
Achieving Operational Resilience for Southeast Asian Banks

Finance 2025-09-29 Oliver Wyman Joken Hu

How banks can prepare, adapt, and thrive amid rising risks

Jonas Heckmann, Julian Granger-Bevan, Maksim Ryabukhin, Thomas Garside

Operational resilience is the capability of a bank to continue delivering its critical operations and services during periods of disruption, according to The Basel Committee on Banking Supervision.

Achieving this has become both increasingly challenging and vital. Banks today face a volatile environment marked by escalating cyber threats, technology interdependencies, complex third-party relationships, and potential global disruptions, from pandemics to large-scale technology incidents.

In this context, resilience cannot be treated merely as a compliance obligation. It must be a strategic priority for boards and C-suite executives seeking to protect customers, safeguard reputation, maintain competitiveness, ensure long-term viability, and uphold financial system stability.

Since the Basel Committee published its Principles for Operational Resilience in 2021, regulators worldwide have introduced frameworks with the shared goal of protecting customers and preserving financial stability.

Drawing on global experience, Oliver Wyman has supported more than 15 banks across North America, Europe (including preparations for the Digital Operational Resilience Act [DORA]), and Australia. We expect Southeast Asian banks to follow a similar path as regional regulators formalize their own frameworks, integrating business continuity, IT risk, and third-party risk management into a comprehensive, harmonized approach.

This report draws on extensive conversations with regulators, boards, and C-suite executives across Southeast Asia. It distils their most pressing concerns, challenges, and insights into five critical priorities to help banks meet regulatory expectations, embed resilience at the heart of operations, and strengthen their ability to protect customers and financial stability.

The following sections explore five critical priorities for Southeast Asian banks as they strengthen their operational resilience:

• Clarify what operational resilience means — and how it complements, rather than replaces, business continuity management.
• Define critical business services and set impact tolerances to focus resources where customer and market impact is greatest.
• Manage third- and fourth-party risks amid growing reliance on cloud providers and interconnected ecosystems.
• Navigate the operational resilience journey by learning from global leaders and aligning strategies with regulatory expectations.
• Establish clear ownership and governance to embed accountability across the organization.

PRIORITY 1
CLARIFY WHAT OPERATIONAL RESILIENCE MEANS — AND HOW IT COMPLEMENTS, RATHER THAN REPLACES, BUSINESS CONTINUITY MANAGEMENT

Operational resilience is a capability within a bank’s non-financial risk management framework. It is not neatly tied to any particular risk event;¹ instead, it represents the capability to deliver critical business services — a narrowly defined set of essential services — through severe but plausible disruptions. These are typically events lasting several days, such as a third-party provider failure, a natural disaster, or a prolonged system outage.

Crucially, operational resilience does not replace business continuity management but rather complements it. However, the boundaries between the two often require clarification, especially because many regulatory frameworks integrate both topics into a single set of requirements.

Examples include:

• The Australian Prudential Regulation Authority’s (APRA) CPS 230, which combines resilience and business continuity management in its Prudential Standard on Operational Risk Management
• Monetary Authority of Singapore’s (MAS) Guidelines on Business Continuity Management, which already incorporate operational resilience concepts such as critical business services and customer impact
• Bank Negara Malaysia’s (BNM) Policy Document on Business Continuity Management, which also adopts many resilience principles within its broader approach

While these guidelines often bring the two topics together, operational resilience and business continuity management serve distinct objectives, scopes, and success measures:

PRIORITY 2
DEFINE CRITICAL BUSINESS SERVICES AND SET IMPACT TOLERANCES

DEFINING CRITICAL BUSINESS SERVICES AT THE FIRST LEVEL

A bank’s operational resilience journey begins with defining and aligning on critical business services — the essential services delivered to customers and the wider financial system. Every subsequent decision about resilience, from investments to impact tolerances, flows from this definition.

The Australian Prudential Regulation Authority (APRA) defines critical business services as those that, if disrupted beyond agreed tolerance levels, would cause material harm to customers or the financial system. While regulators leave institutions to determine which services qualify, they offer guidance through “expected lists.” For example, BNM highlights services such as ATM and cash deposit access, online and