Key Operational Resilience Regulatory and Supervisory Expectations for Malaysian Banks
In today's volatile and interconnected financial landscape, operational disruptions can have far-reaching consequences for individual institutions and the broader financial ecosystem.
For financial institutions operating in Malaysia, ensuring operational resilience is not just about regulatory compliance but a strategic imperative to maintain trust, stability, and continuity of services.
This article outlines the development and implementation of an Operational Resilience Framework (ORF) for Malaysian Banks, aligned with Bank Negara Malaysia’s (BNM) guidelines and the Basel Committee on Banking Supervision (BCBS)'s Principles for the Sound Management of Operational Risk (PSMOR).
Bank Negara Malaysia’s Operational Resilience Expectations
-
Establish an integrated risk management framework.
-
Identify critical operations and third-party dependencies.
-
Ensure continuity of essential business services under various severe but plausible scenarios.
-
Conduct regular resilience testing and scenario planning.
-
Embed resilience into governance, technology, and change management practices.
BNM – Risk Management in Technology (RMiT)
Policy Document Issued: 2019 | Revised: June 2023
This is one of the most critical documents governing operational resilience in the context of technology.
Key Requirements
-
Establish robust IT and cybersecurity risk governance structures.
-
Identify and assess technology risks that could threaten critical operations.
-
Implement secure, resilient IT systems and ensure recoverability.
-
Perform regular technology resilience testing (e.g., stress testing, penetration testing, red teaming).
-
Ensure third-party and outsourcing arrangements comply with resilience expectations.
Relevance to Operational Resilience
RMiT reinforces the resilience of Maybank’s digital infrastructure, cybersecurity defenses, and outsourcing ecosystem—all of which are crucial pillars in the broader ORF.
BNM – Business Continuity Management (BCM) Guidelines (2008)
Key Requirements
-
Develop and maintain a robust BCM program.
-
Identify critical functions and perform Business Impact Analyses (BIAs).
-
Establish Crisis Management and Emergency Response structures.
-
Conduct regular BCM drills and simulation exercises.
-
Ensure timely recovery of operations in adverse scenarios.
Relevance to Operational Resilience
BCM is a foundational element of operational resilience. Banks operating in Malaysia must evolve their BCM practices to align with emerging threats, including cyber events and systemic disruptions.
BNM – Outsourcing Policy Document (Effective March 1, 2022)
Key Requirements
-
Conduct comprehensive due diligence before outsourcing material functions.
-
Ensure service providers meet the bank’s resilience and risk standards.
-
Include clear contract terms related to performance, recovery, and exit strategies.
-
Ensure ongoing oversight and conduct periodic assessments.
Relevance to Operational Resilience
Maybank must ensure that third-party vendors and cloud service providers can support operational continuity under stress.
BNM – Technology Risk Management Framework (TRMF)
(Integrated into RMiT but foundational for ongoing reviews)
This framework provides the basis for managing risk across digital platforms and supports building technological resilience against emerging threats such as cyber-attacks and IT system failures.
BNM – Corporate Governance Policy
Effective Date: 3 August 2016
Key Requirements
-
The board and senior management oversee risk, continuity, and resilience strategies.
-
Establish board-level risk committees with oversight responsibilities.
-
Embedding resilience principles into the bank’s strategic planning and risk appetite.
Relevance to Operational Resilience
Governance is a cornerstone of resilience. This policy ensures board accountability in maintaining and funding resilient capabilities.
Cyber Resilience Review and Industry Assessments
BNM periodically conducts thematic assessments and issues ad-hoc directives for banks to assess their resilience to cyber threats, data breaches, and critical infrastructure disruption.
The large and systemic institution and financial institutions operating in Malaysia are typically included in these pilot reviews and expected to participate in national and industry-wide resilience-building initiatives.
Financial Stability Board (FSB) Guidance on Operational Resilience (Global Standard)
While not legally binding, financial institutions operating in Malaysia, as a regionally systemic bank with a global presence, are expected to adopt international best practices.
FSB's Core Components of Operational Resilience
-
Governance
-
Identification of critical operations
-
Mapping of interdependencies
-
Setting impact tolerances
-
Scenario testing
-
Incident management
-
Continuous learning
BNM also draws heavily from this framework when developing future policy guidance.
Malaysian Code on Corporate Governance (MCCG) 2021 – Securities Commission
Though more relevant for public companies, this code emphasizes:
-
Corporate sustainability and resilience.
-
Effective risk governance.
-
Disclosure and transparency in managing disruptions.
Operational resilience must be embedded in the public disclosures and investor relations strategies of financial institutions operating in Malaysia (as listed entities).
ASEAN and Cross-Border Regulatory Expectations
As financial institutions operating in Malaysia and also operating in multiple ASEAN jurisdictions (Singapore, Indonesia, Philippines, etc.), it must harmonise resilience efforts with:
-
Monetary Authority of Singapore (MAS) guidelines on BCM and Operational Risk.
-
Otoritas Jasa Keuangan (OJK) – Indonesia’s Resilience Requirements.
-
Bangko Sentral ng Pilipinas (BSP) Guidelines on Operational Resilience.
This calls for a Group-Wide Operational Resilience Framework that is scalable, flexible, and locally compliant.
Basel Committee’s PSMOR
-
Governance: Strong oversight from senior management and the board.
-
Risk Identification and Assessment: Proactive recognition of material operational risks.
-
Monitoring and Reporting: Timely and accurate information for decision-making.
-
Control and Mitigation: Effective internal controls and contingency plans.
-
Business Continuity and Resilience: Capability to deliver critical operations during disruptions.
Summing Up … Table for OR Regulatory Landscape
| Regulator/Standard | Requirement/Guideline | Focus Area |
|---|---|---|
| BNM | RMiT Policy | IT & Cyber Resilience |
| BNM | BCM Guidelines | Business Continuity Planning |
| BNM | Outsourcing Policy | Vendor Risk & Resilience |
| BNM | Corporate Governance | Board Oversight |
| BNM | TRMF (legacy) | Technology Risk |
| SC Malaysia | MCCG | Sustainability & Governance |
| FSB | Operational Resilience Guidance | Global Best Practices |
| Basel Committee | PSMOR | ORM Integration |
| ASEAN Jurisdictions | Local Regulations | Regional Compliance |
|
OR Planning Methodology Phases |
Plan | Implement | Sustain | ||
More Information About Blended Learning OR-5000 [OR-5] or OR-300 [OR-3]
To learn more about the course and schedule, click the buttons below for the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.