along multiple dimensions:
- Customer Harm (e.g., inability to access funds)
- Market Harm (e.g., delayed market settlements)
- Financial Harm (e.g., revenue or capital impact)
- Regulatory and Reputational Harm (e.g., breaches of regulatory obligations)
Example:
For Real-Time Payment Services (PayNow/FAST), a disruption beyond 2 hours could prevent SMEs from making critical supplier payments, leading to customer attrition and potential regulatory intervention.
Step 3: Define Metrics for Impact Tolerance
We defined clear metrics to quantify tolerances, such as:
- Maximum Acceptable Downtime (MAD)
- Transaction Volume Thresholds
- Monetary Exposure Limits
- Customer Impact Thresholds
Example:
Digital Banking Platform
- MAD: 3 hours
- Max Unsuccessful Transactions: 50,000
- Max Customer Calls to Contact Centre: 20,000
These thresholds were developed with business unit heads, technology risk managers, compliance, and customer experience teams.
Step 4: Scenario Testing and Justification
We conducted desktop scenario analysis and workshops to simulate disruptions (e.g., cyberattack on core banking systems, telco outage). These exercises validated the proposed thresholds and helped us understand severe but plausible scenarios.
Example:
Scenario: DDoS attack on Internet Banking during the salary disbursement week.
Impact: Estimated 80,000 customers affected if the disruption exceeds 2 hours.
Result: Justified the setting of a 2-hour impact tolerance for Digital Banking.
Step 5: Documentation and Governance Approval
Each impact tolerance was documented with:
- The rationale behind the threshold
- Assumptions made
- Data sources used
- Responsible stakeholders
These documents were submitted to the Operational Resilience Steering Committee for review and subsequently approved by the Board's Risk Management Committee.
Key Deliverables
Critical Business Service | Maximum Downtime | Impact Tolerance Metrics |
---|---|---|
Real-Time Payment Services | 2 hours | 100,000 delayed payments; $500M transaction queue limit |
Digital and Mobile Banking Platforms | 3 hours | 50,000 failed logins; 20,000 customer complaints |
Corporate Cash Management Services | 4 hours | $2B unprocessed payments; 50 corporate clients impacted |
ATM and Branch Cash Services | 6 hours | 25% ATMs offline; 100 branches concurrently affected |
Credit Card & Merchant Acquiring | 3 hours | 15,000 failed transactions; $30M in delayed settlement |
Treasury and Capital Markets Operations | 1 hour | Missed trade settlement > $100M; Loss of intraday liquidity access |
Next Steps
- Integrate impact tolerances into resilience testing scenarios
- Design response and recovery strategies based on these thresholds
- Embed thresholds into monitoring tools and dashboards
- Conduct Board-level scenario testing and review annually
Summing Up ...
By establishing and formalising impact tolerances, OCBC Bank is taking a proactive and structured approach toward enhancing its operational resilience. This enables better prioritisation of resilience investments, supports regulatory compliance, and ultimately protects our customers and the wider financial ecosystem.
Table: Summary of Impact Tolerance Establishment – Implement Phase (Operational Resilience)
Step | Implementation Activity | Description | OCBC Bank Example |
---|---|---|---|
1 | Identify Critical Business Services (CBS) | Determine essential services for continued operations | Real-Time Payments, Digital Banking, ATM Services, Treasury Operations |
2 | Determine Dimensions of Harm | Assess potential harm to customers, financial system, market integrity, and reputation | PayNow outage >2 hrs leads to SME transaction failures, reputational risk |
3 | Define Impact Tolerance Metrics | Set measurable thresholds for acceptable disruption | Max downtime, customer impact, transaction volumes, monetary loss |
4 | Scenario Testing and Validation | Use stress scenarios to test and refine thresholds | DDoS on internet banking; 80,000 customers affected in >2 hrs |
5 | Documentation and Governance | Record rationale, obtain approvals from governance bodies | Reviewed by OR Steering Committee; approved by Risk Management Committee |
6 | Integration with OR Strategy | Align impact tolerances with response, recovery, and monitoring | Used to guide resilience testing, dashboard KPIs, and investment priorities |
Table: Example of Impact Tolerance Thresholds for OCBC Critical Business Services
Critical Business Service | Maximum Downtime | Impact Tolerance Metrics |
---|---|---|
Real-Time Payment Services | 2 hours | 100,000 delayed payments; $500M in queue |
Digital Banking Platforms | 3 hours | 50,000 failed logins; 20,000 calls to Contact Centre |
Corporate Cash Management | 4 hours | $2B unprocessed payments; 50 key clients affected |
ATM and Branch Services | 6 hours | 25% ATMs offline; 100 branches affected |
Credit Card & Merchant Acquiring | 3 hours | 15,000 failed transactions; $30M delayed settlement |
Treasury and Capital Markets | 1 hour | $100M missed trade settlement; liquidity loss |
Operational Resilience in Action: A Practical Guide for OCBC Bank
"Implement" Phase of its Operational Resilience Planning Methodology