Operational Resilience Series
OR KWAP BB-2

[OR] [MM] Implementing a 7-Level Operational Resilience Maturity Model for Malaysian Banks

Moh Heng Goh
Operational Resilience Certified Planner-Specialist-Expert

Determining and Building the 7-Level Operational Resilience Maturity Model for Malaysian Financial Institutions

As the global financial landscape becomes increasingly interconnected and digitized, the threat of disruptions—from cyberattacks to third-party failures and systemic shocks—has never been more prominent.

For large banks in Malaysia, operational resilience is no longer just a component of enterprise risk management; it is a fundamental pillar of sustainable financial operations, customer trust, and regulatory compliance.

In Malaysia, Bank Negara Malaysia (BNM) has underscored the importance of operational resilience through guidelines such as the Risk Management in Technology (RMiT) and Operational Risk Integrated Framework (ORIF).

These guidelines call for financial institutions to enhance their ability to deliver critical business services, even during severe operational stress. However, the challenge lies in translating high-level regulatory expectations into practical implementation steps across diverse departments, systems, and partners.

Banks require a structured, measurable framework to assess their resilience capabilities, identify gaps, and prioritise actions to meet this challenge.

The 7-Level Operational Resilience Maturity Model, developed by BCM Institute, provides precisely this: a staged progression model that organizations can use to benchmark their resilience efforts, align internal capabilities with regulatory expectations, and build a forward-looking roadmap.

This chapter is designed to guide large Malaysian banks through customising, adopting, and implementing the 7-level maturity model. It will help banks assess their current state, define future targets, and systematically build a robust and defensible operational resilience program aligned with business strategy and regulatory mandates.

Whether your institution is at the early stages of awareness or already implementing scenario testing and third-party resilience measures, this chapter offers actionable guidance to advance maturity in a controlled and strategic manner.

Understanding the 7-Level Maturity Model

The 7-level maturity model provides a structured path to operational resilience, allowing organizations to assess current capabilities and define a roadmap for advancement.

The model evaluates resilience across focus areas such as risk management, business continuity, IT resilience, and third-party risk. Each level represents progressive sophistication:

  • Level 0: Ad-hoc: Reactive, unstructured processes.
  • Level 1: Reactive: Basic frameworks with sporadic execution.
  • Level 2: Proactive: Formal policies and dedicated teams.
  • Level 3: Mature: Anticipatory risk management.
  • Level 4: Advanced: Integrated, data-driven strategies.
  • Level 5: Leading: Predictive analytics and automation.
  • Level 6: Excellence: Industry leadership through innovation.

Each level defines a degree of maturity across the operational resilience lifecycle: governance, impact tolerance, critical operations, scenario testing, communication, third-party dependencies, and continuous improvement.

Step-by-Step Approach to Determine and Build Maturity Content

Step 1: Define the Focus Areas

Begin by customising the BCM Institute’s focus areas to your institution. The recommended core areas for a Malaysian bank are listed below, grouped by phase (Plan, Implement and Sustain); the maturity levels are assessed across these key focus areas:

| Component (Plan Phase) | Description |
| --- | --- |
| Assess Capability and Maturity | Evaluate the bank’s existing resilience measures and identify areas for improvement. |
| Analyse Gap | Conduct a thorough assessment to determine vulnerabilities and gaps in the resilience framework. |
| Develop Strategy and Roadmap | Create a structured plan outlining steps to enhance resilience capabilities. |
| Confirm Risk Appetite | Define the organisation’s risk tolerance and establish parameters for operational resilience. |
| Develop and Embed Governance | Implement governance structures to oversee and enforce resilience strategies. |

| Component (Implement Phase) | Description |
| --- | --- |
| Identify Critical Business Services | Determine essential operations that must be prioritised in resilience planning. |
| Map Processes and Resources | Outline the dependencies and resources required to maintain critical business services. |
| Set Impact Tolerance | Establish thresholds for acceptable levels of disruption to business operations. |
| Conduct Scenario Testing | Simulate potential disruptions to assess response effectiveness and identify areas for improvement. |
| Improve from Lessons Learnt | Analyse past incidents and refine resilience strategies based on insights gained. |

| Component (Sustain Phase) | Description |
| --- | --- |
| Introduce Cultural Change | Promote a resilience-driven mindset across the organisation. |
| Develop Communication Strategy | Establish clear communication channels for crisis response and stakeholder engagement. |
| Implement Training and Awareness | Conduct regular training sessions to enhance employees’ understanding of resilience strategies. |
| Provide Self-assessment | Enable teams to evaluate their preparedness periodically and identify areas for growth. |
| Conduct Independent Quality Review | Perform external reviews to ensure compliance with resilience best practices and regulatory requirements. |

Step 2: Establish Maturity Criteria for Each Level

Use the table below (a sample drawn from the focus areas shown above) as a starting point to determine what each maturity level looks like across each focus area.

Customise this to reflect internal policies, regulatory requirements (BNM, Basel, etc.), and business operations.

| Level | Governance | Critical Business Services | Impact Tolerance | Scenario Testing | Third Parties | Crisis Comms | Continuous Learning |
| --- | --- | --- | --- | --- | --- | --- | --- |
| 1. Ad-hoc | No formal structure; reactive | No defined critical operations | No tolerances defined | Not conducted | Untracked; unmanaged | Informal, inconsistent | Lessons not documented |
| 2. Initial | Awareness exists; no formal assignment | Some ops loosely identified | Tolerances considered informally | Ad-hoc testing | Basic third-party list | Crisis team identified | Issues tracked manually |
| 3. Repeatable | Roles assigned; some controls | Ops prioritised by volume/importance | Draft tolerances for key ops | Simple internal disruptions tested | Key vendors monitored | Draft comms plan | Debriefs after incidents |
| 4. Defined | Policy, charter in place | Ops linked to business impact | Formal tolerances for critical ops | Simulations and tabletops | Risk-rated vendors | Roles and escalation set | Trends and metrics tracked |
| 5. Managed | Performance monitored | Ops mapped to dependencies | Tolerances integrated in ops | Testing includes internal + external events | Integrated SLA/OLA monitoring | Multi-channel validated | Improvement plans implemented |
| 6. Optimised | Resilience embedded into governance | Ops dynamically updated | Tolerances drive strategic decisions | Complex, cross-border scenarios | Resilience KPIs for vendors | Stakeholder-tested messaging | Predictive learning mechanisms |
| 7. Excellence | Culture of resilience | Fully integrated, real-time mapping | Tolerance levels proactively managed | Industry-leading simulation | Third-party continuity ensured | Proactive crisis readiness | Continuous, automated learning cycle |

Step 3: Conduct a Maturity Assessment

Use the defined criteria to conduct a self-assessment or external review of your current maturity level in each focus area.

  • Use surveys, interviews, and workshops with process owners and risk leaders.
  • Assign a score from 1 to 7 for each focus area.
  • Highlight areas of weakness, compliance gaps (e.g., BNM RMiT), and business risk.

Output: A Maturity Heatmap or Radar Chart showing current levels across focus areas.

Step 4: Define Target Maturity Levels

Based on your business strategy, regulatory obligations, and operational complexity, define realistic target levels for each focus area within a 2-3 year timeframe.

  • Example: Governance at Level 6, Scenario Testing at Level 5, Continuous Learning at Level 4.
  • Target levels should be risk-based and proportional to business criticality.

Step 5: Build a Roadmap

Develop a phased implementation roadmap aligned with your strategic goals.

  • Phase 1: Foundations – Move from Level 1 to Level 3 by setting up frameworks, policies, and baseline testing.
  • Phase 2: Institutionalise – Strengthen governance, perform impact assessments, and conduct structured training.
  • Phase 3: Integration – Integrate resilience into change management, digital transformation, and third-party frameworks.
  • Phase 4: Continuous Improvement – Automate learning, optimise decision-making, and benchmark against peers.

Step 6: Monitor and Report Progress

Implement a performance dashboard to track maturity progress:

  • Include KPIs (e.g., % of critical ops tested, % vendors assessed for resilience).
  • Report quarterly to the Board Risk Committee and relevant stakeholders.
  • Adjust the model based on lessons learned and regulatory changes (e.g., BNM updates).

Use Case Example: Large Malaysian Bank

Current State: Governance at Level 2 (Initial), Scenario Testing at Level 3 (Repeatable), Vendor Management at Level 2.

Target State (2 Years): Governance at Level 5, Scenario Testing at Level 5, Vendor Management at Level 4.

Actions:

  • Implement Board-approved OR framework (Governance → Level 4)
  • Map and categorize critical operations (Critical Ops → Level 4)
  • Run annual simulation with cross-functional teams (Scenario Testing → Level 5)
  • Introduce third-party resilience metrics in procurement contracts (Third Parties → Level 4)

Summing Up …

Operational resilience is no longer optional; it is a strategic and regulatory necessity for financial institutions in Malaysia.

The increasing complexity of banking ecosystems—driven by digital transformation, cross-border dependencies, and evolving threat landscapes—demands a structured, measurable, and forward-looking approach to resilience.

The 7-Level Operational Resilience Maturity Model provides a comprehensive framework for large banks to evaluate where they stand today and where they need to be.

By defining specific maturity criteria across key focus areas such as governance, scenario testing, third-party management, and continuous improvement, banks can ensure alignment with both BNM’s expectations and global best practices.

This chapter has outlined a step-by-step methodology for Malaysian banks to:

  • Identify relevant focus areas,
  • Define maturity criteria,
  • Conduct an honest assessment,
  • Set target maturity levels,
  • Develop a practical implementation roadmap, and
  • Monitor and report progress consistently.

By following this maturity-driven approach, banks can institutionalize resilience as a core business capability to withstand disruptions and emerge stronger. In doing so, they build trust with regulators, customers, shareholders, and employees.

Operational resilience is a journey, not a destination. The maturity model serves as both a compass and a map, enabling your institution to navigate this journey with confidence, clarity, and purpose.

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.
