[OR] [MM] [MAS] Operational Resilience Maturity-level Assessment Aligned to Monetary Authority of Singapore

Operational Resilience Maturity Assessment (MAS-Aligned)

This chapter contains a comprehensive Operational Resilience Maturity Assessment Questionnaire tailored for banks operating in Singapore, aligned to the expectations of the Monetary Authority of Singapore (MAS), particularly from “Achieving Operational Resilience for Financial Institutions in Singapore”, MAS BCM Guidelines (2022), and emerging ORM/TRM expectations.

The structure follows your Plan → Implement → Test → Improve lifecycle and integrates MAS themes such as governance, critical services, recovery objectives, testing, third-party risk, and continuous improvement. 

MAS emphasises governance oversight, risk appetite, recovery objectives, testing, and continuous improvement as core resilience expectations.

Section 1: Governance, Oversight, and Strategy

Purpose: Assess Board and senior management accountability and resilience governance.

1. Has the Board formally approved an Operational Resilience or BCM Framework aligned to MAS expectations?
2. Is there a clearly defined risk appetite and tolerance statement for operational disruptions?
3. Are roles and responsibilities for resilience clearly defined across the three lines of defence?
4. Does senior management receive regular reporting on resilience performance and incidents?
5. Is there a dedicated function (e.g., ORM/BCM/Resilience Office) with sufficient authority and resources?
6. Are resilience objectives embedded into enterprise strategy and business planning?
7. Does governance extend to subsidiaries, branches, and critical third parties?

Section 2: Critical Business Services (CBS) Identification

Purpose: Evaluate the shift to a service-centric resilience approach.

1. Has the organisation formally identified its Critical Business Services (CBS)?
2. Are CBS defined from a customer-outcome perspective rather than from internal processes?
3. Are CBS approved at the Board or senior management level?
4. Are CBS periodically reviewed for relevance and changes in business strategy?
5. Are dependencies (people, process, technology, third parties) identified for each CBS?
6. Are systemically important services clearly distinguished from other services?

Section 3: Mapping and Dependency Analysis

Purpose: Assess end-to-end visibility of service delivery.

1. Has the bank completed end-to-end mapping of each CBS?
2. Are critical dependencies (internal and external) clearly documented?
3. Are single points of failure and concentration risks identified and mitigated?
4. Is there visibility of interconnections across business units and systems?
5. Are third-party dependencies mapped to specific CBS and critical processes?
6. Is dependency mapping updated following material changes (e.g., cloud migration, outsourcing)?

Section 4: Impact Tolerance and Recovery Objectives

Purpose: Align with MAS expectations on service recovery and disruption tolerance.

1. Has the organisation defined Service Recovery Time Objectives (SRTO) or equivalent for each CBS?
2. Are recovery objectives supported by Business Impact Analysis (BIA)?
3. Are data recovery objectives (RPO / data loss tolerance) defined?
4. Are impact tolerances aligned with:
• Customer impact
• Regulatory obligations
• Financial and reputational impact
5. Are tolerances approved by senior management or Board?
6. Are recovery objectives regularly reviewed and tested for realism?

Section 5: Risk Identification, Assessment, and Treatment

Purpose: Evaluate the robustness of ORM aligned to MAS.

1. Does the organisation maintain a comprehensive operational risk taxonomy?
2. Are risks identified across:
• Business processes
• Technology systems
• Third parties
• External threats (cyber, pandemic, geopolitical)
3. Are tools used, such as:
• Risk & Control Self-Assessments (RCSA)
• Scenario analysis
• Key Risk Indicators (KRIs)
4. Are mitigation measures implemented and tracked?
5. Are residual risks monitored against risk appetite thresholds?
6. Are risks reassessed following significant changes or incidents?

Section 6: Scenario Testing and Exercising

Purpose: Validate resilience through severe but plausible scenarios.

1. Does the organisation conduct regular scenario testing aligned to CBS?
2. Are scenarios based on severe but plausible events (e.g., cyberattack, cloud outage)?
3. Do tests assess end-to-end service delivery (not just systems)?
4. Are third parties included in testing exercises?
5. Are different exercise types conducted?
• Tabletop exercises
• Simulation drills
• Full-scale tests
6. Are results documented and linked to improvement actions?
7. Are tests aligned to impact tolerances / SRTOs?

Section 7: Technology and Cyber Resilience (TRM Alignment)

Purpose: Ensure resilience of digital infrastructure.

1. Are systems designed with redundancy and failover capabilities?
2. Are cyber resilience capabilities integrated into operational resilience?
3. Are cloud and outsourced IT services subject to resilience and risk assessments?
4. Is there a defined incident response and cyber recovery plan?
5. Are systems monitored for availability, performance, and security threats?
6. Are technology risks aligned with MAS TRM Guidelines?

Section 8: Third-Party Risk Management (TPRM)

Purpose: Address increasing reliance on external providers.

1. Are all critical third parties identified and classified by criticality level?
2. Are due diligence and risk assessments conducted prior to onboarding?
3. Are resilience requirements embedded in contracts / SLAs?
4. Are third-party disruptions incorporated into scenario testing?
5. Is there monitoring of third-party performance and concentration risk?
6. Are contingency plans in place for third-party failure (exit strategies)?

Section 9: Incident and Crisis Management

Purpose: Assess response capability during disruptions.

1. Is there a formal incident management framework?
2. Are escalation thresholds clearly defined?
3. Is there a crisis management structure (e.g., crisis team, command centre)?
4. Are communication protocols defined for:
• Internal stakeholders
• Regulators (MAS)
• Customers and the public
5. Are crisis management exercises conducted regularly?
6. Are lessons learned from incidents incorporated into improvements?

Section 10: Training, Awareness, and Culture

Purpose: Embed resilience into business-as-usual operations.

1. Are staff trained on BCM, incident response, and crisis management roles?
2. Is resilience incorporated into employee onboarding and regular training?
3. Are senior leaders actively promoting a resilience culture?
4. Are staff evaluated on resilience-related KPIs?
5. Are awareness programmes conducted regularly (e.g., simulations, campaigns)?

Section 11: Continuous Improvement and Assurance

Purpose: Ensure resilience maturity evolves over time.

1. Is there a structured, continuous improvement framework?
2. Are findings from:
• Tests
• Incidents
• Audits
  translated into action plans?
3. Is there an independent internal audit or assurance function reviewing resilience?
4. Are resilience metrics (KPIs/KRIs) tracked and reported?
5. Is there a periodic framework review against MAS guidelines and emerging risks?
6. Are improvements prioritised based on risk and impact?

Section 12: Change Management and Future Readiness

Purpose: Align with MAS expectations on evolving risk landscape.

1. Is there a formal change management process assessing operational risk impact?
2. Are resilience considerations embedded in:
• New products
• Technology changes
• Outsourcing decisions
3. Are emerging risks (AI, cyber, geopolitical) incorporated into planning?
4. Are resilience capabilities reviewed following major organisational changes?
5. Is there a forward-looking resilience roadmap?

Maturity Rating Framework (Recommended)

Use a 7-level maturity scale:

Maturity Rating Guide (Optional Scoring Model)

For each question, assign:

1. Level 0: Ad-hoc: Reactive, unstructured processes.
2. Level 1: Reactive: Basic frameworks with sporadic execution.
3. Level 2: Proactive: Formal policies and dedicated teams.
4. Level 3: Mature: Anticipatory risk management.
5. Level 4: Advanced: Integrated, data-driven strategies.
6. Level 5: Leading: Predictive analytics and automation.
7. Level 6: Excellence: Industry leadership through innovation.

Key Takeaways (Aligned to MAS Direction)

• Operational resilience is not just compliance—it is the ability to sustain critical services under disruption

• Focus must shift from preventing failure to minimising impact on customers and the financial system

• Strong governance, accountability, and end-to-end service understanding are essential

This assessment reflects MAS’s expectation that operational resilience is not a one-time compliance exercise but an ongoing capability that requires governance, testing, and continuous improvement embedded in daily operations.

It enables banks to:

• Identify gaps against MAS expectations

• Prioritise resilience investments

• Transition from compliance → maturity → strategic resilience capability

 

More Information About Blended Learning OR-5000 [BL-OR-5] or OR-300 [BL-OR-3]

To learn more about the course and schedule, click the buttons below for the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.

	If you have any questions, click to contact us.