Establish Impact Tolerances
CBS-10 – Self-service Terminal
Introduction
Self-service terminals (SSTs) form a critical business service (CBS) within Maybank’s retail banking ecosystem.
These terminals — including ATMs, cash deposit machines (CDMs), and multifunction kiosks — are key enablers of customer convenience and accessibility.
They support day-to-day transactions such as withdrawals, deposits, inquiries, and account activations, and are thus essential to maintaining trust and continuity in financial services delivery.
In line with operational resilience regulations, it is vital to set appropriate impact tolerances for these services. Impact tolerances define the maximum acceptable level of disruption before intolerable harm is caused to customers, financial stability, or regulatory compliance.
The tolerances consider multiple factors: downtime duration, potential data loss, customer reliance, reputational effects, and regulatory requirements.
The table below outlines the impact tolerances for each Sub-CBS of CBS-10: Self-service Terminals at Maybank.
Table: Impact Tolerance Summary for CBS-10
| Sub-CBS Code | Sub-CBS | Maximum Tolerable Downtime (MTD) | Maximum Tolerable Data Loss (MTDL) | Customer Impact | Regulatory Impact | Impact Type | Current Resilience Status | Action Required |
|---|---|---|---|---|---|---|---|---|
| 10-1 | Authentication & Access | 2 hours | < 15 mins | Customers are unable to authenticate, and there is widespread transaction failure | Potential breach of regulatory requirements for fair access | Service Disruption, Customer Trust | Robust but requires periodic stress testing | Enhance multi-factor fallback and biometric redundancy |
| 10-2 | Withdrawal (Card & Contactless) | 4 hours | < 30 mins | Loss of cash access, financial hardship during peak hours | Possible scrutiny under customer service obligations | Financial Stability, Customer Confidence | Strong with high redundancy | Expand cash stock monitoring and ATM load balancing |
| 10-3 | Deposit & Inquiry | 6 hours | < 30 mins | Inability to deposit funds or check balances, leading to inconvenience | Minor unless prolonged disruption | Service Availability | Adequate with some vulnerabilities | Introduce alternative deposit routing through digital channels |
| 10-4 | Activation & Setup (Cash-out) | 8 hours | < 1 hour | Delayed new card activations or cash-out setup; medium impact | Limited regulatory consequence | Customer Experience | Moderate resilience | Implement automated rerouting to digital/mobile onboarding |
| 10-5 | Availability Management | 1 hour | < 15 mins | Entire network outage affecting multiple SSTs simultaneously | High regulatory concern if systemic | Operational Continuity, Regulatory Compliance | Good but single points of failure exist | Improve real-time monitoring and rapid failover systems |
| 10-6 | Security & Resilience | Immediate (0 downtime tolerance) | 0 | Fraud risk, data compromise, reputational damage | Severe regulatory sanctions (e.g., BNM, MAS) | Security, Compliance | Strong, monitored 24/7 | Continuous patching, AI-based anomaly detection, red-team testing |
| 10-7 | Customer Support & Recovery | 12 hours | < 1 hour | Delayed issue resolution, reputational dissatisfaction | May breach customer care standards if recurring | Reputation, Service Quality | Adequate but reactive | Strengthen proactive notification and escalation process |
Establishing impact tolerances for CBS-10: Self-service Terminals ensures that Maybank can pre-emptively identify vulnerabilities, set boundaries for acceptable service disruption, and allocate resources toward resilience-building initiatives.
While areas such as security and authentication require near-zero tolerance for failure due to their direct regulatory and trust implications, other functions, such as deposit/inquiry or activation/setup, may withstand slightly more extended outages without systemic consequences.
Nonetheless, all tolerances remain anchored to customer needs, regulatory compliance, and operational resilience principles.
The outcomes of this assessment will inform targeted resilience enhancements, including real-time monitoring, stronger security controls, and diversified fallback mechanisms.
Ultimately, by setting precise impact tolerances, Maybank strengthens its ability to safeguard customer trust, uphold regulatory obligations, and maintain continuity in critical self-service banking functions.