This report outlines the progress and approach adopted for establishing impact tolerance for OCBC Bank’s critical business services, a key step within the “Implement” phase of our Operational Resilience Planning Methodology.
Establishing clear and measurable impact tolerance thresholds enables us to understand and manage our risk exposure during severe disruptions. It reinforces our commitment to regulatory expectations under the MAS Guidelines on Operational Resilience and global best practices such as those by the Basel Committee and the UK’s PRA.
Impact tolerance refers to the maximum acceptable level of disruption to a critical business service before intolerable harm occurs to:

- Customers
- Market integrity
- The financial system
- The Bank’s safety and soundness

It forms the foundation for designing effective resilience strategies and ensures alignment with OCBC Bank's risk appetite and strategic priorities.
OCBC has already completed the identification of its critical business services (CBS), including but not limited to:

- Real-Time Payment Services (FAST, PayNow)
- Digital and Mobile Banking Platforms
- Corporate Cash Management Services
- ATM and Branch Cash Services
- Credit Card and Merchant Acquiring Services
- Treasury and Capital Markets Operations

For each CBS, we evaluated potential harms along multiple dimensions:

- Customer Harm (e.g., inability to access funds)
- Market Harm (e.g., delayed market settlements)
- Financial Harm (e.g., revenue or capital impact)
- Regulatory and Reputational Harm (e.g., breaches of regulatory obligations)

Example:
For Real-Time Payment Services (PayNow/FAST), a disruption beyond 2 hours could prevent SMEs from making critical supplier payments, leading to customer attrition and potential regulatory intervention.
We defined clear metrics to quantify tolerances, such as:

- Maximum Acceptable Downtime (MAD)
- Transaction Volume Thresholds
- Monetary Exposure Limits
- Customer Impact Thresholds

Example:
Digital Banking Platform:

- MAD: 3 hours
- Max Unsuccessful Transactions: 50,000
- Max Customer Calls to Contact Centre: 20,000

These thresholds were developed with business unit heads, technology risk managers, compliance, and customer experience teams.
We conducted desktop scenario analysis and workshops to simulate disruptions (e.g., cyberattack on core banking systems, telco outage). These exercises validated the proposed thresholds and helped us understand severe but plausible scenarios.
Example:

- Scenario: DDoS attack on Internet Banking during the salary disbursement week.
- Impact: Estimated 80,000 customers affected if the disruption exceeds 2 hours.
- Result: Justified the setting of a 2-hour impact tolerance for Digital Banking.

Each impact tolerance was documented with:

- The rationale behind the threshold
- Assumptions made
- Data sources used
- Responsible stakeholders

These documents were submitted to the Operational Resilience Steering Committee for review and subsequently approved by the Board's Risk Management Committee.
| Critical Business Service | Maximum Downtime | Impact Tolerance Metrics |
|---|---|---|
| Real-Time Payment Services | 2 hours | 100,000 delayed payments; $500M transaction queue limit |
| Digital and Mobile Banking Platforms | 3 hours | 50,000 failed logins; 20,000 customer complaints |
| Corporate Cash Management Services | 4 hours | $2B unprocessed payments; 50 corporate clients impacted |
| ATM and Branch Cash Services | 6 hours | 25% ATMs offline; 100 branches concurrently affected |
| Credit Card & Merchant Acquiring | 3 hours | 15,000 failed transactions; $30M in delayed settlement |
| Treasury and Capital Markets Operations | 1 hour | Missed trade settlement > $100M; Loss of intraday liquidity access |

- Integrate impact tolerances into resilience testing scenarios
- Design response and recovery strategies based on these thresholds
- Embed thresholds into monitoring tools and dashboards
- Conduct Board-level scenario testing and review annually

By establishing and formalising impact tolerances, OCBC Bank is taking a proactive and structured approach toward enhancing its operational resilience. This enables better prioritisation of resilience investments, supports regulatory compliance, and ultimately protects our customers and the wider financial ecosystem.
| Step | Implementation Activity | Description | OCBC Bank Example |
|---|---|---|---|
| 1 | Identify Critical Business Services (CBS) | Determine essential services for continued operations | Real-Time Payments, Digital Banking, ATM Services, Treasury Operations |
| 2 | Determine Dimensions of Harm | Assess potential harm to customers, financial system, market integrity, and reputation | PayNow outage >2 hrs leads to SME transaction failures, reputational risk |
| 3 | Define Impact Tolerance Metrics | Set measurable thresholds for acceptable disruption | Max downtime, customer impact, transaction volumes, monetary loss |
| 4 | Scenario Testing and Validation | Use stress scenarios to test and refine thresholds | DDoS on internet banking; 80,000 customers affected in >2 hrs |
| 5 | Documentation and Governance | Record rationale, obtain approvals from governance bodies | Reviewed by OR Steering Committee; approved by Risk Management Committee |
| 6 | Integration with OR Strategy | Align impact tolerances with response, recovery, and monitoring | Used to guide resilience testing, dashboard KPIs, and investment priorities |
| Critical Business Service | Maximum Downtime | Impact Tolerance Metrics |
|---|---|---|
| Real-Time Payment Services | 2 hours | 100,000 delayed payments; $500M in queue |
| Digital Banking Platforms | 3 hours | 50,000 failed logins; 20,000 calls to Contact Centre |
| Corporate Cash Management | 4 hours | $2B unprocessed payments; 50 key clients affected |
| ATM and Branch Services | 6 hours | 25% ATMs offline; 100 branches affected |
| Credit Card & Merchant Acquiring | 3 hours | 15,000 failed transactions; $30M delayed settlement |
| Treasury and Capital Markets | 1 hour | $100M missed trade settlement; liquidity loss |

Operational Resilience in Action: A Practical Guide for OCBC Bank ("Implement" Phase of its Operational Resilience Planning Methodology)