As part of the “Implement” phase of the Operational Resilience Planning Methodology, scenario testing enables Bank Simpanan Nasional (BSN) to examine how its critical business services perform under adverse, yet realistic conditions.
Unlike traditional continuity testing, scenario testing focuses on understanding the broader impact of disruptions on customer outcomes, regulatory obligations, and reputational standing.
At its core, this phase challenges the assumptions embedded within BSN’s response and recovery strategies. It bridges the gap between documented plans and real-world execution by assessing the practical resilience of business units, technology infrastructure, supply chains, and communication channels.
Scenario testing also fosters cross-functional learning, enhances crisis coordination, and ensures that impact tolerances—such as maximum tolerable downtime and customer harm thresholds—are not only defined but can be adhered to in practice.
For BSN, this proactive approach aligns with Bank Negara Malaysia's resilience requirements and reinforces public confidence in its services, even amidst turbulence.
Begin by identifying the Critical Business Services (CBS) and functions to be tested. For BSN, these include:
Example:
For CBS-2 (Government Aid and Disbursement Services), BSN may set a scenario to test how well it can disburse emergency aid to beneficiaries during a national IT outage.
Construct realistic yet challenging scenarios that reflect BSN’s operational environment, risk landscape, and customer base. These should be considered:
Example:
A coordinated cyberattack brings down both myBSN and ATM services across multiple regions. BSN tests how quickly it can reroute transactions through agent banking and restore digital services.
Choose the appropriate format for the test:
Example:
BSN conducts a tabletop exercise involving Digital Banking, IT, Customer Service, and Corporate Communications to simulate a ransomware attack affecting CBS-4.
Ensure involvement from all relevant teams:
Example:
During a test of CBS-5 (Loan Disbursement), BSN involves system vendors and BNM liaison officers to assess response coordination.
Simulate the selected scenario under controlled conditions. Monitor actions taken, decisions made, and time taken to respond and recover.
Key elements to document include:
Assign observers to each functional area. Record actual vs. expected response times and note deviations from plans.
Example:
BSN finds that during the ATM disruption test, customer communication was delayed by 45 minutes due to unclear escalation protocols.
Hold a structured after-action review with all participants. Identify:
Incorporate improvements into Business Continuity Plans (BCPs), IT Disaster Recovery Plans (IT DRPs), and Operational Resilience Playbooks.
Example:
After testing a myBSN outage, BSN revises its communication SOP to include SMS alerts to customers when the mobile app is down for more than 15 minutes.
Summarise the outcomes of each test and report to senior management and, where applicable, to BNM. Include:
| CBS | Critical Business Service | Scenario Description | Type of Test | Date Tested | Participants | Key Findings | Impact Tolerance Met? | Recommendations/Action Items |
|---|---|---|---|---|---|---|---|---|
| CBS-1 | Retail Banking Services | Sudden nationwide branch network outage due to power grid failure | Tabletop Simulation | 202X-06-10 | Branch Ops, IT Infra, Crisis Mgmt, Customer Comms | Branch contingency plans were delayed due to manual dependencies | No | Automate manual override; review branch SOPs |
| CBS-2 | Government Aid and Disbursement Services | Cyberattack delays processing of emergency fund transfers to B40 customers | Live Simulation | 202X-06-12 | Digital Ops, Treasury, IT Sec, Gov Liaisons | Incident escalation was efficient; the Gov agency was not updated in a timely manner | Partial | Integrate Gov channels into comms protocol |
| CBS-3 | ATM and Self-Service Banking Infrastructure | ATM network compromised by malware; 70% devices offline in urban areas | Technical Failover Testing | 202X-06-14 | ATM Vendor, IT Sec, Customer Care, Infra Support | Slow malware detection; response team overwhelmed | No | Improve SOC-ATM link; staff specialised response team |
| CBS-4 | Digital Banking (myBSN Online & Mobile App) | App inaccessible due to cloud provider API failure for 6 hours during peak usage | Tabletop + Technical Drill | 202X-06-16 | App Dev, Cloud Ops, Helpdesk, Social Media | Alternate channels activated; push notification delayed | Yes | Update app alert system; strengthen vendor SLAs |
| CBS-5 | Loan Disbursement and Repayment Processing | The loan module data was corrupted due to a failed patch rollout | Technical Walkthrough | 202X-06-18 | Loans, Core Banking, IT DevOps, QA | Recovery RTO met, but reconciliation lagged | Yes | Automate backup validation checks |
| CBS-6 | Agent Banking (BSN Banking Agents) | Remote agents are unable to sync transactions due to satellite link failure | Live Simulation | 202X-06-20 | Agent Network, IT Infra, Customer Support | Rural coverage was highly impacted; agents had no manual workaround | No | Issue paper-based fallback forms to all rural agents |
| CBS-7 | Treasury and Liquidity Management | Liquidity constraints due to the regional payment settlement system outage | Tabletop Simulation | 202X-06-22 | Treasury, Finance, Risk, BNM Liaison | Inadequate fallback arrangements for interbank transfers | No | Develop alternative liquidity sourcing procedures |
| CBS-8 | Core Banking System (CBS Infrastructure) | Sudden CBS core system crash during peak load on the salary disbursement day | Technical Failover Testing | 202X-06-24 | IT Infra, Core Banking, HR Payroll, Customer Service | Failover triggered successfully; delays in non-core modules | Yes | Isolate module dependencies; update recovery runbook |
| CBS-9 | Customer Complaint and Dispute Resolution | Surge in unresolved complaints due to prolonged digital outage | Tabletop Exercise | 202X-06-25 | Customer Experience, Legal, Ombudsman Liaison | Inadequate staffing for peak surge; no alternative escalation | No | Deploy temp complaint hotline; improve triage system |
| CBS-10 | Regulatory Reporting and Compliance | Data integrity compromised during automated reporting to BNM post-cyber incident | Walkthrough & Document Drill | 202X-06-26 | Compliance, IT Security, Legal, Reg Affairs | Incorrect data submitted; delay in regulator notification | No | Validate post-incident reporting checklist; auto alerts |
Scenario testing is more than a compliance requirement—it is a vital diagnostic tool that reveals the true strength and flexibility of Bank Simpanan Nasional's operational resilience framework.
Through the deliberate application of stress on critical business services, BSN can simulate high-impact events, observe real-time reactions, and validate the robustness of its response capabilities.
Each exercise, regardless of outcome, contributes to a feedback loop that strengthens procedures, enhances staff competencies, and fortifies BSN’s promise to remain reliable, even under stress.
As BSN continues to innovate and expand its service delivery channels—especially in digital and rural agent-based banking—scenario testing must evolve accordingly.
Periodic exercises, incorporating new threat vectors and stakeholder complexities, will ensure that BSN's resilience posture remains aligned with national expectations, international standards, and the expectations of millions of Malaysians who rely on it.
Ultimately, scenario testing is the proving ground for trust—and it is this trust that anchors BSN’s mission in both crisis and continuity.
Operational Resilience for Financial Services: The BSN Malaysia Approach
"Implement" Phase of the Operational Resilience Planning Methodology