Operational Resilience Series

[OR] [MM] [BNM] Operational Resilience Maturity-level Assessment Aligned to Bank Negara Malaysia

This chapter contains a comprehensive Operational Resilience Maturity Assessment Question Set tailored for banks operating in Malaysia, aligned to the expectations and themes from the Bank Negara Malaysia 2025 Discussion Paper on Operational Resilience.

The structure reflects BNM’s emphasis on:

  • Sustaining critical business services (CBS)

  • Ability to prevent, respond, recover, and adapt to disruptions

  • Strong governance, accountability, and interdependency management

  • Focus on customer impact and systemic stability

Moh Heng Goh
Operational Resilience Certified Planner-Specialist-Expert

Operational Resilience Maturity Assessment (BNM-Aligned)

Section 1: Governance & Accountability

Objective: Assess Board and Senior Management oversight.

  1. Has the Board formally approved an Operational Resilience (OR) framework and strategy?
  2. Are roles and responsibilities for OR clearly defined at the Board, Senior Management, and Business levels?
  3. Is there a designated executive accountable for each Critical Business Service (CBS)?
  4. Does the Board regularly review OR metrics, incidents, and resilience posture?
  5. Are OR objectives aligned with the bank’s risk appetite and strategic priorities?
  6. Is there a formal governance structure integrating BCM, IT Risk, Cyber Risk, and Third-Party Risk?
  7. Are escalation protocols clearly defined for severe disruption scenarios?

Section 2: Identification of Critical Business Services (CBS)

Objective: Ensure focus on services critical to customers and financial stability.

  1. Has the bank identified and documented all Critical Business Services?
  2. Are CBS defined by customer impact and systemic importance rather than by internal processes?
  3. Are CBS reviewed periodically (e.g., annually or after major changes)?
  4. Are CBS mapped across all business lines (retail, corporate, treasury, digital banking)?
  5. Has the bank validated CBS with regulators or internal stakeholders?
  6. Are dependencies (people, process, technology, third parties) identified for each CBS?

Section 3: Impact Tolerance Setting

Objective: Define acceptable disruption thresholds.

  1. Has the bank established Impact Tolerances for each CBS (e.g., time, volume, service degradation)?
  2. Are tolerances expressed in measurable metrics (e.g., downtime, transaction backlog)?
  3. Are tolerances aligned with customer expectations and regulatory requirements?
  4. Are tolerances approved by Senior Management/Board?
  5. Has the bank assessed whether current capabilities can meet these tolerances?
  6. Are tolerances tested under severe but plausible scenarios?

Section 4: Mapping of Interdependencies

Objective: Understand end-to-end service delivery.

  1. Has the bank conducted end-to-end mapping of each CBS?
  2. Are internal dependencies (systems, teams, processes) clearly documented?
  3. Are third-party and fourth-party dependencies identified and assessed?
  4. Is there visibility of critical technology assets supporting CBS?
  5. Are single points of failure identified and mitigated?
  6. Is dependency mapping updated following system or vendor changes?

Section 5: Risk Identification & Scenario Analysis

Objective: Evaluate resilience against disruption scenarios.

  1. Has the bank identified severe but plausible scenarios (e.g., cyberattack, cloud outage, pandemic)?
  2. Are scenarios linked to specific CBS?
  3. Does the bank assess cross-border and systemic risks?
  4. Are emerging risks (e.g., digitalisation, concentration risk, geopolitical risk) considered?
  5. Are scenarios reviewed and updated periodically?
  6. Are lessons from past incidents incorporated into scenario design?

Section 6: Scenario Testing & Exercising

Objective: Validate resilience capabilities.

  1. Does the bank conduct regular scenario testing aligned to impact tolerances?
  2. Are tests conducted at the enterprise and CBS levels?
  3. Are third parties involved in testing where relevant?
  4. Are both technical (IT failover) and business (manual workaround) tests performed?
  5. Are test results documented and reported to Senior Management?
  6. Are remediation actions tracked and implemented?
  7. Does testing include multi-day disruption scenarios?

Section 7: Incident Response & Recovery

Objective: Assess ability to respond and recover effectively.

  1. Does the bank have a documented incident response framework?
  2. Are crisis management and communication plans integrated with OR?
  3. Can the bank maintain minimum service levels during disruptions?
  4. Are recovery strategies aligned with impact tolerances?
  5. Are backup systems and alternate arrangements tested regularly?
  6. Is there coordination across business, IT, and external stakeholders during incidents?

Section 8: Third-Party & Ecosystem Resilience

Objective: Manage external dependencies.

  1. Does the bank assess the resilience capabilities of critical third-party providers?
  2. Are contractual clauses in place for resilience requirements (e.g., SLAs, recovery time)?
  3. Is there monitoring of vendor concentration risk?
  4. Are fourth-party dependencies identified where relevant?
  5. Are third parties included in scenario testing and incident response?
  6. Are contingency plans in place for vendor failure?

Section 9: Technology & Cyber Resilience

Objective: Ensure digital and cyber robustness.

  1. Are critical systems supporting CBS resilient by design (redundancy, failover)?
  2. Does the bank conduct regular cyber resilience testing (e.g., penetration testing, red teaming)?
  3. Are cloud and digital dependencies adequately managed?
  4. Are data recovery and integrity controls aligned with impact tolerances?
  5. Is there integration between cyber incident response and OR framework?
  6. Are technology resilience metrics monitored continuously?

Section 10: Communication & Stakeholder Management

Objective: Maintain trust during disruptions.

  1. Are communication protocols defined for customers, regulators, and stakeholders?
  2. Are communication timelines aligned with impact tolerances?
  3. Are crisis communication scenarios tested?
  4. Is there coordination with regulators (e.g., BNM) during incidents?
  5. Are customer impact mitigation strategies clearly defined?

Section 11: Continuous Improvement & Learning

Objective: Embed resilience as a continuous capability.

  1. Are lessons learned from incidents and tests formally captured?
  2. Are improvement plans tracked and monitored?
  3. Is OR integrated into strategic planning and change management?
  4. Are staff trained regularly on resilience roles and responsibilities?
  5. Are key risk indicators (KRIs) and metrics used to monitor resilience?
  6. Is there a periodic independent review (audit or assurance) of the OR framework?


Summing Up ...

Maturity Rating Framework (Recommended)

Use a 5-level maturity scale:

Level 1: Initial (Ad hoc, reactive)
Level 2: Developing (Some structure, inconsistent)
Level 3: Defined (Formalised and documented)
Level 4: Managed (Measured, tested, and monitored)
Level 5: Optimised (Continuous improvement, embedded culture)

Key Takeaways (Aligned to BNM Direction)

  • Operational resilience is not just compliance—it is the ability to sustain critical services under disruption
  • Focus must shift from preventing failure to minimising impact on customers and the financial system
  • Strong governance, accountability, and end-to-end service understanding are essential

In conclusion, a maturity-level model for focus areas is essential for organisations seeking to implement operational resilience.

By understanding the five or seven levels of the model and their specific requirements, organisations can develop and improve their approach to managing risk and disruptions.

This, in turn, can help organisations continue delivering critical services in the face of unexpected disruptions.
