Regulatory Requirements for Identifying CBS as part of a BSN's OR Program
Purpose of the Chapter
The purpose of this chapter is to introduce the concept of operational resilience and explain its relevance to critical infrastructure organisations, using Malakoff Corporation Berhad as a case example.
While operational resilience has its roots in the financial sector—particularly through frameworks such as those developed by the Basel Committee on Banking Supervision (BCBS)—its principles are increasingly applicable to non-financial sectors that deliver essential services.
This chapter aims to help readers understand how organisations like Malakoff can proactively identify vulnerabilities, safeguard critical business services, and ensure continued delivery of essential outputs under conditions of stress or disruption.
To apply these principles, we first need to understand the regulatory context and obligations for Malakoff Corporation Berhad (Malakoff), especially as they relate to Operational Resilience.
However, it's important to clarify the following:
- Malakoff is not a bank; it is an independent water and power producer in Malaysia, listed on Bursa Malaysia.
- Basel operational resilience frameworks, especially those issued by the Basel Committee on Banking Supervision (BCBS), are targeted primarily at financial institutions, especially banks.
- As such, Malakoff is not directly subject to Basel III or BCBS operational resilience frameworks. Instead, it may be subject to sectoral guidelines (e.g. from the Energy Commission (Suruhanjaya Tenaga) or the National Security Council) for critical infrastructure protection and business continuity.
However, where Basel guidance is used as a best-practice benchmark for operational resilience in non-banking organisations like Malakoff, the requirements break down as follows:
General Requirement for Identifying Critical Business Services (Based on Basel & Global Operational Resilience Standards)
Even for non-banks, when aligning to Basel/BCBS principles for operational resilience, organisations like Malakoff are expected to:
1. Identify Critical Business Services (CBS):
   - Determine which services, if disrupted, would cause significant harm to customers, the economy, or national security.
   - For Malakoff, these could include:
     - Electricity generation and distribution operations
     - Desalination and water treatment services
     - Energy trading platforms
2. Map Resources Supporting CBS:
   - Identify people, technology, processes, data, third parties, and facilities supporting each CBS.
3. Set Impact Tolerances:
   - Define maximum tolerable disruption (e.g., 2 hours of blackout in a high-priority region).
   - Consider reputational, financial, and safety impacts.
4. Scenario Testing:
   - Test resilience against cyberattacks, power plant failures, climate-related disasters, or supply chain interruptions.
5. Governance & Accountability:
   - Ensure board-level ownership of operational resilience.
   - Regular reporting, oversight, and audit trails.
6. Communication Plans:
   - Clear internal and external communication strategies during disruption.
7. Continual Improvement:
   - Regular reviews, post-incident learning, and updating resilience plans.
What Central Banks Expect (If Malakoff Were a Financial Institution)
Since Malakoff is not a bank, it does not report to central banks like BNM (Bank Negara Malaysia) for operational resilience under Basel. However, if we translate Bank Negara Malaysia’s operational resilience expectations for financial institutions (such as those set out in its Risk Management in Technology (RMiT) and BCP Guidelines), the regulator would typically expect:
- Formal Identification of Critical Services
- End-to-End Mapping
- Established Recovery Time Objectives (RTO)
- Third-Party Risk Management
- Cybersecurity Controls
- Board and Senior Management Oversight
- Regular Simulation Testing
- Incident Reporting to the Regulator
Summary for Malakoff (in the Context of an Operational Resilience Report)
If Malakoff were to submit an Operational Resilience Report (to the Malaysian government, not a central bank), it would likely need to include:
| Component | Details Expected |
| --- | --- |
| Critical Business Services | Identification of key services, e.g., power and water supply, grid balancing |
| Resource Mapping | People, IT systems (SCADA), fuel supply chains, vendors |
| Impact Tolerances | Time-based thresholds for recovery, safety, economic or national impacts |
| Governance | Resilience oversight by senior leadership |
| Testing and Validation | Tabletop, live drills, scenario analysis |
| Third-party Dependencies | Vendors for turbines, fuel, and ICT systems |
| Reporting & Communication | How disruptions will be communicated internally and to the public or authorities |
Which Regulators Matter to Malakoff?
While not a bank, Malakoff reports to regulators such as:
| Regulator | Role |
| --- | --- |
| Suruhanjaya Tenaga (Energy Commission) | Oversees electricity generation and supply resilience |
| Ministry of Energy and Natural Resources | Policy oversight and strategic planning |
| National Security Council (MKN) | Involvement during a national crisis or infrastructure attacks |
| Department of Environment (DOE) | Environmental compliance also affects resilience from natural hazards |
| Bursa Malaysia / Securities Commission | Corporate governance and disclosure expectations |
To summarise:
- Malakoff is not directly regulated under Basel operational resilience frameworks, which are meant for banks.
- However, Malakoff can adopt best practices from Basel/BCBS to enhance its own operational resilience, especially given its role in national infrastructure.
- Regulators such as Suruhanjaya Tenaga and MKN would expect Malakoff to identify critical business services, ensure continuity under disruption, and establish governance, testing, and communications frameworks as part of national resilience efforts.
Summing Up …
This chapter explores how Malakoff Corporation, as Malaysia’s largest independent power and water producer, can strengthen its operational resilience by adopting a structured approach aligned with international regulatory standards.
Operational resilience goes beyond traditional recovery plans—it focuses on the organisation’s ability to prevent, adapt, respond to, and recover from disruptive events while maintaining delivery of critical services.
The chapter outlines how Malakoff can identify and prioritise its Critical Business Services (CBS)—such as power generation, water treatment, and grid support—and map the resources, systems, and third-party dependencies necessary to maintain them during times of stress.
In addition, the chapter examines the role of national regulators, such as the Energy Commission (Suruhanjaya Tenaga) and the National Security Council (MKN), in setting expectations for resilience in the energy sector.
While Malakoff is not governed by central bank frameworks like those of Bank Negara Malaysia, it nonetheless operates within a regulatory environment that increasingly demands resilience in the face of cyber threats, climate risks, and systemic disruptions.
By adopting operational resilience practices—such as setting impact tolerances, conducting scenario testing, and strengthening governance—Malakoff and similar organisations can enhance their readiness and agility to withstand shocks, thereby protecting national infrastructure and public interest.
Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.