[OR] [MB] [E4] Concluding Chapter: Embedding Operational Resilience at Maybank

Chapter 1

Summing Up Generic Banner

Concluding Chapter: Embedding Operational Resilience at Maybank

Introduction

Operational resilience is no longer an aspirational goal—it is a regulatory expectation and a strategic necessity for Maybank.

This eBook, “Operational Resilience in Action: Case Studies and Best Practices for Maybank”, has demonstrated how the bank has systematically applied the five stages of the Plan phase within the Operational Resilience Planning Methodology to ensure that its ten Critical Business Services (CBS) remain resilient under stress.

Through a structured and evidence-driven process, Maybank has produced comprehensive resilience documentation, demonstrating its commitment to safeguarding customer trust, maintaining financial stability, and complying with regulatory obligations.

Key Outcomes Across the 10 Critical Business Services

Each of the ten CBS—ranging from Retail and SME Loans to Self-service Terminals—was rigorously assessed and documented against six core components of operational resilience.

These are the Critical Business Services (CBS) for Maybank.

CBS-1: Retail and SME Loans
CBS-2: Corporate Lending and Trade Finance
CBS-3: Cards
CBS-4: Payment and Settlement Systems
CBS-5: Digital and Mobile Banking
CBS-6: Treasury Operations
CBS-7: Wealth Management
CBS-8: Customer Support
CBS-9: Branch Operations
CBS-10: Self-service Terminal

The outputs for each CBS will consist of these six steps. Each step forms the foundation of Maybank’s submission to each CBS, management, and regulators. The steps are as follows:

Identification of Critical Business Services (DP):
Maybank has clearly defined and justified the inclusion of each CBS, focusing on services essential to financial stability, customer confidence, and regulatory obligations.
Mapping Dependencies and Connectivity (MD):
Dependencies—both internal (people, systems, data, facilities) and external (third parties, market infrastructures)—were mapped comprehensively. This provides clarity on upstream and downstream linkages that could amplify risks during a disruption.
Mapping Processes and Resources (MPR):
Core business processes, applications, infrastructure, and supporting resources for each CBS have been catalogued. This mapping ensures visibility into resource criticality, redundancy, and recovery priorities.
Establishing Impact Tolerances (iTo):
Clear metrics were defined to measure disruption tolerance, such as maximum allowable downtime, service degradation thresholds, and customer impact benchmarks. These tolerances align with both customer expectations and regulatory requirements.
Identifying Severe but Plausible Scenarios (SuPS):
Scenario libraries covering cyber-attacks, system outages, third-party failures, pandemics, and natural disasters were developed to challenge the resilience of each CBS.
Performing Scenario Testing (ST):
Controlled resilience exercises validated whether each CBS could continue to operate within established impact tolerances under stress. Lessons learned have been captured to inform ongoing improvements.

Deliverables for Management and Regulators

The outcomes of the Plan phase demonstrate Maybank’s proactive approach to embedding operational resilience into its business model. The deliverables include:

A resilience framework mapping the 10 CBS and their supporting resources.
Evidence-based impact tolerances for each CBS, showing clear thresholds for customer and market impact.
Scenario testing results that assure Maybank’s preparedness for severe but plausible disruptions.
Actionable improvement plans derived from identified gaps during scenario testing.
A governance structure that ensures ongoing oversight, accountability, and continuous improvement.

Together, these outputs not only meet regulatory expectations but also reinforce Maybank’s position as a trusted financial institution committed to customer-centric resilience.

Looking Forward: Continuous Improvement and Adaptation

Operational resilience is not a one-off exercise but an ongoing journey. Maybank’s adoption of the Plan phase has laid a strong foundation, but future success depends on continuous adaptation.

Emerging risks such as geopolitical instability, advanced cyber threats, and climate-related disruptions demand ongoing monitoring and periodic reassessment of impact tolerances and scenarios.

The lessons learned from this phase will inform the “Do, Check, and Act” phases of the Operational Resilience lifecycle, ensuring Maybank remains agile and responsive to evolving challenges.

By embedding resilience into daily operations, governance, and strategy, Maybank safeguards not only its services but also the financial ecosystem it supports.

Final Statement

This submission provides a comprehensive and transparent account of Maybank’s operational resilience planning efforts.

By systematically applying the Plan phase across all ten Critical Business Services, Maybank has demonstrated its commitment to regulatory compliance, operational integrity, and customer trust.

Operational resilience at Maybank is not just about surviving disruptions—it is about ensuring continuity, protecting stakeholders, and maintaining confidence in Malaysia’s leading financial institution.

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.

More Information About OR-5000 [OR-5] or OR-300 [OR-3]

To learn more about the course and schedule, click the buttons below for the [OR-3] OR-300 Operational Resilience Implementer course and the [OR-5] OR-5000 Operational Resilience Expert Implementer course.