Perform Scenario Testing
CBS-9 – Branch Operations
Introduction
Scenario testing is an essential component of operational resilience as it evaluates the ability of critical business services (CBS) to withstand severe but plausible disruptions.
For Maybank, Branch Operations (CBS-9) is a cornerstone of customer engagement, financial transactions, and trust-building.
By testing scenarios across various sub-processes, the bank can ensure customer needs are met even during disruptions and demonstrate compliance with regulatory expectations.
Each test integrates cyber and ICT risk considerations and incorporates evidence of proactive risk management, aligning with Maybank’s enterprise-wide risk management framework.
Table: Scenario Testing for CBS-9
| Sub-CBS Code | Sub-CBS | Testing Objective | Test Scenarios | Success Criteria | Testing Frequency | Integration of Cyber & ICT Risks | Evidence of Proactive Risk Management Action |
|---|---|---|---|---|---|---|---|
| 9-1 | Customer Onboarding & Account Management | Ensure seamless onboarding despite disruptions | Core banking system outage, sudden surge in digital onboarding requests, phishing attack targeting new accounts | Onboarding restored within tolerance, fraud detected and blocked | Semi-annual | Simulated phishing and identity theft | Documented response playbook, staff awareness training |
| 9-2 | Counter & Cash Transactions | Validate cash service continuity | Branch system downtime, ATM cash outage, cash-in-transit delays | Cash services are available through alternate branches or mobile ATMs | Annual | Malware on teller systems, ATM skimming | ATM anti-skimming tech, alternate service routing |
| 9-3 | Self-Service Terminal Support | Test the resilience of self-service facilities | Widespread ATM/CDM downtime, network disruption | >90% uptime achieved with rerouting to nearby terminals | Annual | DDoS on ATM network, card cloning attacks | Redundant ATM switches, enhanced monitoring |
| 9-4 | Trade Services & Remittances | Validate cross-border and trade transaction continuity | SWIFT outage, sanctions screening system downtime | Trade/FX services restored within tolerance | Semi-annual | Cyber-attack on SWIFT gateway | Dual authorization, isolation protocols |
| 9-5 | Credit & Collateral Admin | Test resilience in loan/credit operations | System delay in collateral valuation, fraud attempts in loan processing | Collateral updates processed within SLA | Annual | Data breach on credit systems | Encryption of records, monitoring of anomalies |
| 9-6 | Automation & Digital Enablement | Assess continuity of digital workflows | Robotic Process Automation (RPA) outage, API integration failure | Manual override within 24 hrs, no customer backlog | Semi-annual | Exploitation of APIs, malware in automation bots | Pen-testing APIs, fallback to manual processes |
| 9-7 | Security & Continuity | Validate crisis response and physical security | Power outage, fire, or civil unrest near the branch | Safe evacuation, alternate branch continuity | Annual | Cyber-attack on CCTV/surveillance | Dual connectivity, emergency drills |
| 9-8 | Customer Service & Resolution | Test the ability to handle complaints during disruption | Call centre outage, social media misinformation spread | Complaints addressed within SLA, misinformation corrected | Quarterly | Phishing/social engineering attacks | Crisis comms playbook, real-time monitoring |
Table: Scenario Testing Playbook for CBF-9
| Sub-CBS Code | Sub-CBS | Testing Objective | Test Scenarios | Success Criteria | Testing Frequency |
|---|---|---|---|---|---|
| 9-1 | Customer Onboarding & Account Management | Ensure uninterrupted onboarding and account management under disruption | Core banking system outage; Surge in digital onboarding requests; Phishing attack targeting new accounts | Onboarding restored within defined impact tolerance; Fraud attempts detected and blocked | Semi-annual |
| 9-2 | Counter & Cash Transactions | Validate continuity of in-branch cash services | Branch system downtime; ATM cash outage; Delays in cash-in-transit | Cash services available through alternate branches or mobile ATMs; Transactions processed within SLA | Annual |
| 9-3 | Self-Service Terminal Support | Test the resilience of self-service facilities | Widespread ATM/CDM downtime; Network disruption impacting terminals | >90% uptime maintained; Customers redirected effectively | Annual |
| 9-4 | Trade Services & Remittances | Ensure trade and remittance services remain functional | SWIFT or remittance gateway outage; Sanctions screening system failure | Trade/FX transactions restored within tolerance; No regulatory breaches | Semi-annual |
| 9-5 | Credit & Collateral Admin | Assess the continuity of loan and collateral processes | System delay in collateral valuation; Fraud attempts in loan processing | Collateral updates and approvals processed within SLA; Suspicious activities detected | Annual |
| 9-6 | Automation & Digital Enablement | Validate digital workflow continuity | RPA (Robotic Process Automation) outage; API integration failure between systems | Manual override available within defined tolerance; No customer backlog | Semi-annual |
| 9-7 | Security & Continuity | Test crisis response and branch security measures | Power outage; Fire or civil unrest near the branch | Safe evacuation executed; Alternate branch or operational continuity activated | Annual |
| 9-8 | Customer Service & Resolution | Ensure timely customer support during disruption | Call centre outage; Social media misinformation campaigns | Complaints addressed within SLA; Misinformation was mitigated effectively | Quarterly |
Summing Up ...
By performing structured scenario testing on Branch Operations (CBS-9), Maybank can strengthen resilience across customer-facing, transactional, and security-critical processes.
The integration of cyber and ICT risks into every test scenario ensures that digital vulnerabilities are addressed alongside physical disruptions.
Evidence of proactive risk management, such as documented playbooks, simulations, and awareness training, demonstrates Maybank’s commitment to protecting customers and sustaining trust.
Regular scenario testing not only fulfils regulatory expectations but also ensures the bank is prepared for both current and emerging threats.