[OR] [BSN] [E2] [C19] Conducting Independent Quality Reviews

Chapter 19

Conduct Independent Quality Review – Stage 5 of the Sustain Phase of BSN’s Operational Resilience Planning Methodology

Introduction

In the Sustain phase of Bank Simpanan Nasional’s Operational Resilience Planning Methodology, the “Conduct Independent Quality Review” stage plays a crucial role in ensuring that all resilience activities—spanning planning, implementation, and monitoring—meet expected quality standards and industry best practices.

This review process ensures objectivity, identifies gaps, and drives continual improvement.

As BSN continues to provide critical services to individuals, government entities, and businesses across Malaysia, conducting an independent quality review ensures that its resilience strategies remain robust, relevant, and aligned with regulatory expectations.

Objective of Independent Quality Review

The primary objectives of conducting an independent quality review are to:

• Validate the integrity and effectiveness of resilience plans and controls.
• Provide an impartial assessment of BSN’s preparedness to respond to disruptions.
• Ensure alignment with Bank Negara Malaysia (BNM) and other relevant regulatory guidelines.
• Recommend actionable improvements for strategic and operational resilience.

Implementation Steps

1. Define the Scope and Objectives of the Review

Clearly define what will be reviewed (e.g., specific Critical Business Functions or entire resilience plans) and what the review aims to achieve.

Example

BSN may initiate an independent quality review of CBS-4 (Digital Banking) and CBS-8 (Core Banking System) due to the increasing reliance on digital platforms and the criticality of uninterrupted system availability.

2. Appoint Independent Reviewers

Engage internal audit teams that are functionally independent, or external subject matter experts (SMEs) with no operational involvement in the day-to-day BCM/ITRM functions.

Example

A third-party consultancy with expertise in operational resilience could be commissioned to conduct a review of CBS-1 (Retail Banking Services) and CBS-6 (Agent Banking), assessing their continuity plans under various disruptive scenarios.

3. Conduct Documentation Review

Review all resilience-related documentation, including:

• Business Impact Analysis (BIA)
• Risk Assessments
• Business Continuity Plans (BCPs)
• Crisis Management Frameworks
• Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs)

Example

During the review of CBS-10 (Regulatory Reporting and Compliance), documentation must demonstrate how BSN ensures timely and accurate regulatory submissions during system outages or crises.

4. Perform Validation Exercises and Interviews

Conduct validation through:

• Stakeholder interviews
• Walkthroughs
• Site inspections
• Review of recent incident response cases or test reports

Example

To assess CBS-3 (ATM and Self-Service Banking Infrastructure), reviewers may visit branches or data centres to inspect failover mechanisms and validate response actions during unplanned ATM outages.

5. Evaluate Against Standards and Best Practices

Use standards such as:

• ISO 22301 (Business Continuity)
• ISO 27001 (Information Security)
• ISO 22361 (Crisis Management)
• Bank Negara Malaysia’s Operational Resilience Guidelines

Example

A review of CBS-7 (Treasury and Liquidity Management) should confirm that the function’s continuity procedures align with BNM’s expectations for financial stability during systemic disruptions.

6. Identify Gaps and Non-Conformities

List observations by priority level (Critical, Major, Minor), noting where current practices diverge from stated procedures, standards, or best practices

Example

A critical finding may emerge if CBS-9 (Customer Complaint and Dispute Resolution) lacks a backup system for complaint tracking during system outages, potentially leading to regulatory penalties or reputational damage.

7. Report Findings and Recommendations

Deliver a formal report to BSN’s Operational Resilience Steering Committee and senior management, outlining:

• Summary of findings
• Risk exposure analysis
• Recommended corrective actions
• Timelines and the responsible owner

Example:

The review of CBS-5 (Loan Disbursement and Repayment Processing) may result in a recommendation to strengthen data backup frequency to reduce data loss risk within the 24-hour recovery window.

8. Track and Monitor Corrective Actions

Implement a follow-up process to ensure that recommendations are addressed within agreed-upon timelines. Use dashboards or compliance tracking tools for visibility.

Example

Post-review of CBS-2 (Government Aid and Disbursement Services), an internal team may be assigned to oversee process improvements that ensure timely disbursements during state emergencies.

Integration with Continuous Improvement

This independent review process should be embedded into BSN’s annual review cycle and triggered:

• After major changes (e.g., new digital services launched)
• Following significant incidents or near misses
• When regulatory guidelines are updated

Summing Up ...

Conducting an Independent Quality Review is a crucial element of BSN’s commitment to continuous improvement in operational resilience.

It ensures that each critical business function—from digital banking and core systems to regulatory reporting—is regularly assessed for quality, reliability, and resilience.

By maintaining objectivity and transparency in this review process, BSN strengthens its ability to anticipate, absorb, and adapt to future disruptions, thereby safeguarding public trust and financial stability.

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.