[OR] [MCB] [E3] [C2] [CBS] Requirement for Identifying CBS

Regulatory Requirements for Identifying CBS as part of a BSN's OR Program

Purpose of the Chapter

The purpose of this chapter is to introduce the concept of operational resilience and explain its relevance to critical infrastructure organisations, using Malakoff Corporation Berhad as a case example.

While operational resilience has its roots in the financial sector—particularly through frameworks such as those developed by the Basel Committee on Banking Supervision (BCBS)—its principles are increasingly applicable to non-financial sectors that deliver essential services.

This chapter aims to help readers understand how organisations like Malakoff can proactively identify vulnerabilities, safeguard critical business services, and ensure continued delivery of essential outputs under conditions of stress or disruption.

To provide a comprehensive response, we need to understand the regulatory context and obligations for Malakoff Corporation Berhad (Malakoff), especially as they relate to Operational Resilience.

However, it's important to clarify the following:

• Malakoff is not a bank; it is an independent water and power producer in Malaysia, listed on Bursa Malaysia.
• Basel operational resilience frameworks, especially those issued by the Basel Committee on Banking Supervision (BCBS), are targeted primarily at financial institutions, especially banks.
• As such, Malakoff is not directly subject to Basel III or BCBS operational resilience frameworks. Instead, they may be subject to sectoral guidelines (e.g. from the Energy Commission (Suruhanjaya Tenaga) or the National Security Council) for critical infrastructure protection and business continuity.

However, assuming you are drawing a parallel for best practices in operational resilience or using Basel guidance as a benchmark for non-banking organisations like Malakoff, here's how we can break this down:

General Requirement for Identifying Critical Business Services (Based on Basel & Global Operational Resilience Standards)

Even for non-banks, when aligning to Basel/BCBS principles for operational resilience, organisations like Malakoff are expected to:

1. Identify Critical Business Services (CBS):

• • Determine which services, if disrupted, would cause significant harm to customers, the economy, or national security.
  • For Malakoff, these could include:
    • Electricity generation and distribution operations
    • Desalination and water treatment services
    • Energy trading platforms

• • Identify people, technology, processes, data, third parties, and facilities supporting each CBS.

• • Define maximum tolerable disruption (e.g., 2 hours of blackout in a high-priority region).
  • Consider reputational, financial, and safety impacts.

• • Test resilience against cyberattacks, power plant failures, climate-related disasters, or supply chain interruptions.

• • Ensure board-level ownership of operational resilience.
  • Regular reporting, oversight, and audit trails.

• • Clear internal and external communication strategies during disruption.

• • Regular reviews, post-incident learning, and updating resilience plans.

What Central Banks Expect (If Malakoff Were a Financial Institution)

Since Malakoff is not a bank, it does not report to central banks like BNM (Bank Negara Malaysia) for operational resilience under Basel. However, if we translate expectations from Bank Negara Malaysia’s Operational Resilience expectations for financial institutions (such as through its Risk Management in Technology (RMiT) and BCP Guidelines), they would typically expect:

1. Formal Identification of Critical Services
2. End-to-End Mapping
3. Established Recovery Time Objectives (RTO)
4. Third-Party Risk Management
5. Cybersecurity Controls
6. Board and Senior Management Oversight
7. Regular Simulation Testing
8. Incident Reporting to the Regulator

Summary for Malakoff (in the Context of an Operational Resilience Report)

If Malakoff were to submit an Operational Resilience Report (to the Malaysian government, not a central bank), it would likely need to include:

Which Regulators Matter to Malakoff?

While not a bank, Malakoff reports to regulators such as:

To summarise:

• Malakoff is not directly regulated under Basel operational resilience frameworks, which are meant for banks.
• However, Malakoff can adopt best practices from Basel/BCBS to enhance its own operational resilience, especially given its role in national infrastructure.
• Regulators such as Suruhanjaya Tenaga and MKN would expect Malakoff to identify critical business services, ensure continuity under disruption, and establish governance, testing, and communications frameworks as part of national resilience efforts.

Summing Up …

This chapter explores how Malakoff Corporation, as Malaysia’s largest independent power and water producer, can strengthen its operational resilience by adopting a structured approach aligned with international regulatory standards.

Operational resilience goes beyond traditional recovery plans—it focuses on the organisation’s ability to prevent, adapt, respond to, and recover from disruptive events while maintaining delivery of critical services.

The chapter outlines how Malakoff can identify and prioritise its Critical Business Services (CBS)—such as power generation, water treatment, and grid support—and map the resources, systems, and third-party dependencies necessary to maintain them during times of stress.

In addition, the chapter examines the role of national regulators, such as the Energy Commission (Suruhanjaya Tenaga) and the National Security Council (MKN), in setting expectations for resilience in the energy sector.

While Malakoff is not governed by central bank frameworks like those of Bank Negara Malaysia, it nonetheless operates within a regulatory environment that increasingly demands resilience in the face of cyber threats, climate risks, and systemic disruptions.

By adopting operational resilience practices—such as setting impact tolerances, conducting scenario testing, and strengthening governance—Malakoff and similar organisations can enhance their readiness and agility to withstand shocks, thereby protecting national infrastructure and public interest.