Determining and Building the 7-Level Operational Resilience Maturity Model for Malaysian Financial Institutions
As the global financial landscape becomes increasingly interconnected and digitized, the threat of disruptions—from cyberattacks to third-party failures and systemic shocks—has never been more prominent.
In Malaysia, Bank Negara Malaysia (BNM) has underscored the importance of operational resilience through guidelines such as the Risk Management in Technology (RMiT) and Operational Risk Integrated Framework (ORIF).
These guidelines call for financial institutions to enhance their ability to deliver critical business services, even during severe operational stress. However, the challenge lies in translating high-level regulatory expectations into practical implementation steps across diverse departments, systems, and partners.
The 7-Level Operational Resilience Maturity Model, developed by BCM Institute, provides precisely this: a staged progression model that organizations can use to benchmark their resilience efforts, align internal capabilities with regulatory expectations, and build a forward-looking roadmap.
This chapter is designed to guide large Malaysian banks through customising, adopting, and implementing the 7-level maturity model. It will help banks assess their current state, define future targets, and systematically build a robust and defensible operational resilience program aligned with business strategy and regulatory mandates.
Whether your institution is at the early stages of awareness or already implementing scenario testing and third-party resilience measures, this chapter offers actionable guidance to advance maturity in a controlled and strategic manner.
Understanding the 7-Level Maturity Model
The 7-level maturity model provides a structured path to operational resilience, allowing organizations to assess current capabilities and define a roadmap for advancement.
The model evaluates resilience across focus areas such as risk management, business continuity, IT resilience, and third-party risk. Each level represents progressive sophistication:
- Level 0: Ad-hoc: Reactive, unstructured processes.
- Level 1: Reactive: Basic frameworks with sporadic execution.
- Level 2: Proactive: Formal policies and dedicated teams.
- Level 3: Mature: Anticipatory risk management.
- Level 4: Advanced: Integrated, data-driven strategies.
- Level 5: Leading: Predictive analytics and automation.
- Level 6: Excellence: Industry leadership through innovation..
Each level defines a degree of maturity across the operational resilience lifecycle: governance, impact tolerance, critical operations, scenario testing, communication, third-party dependencies, and continuous improvement.
Step-by-Step Approach to Determine and Build Maturity Content
Step 1: Define the Focus Areas
Begin by customising the BCM Institute’s focus areas to your institution. Recommended core areas for a Malaysian bank
These levels are assessed across key focus areas such as:
| Component (Plan Phase) | Description |
| Assess Capability and Maturity | Evaluate the bank’s existing resilience measures and identify areas for improvement. |
| Analyse Gap | Conduct a thorough assessment to determine vulnerabilities and gaps in the resilience framework. |
| Develop Strategy and Roadmap | Create a structured plan outlining steps to enhance resilience capabilities. |
| Confirm Risk Appetite | Define the organisation’s risk tolerance and establish parameters for operational resilience. |
| Develop and Embed Governance | Implement governance structures to oversee and enforce resilience strategies. |
| Component (Implement Phase) | Description |
| Identify Critical Business Services | Determine essential operations that must be prioritised in resilience planning. |
| Map Processes and Resources | Outline the dependencies and resources required to maintain critical business services. |
| Set Impact Tolerance | Establish thresholds for acceptable levels of disruption to business operations. |
| Conduct Scenario Testing | Simulate potential disruptions to assess response effectiveness and identify areas for improvement. |
| Improve Lesson Learnt | Analyse past incidents and refine resilience strategies based on insights gained. |
| Component (Sustain Phase) | Description |
| Introduce Cultural Change | Promote a resilience-driven mindset across the organisation. |
| Develop Communication Strategy | Establish clear communication channels for crisis response and stakeholder engagement. |
| Implement Training and Awareness | Conduct regular training sessions to enhance employees' understanding of resilience strategies. |
| Provide Self-assessment | Enable teams to evaluate their preparedness periodically and identify areas for growth. |
| Conduct Independent Quality Review | Perform external reviews to ensure compliance with resilience best practices and regulatory requirements. |
Step 2: Establish Maturity Criteria for Each Level
Use the table below (sampling from the "Focus Areas shown above) as a starting point to determine what each maturity level looks like across each focus area.
Customise this to reflect internal policies, regulatory requirements (BNM, Basel, etc.), and business operations.
|
Level |
Governance |
Critical Business Services |
Impact Tolerance |
Scenario Testing |
Third Parties |
Crisis Comms |
Continuous Learning |
|
1. Ad-hoc |
No formal structure; reactive |
No defined critical operations |
No tolerances defined |
Not conducted |
Untracked; unmanaged |
Informal, inconsistent |
Lessons not documented |
|
2. Initial |
Awareness exists; no formal assignment |
Some ops loosely identified |
Tolerances considered informally |
Ad-hoc testing |
Basic third-party list |
Crisis team identified |
Issues tracked manually |
|
3. Repeatable |
Roles assigned; some controls |
Ops prioritised by volume/ importance |
Draft tolerances for key ops |
Simple internal disruptions tested |
Key vendors monitored |
Draft comms plan |
Debriefs after incidents |
|
4. Defined |
Policy, charter in place |
Ops linked to business impact |
Formal tolerances for critical ops |
Simulations and tabletops |
Risk-rated vendors |
Roles and escalation set |
Trends and metrics tracked |
|
5. Managed |
Performance monitored |
Ops mapped to dependencies |
Tolerances integrated in ops |
Testing includes internal + external events |
Integrated SLA/OLA monitoring |
Multi-channel validated |
Improvement plans implemented |
|
6. Optimised |
Resilience embedded into governance |
Ops dynamically updated |
Tolerances drive strategic decisions |
Complex, cross-border scenarios |
Resilience KPIs for vendors |
Stakeholder-tested messaging |
Predictive learning mechanisms |
|
7. Excellence |
Culture of resilience |
Fully integrated, real-time mapping |
Tolerance levels proactively managed |
Industry-leading simulation |
Third-party continuity ensured |
Proactive crisis readiness |
Continuous, automated learning cycle |
Step 3: Conduct a Maturity Assessment
Use the defined criteria to conduct a self-assessment or external review of your current maturity level in each focus area.
- Use surveys, interviews, and workshops with process owners and risk leaders.
- Assign a score from 1 to 7 for each focus area.
- Highlight areas of weakness, compliance gaps (e.g., BNM RMiT), and business risk.
Output: A Maturity Heatmap or Radar Chart showing current levels across focus areas.
Step 4: Define Target Maturity Levels
Based on your business strategy, regulatory obligations, and operational complexity, define realistic target levels for each focus area within a 2-3 year timeframe.
- Example: Governance at Level 6, Scenario Testing at Level 5, Continuous Learning at Level 4.
- Target levels should be risk-based and proportional to business criticality.
Step 5: Build a Roadmap
Develop a phased implementation roadmap aligned with your strategic goals.
- Phase 1: Foundations—Move from Level 1 to Level 3 by setting up frameworks, policies, and baseline testing.
- Phase 2: Institutionalise – Strengthen governance, perform impact assessments, and conduct structured training.
- Phase 3: Integration – Integrate resilience into change management, digital transformation, and third-party frameworks.
- Phase 4: Continuous Improvement – Automate learning, optimize decision-making, and benchmark against peers.
Step 6: Monitor and Report Progress
Implement a performance dashboard to track maturity progress:
- Include KPIs (e.g., % of critical ops tested, % vendors assessed for resilience).
- Report quarterly to the Board Risk Committee and relevant stakeholders.
- Adjust the model based on lessons learned and regulatory changes (e.g., BNM updates).
Use Case Example: Large Malaysian Bank
Current State: Governance at Level 2 (Initial), Scenario Testing at Level 3 (Repeatable), Vendor Management at Level 2.
Target State (2 Years): Governance at Level 5, Scenario Testing at Level 5, Vendor Management at Level 4.
Actions:
- Implement Board-approved OR framework (Governance → Level 4)
- Map and categorize critical operations (Critical Ops → Level 4)
- Run annual simulation with cross-functional teams (Scenario Testing → Level 5)
- Introduce third-party resilience metrics in procurement contracts (Third Parties → Level 4)
Summing Up …
Operational resilience is no longer optional; it is a strategic and regulatory necessity for financial institutions in Malaysia.
The increasing complexity of banking ecosystems—driven by digital transformation, cross-border dependencies, and evolving threat landscapes—demands a structured, measurable, and forward-looking approach to resilience.
The 7-Level Operational Resilience Maturity Model provides a comprehensive framework for large banks to evaluate where they stand today and where they need to be.
By defining specific maturity criteria across key focus areas such as governance, scenario testing, third-party management, and continuous improvement, banks can ensure alignment with both BNM’s expectations and global best practices.
This chapter has outlined a step-by-step methodology for Malaysian banks to:
- Identify relevant focus areas,
- Define maturity criteria,
- Conduct an honest assessment,
- Set target maturity levels,
- Develop a practical implementation roadmap, and
- Monitor and report progress consistently.
By following this maturity-driven approach, banks can institutionalize resilience as a core business capability to withstand disruptions and emerge stronger. In doing so, they build trust with regulators, customers, shareholders, and employees.
Operational resilience is a journey, not a destination. The maturity model serves as both a compass and a map, enabling your institution to navigate this journey with confidence, clarity, and purpose.
More Information About Blended Learning OR-5000 [BL-OR-5] or OR-300 [BL-OR-3]
To learn more about the course and schedule, click the buttons below for the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.
|
If you have any questions, click to contact us. |
||
|
|