Operational resilience has become a defining priority for Southeast Asia’s banking industry. Since the Basel Committee published its Principles for Operational Resilience in 2021, regional regulators have accelerated efforts to protect customers and maintain financial stability. Along with heightened regulatory scrutiny, banks face growing cyber threats, ecosystem risks, and greater reliance on technology. To succeed, institutions must treat resilience as an organizational priority and create an environment that supports its effective scaling across all levels.
Delays in embedding resilience can lead to regulatory penalties, severe operational failures and reputational damage. Now is the moment for boards, the C-suite, and senior executives to integrate resilience as a core tenet of operations and risk management. Transforming compliance into a strategic advantage will strengthen your institution’s stability, customer confidence, and long-term sustainability in an unpredictable and fast-evolving market.
Five priorities for Southeast Asia banks to achieve operational resilience
Based on our past work with banks in North America, Europe, and Australia, we expect banks to integrate business continuity, IT risk, and third-party risk management into a comprehensive, harmonized approach as regulators in Southeast Asia formalize their own frameworks.
Our report, “Five Priorities For Banks In Southeast Asia To Build Operational Resilience”, draws on extensive conversations with regulators, boards, and C-suite executives across the region. Below we identify five actionable priorities for embedding operational resilience and protecting critical business services against disruption.
Priority 1: Clarify what operational resilience means
Operational resilience is the ability to sustain delivery of critical business services — even during multi-day disruptive events such as third-party outages or cyberattacks. Unlike business continuity management, which aims to restore operations to a pre-disruption state, operational resilience accepts that disruption is inevitable and prioritizes the end-customer and market impact.
Crucially, operational resilience does not replace business continuity management but rather complements it. However, the boundaries between the two often require clarification, especially because many regulatory frameworks integrate both topics into a single set of requirements. Examples include:
- The Australian Prudential Regulation Authority’s (APRA) CPS 230, which combines resilience and business continuity management in its Prudential Standard on Operational Risk Management.
- Monetary Authority of Singapore’s (MAS) Guidelines on Business Continuity Management, which already incorporate operational resilience concepts such as critical business services and customer impact.
- Bank Negara Malaysia’s (BNM) Policy Document on Business Continuity Management, which also adopts many resilience principles within its broader approach.
While these guidelines often bring together the two topics, operational resilience and business continuity management serve distinct objectives, scopes, and success measures.
Priority 2: Define critical business services and set impact tolerances
Every operational resilience journey begins by rigorously identifying critical business services — the core functions that, if disrupted, would materially harm customers or the financial system. Regulators offer guidance but rely on banks to define, scope, and prioritize these services. For example, BNM points to ATM access, digital banking, card payments, call centers, and payment clearing as default “critical” areas.
Not all important services qualify as “critical” under operational resilience. Distinguishing between the two helps prioritize efforts effectively. Common examples include:
- Know your customer onboarding: Key for compliance but short-term disruptions rarely affect customers broadly.
- Internal payroll: Vital for employee morale but delays of several days rarely threaten stability.
- Payments system: Foundational technology, but resilience focuses on how critical services rely on it, not on the system’s resilience itself, which falls under business continuity management frameworks.
Banks often refine definitions to focus on where customer impact occurs. Without this step, services risk being defined too broadly, ambitions become unrealistic, and resilience investments spread too thin. For example, “settlement of payment transactions” sounds straightforward, but requires precision. Does it include all or only large value payments? Domestic and international? All channels or only selected ones? These clarifications are essential for credible, achievable impact tolerances.
Once critical business services are defined, banks must set impact tolerances — thresholds for how much disruption can occur before causing material harm to customers. How these tolerances are then achieved depends on the bank's capabilities.
Two examples illustrate this practice. A UK-based digital bank built a fully independent stand-in platform on a separate provider, ensuring uninterrupted 24/7 payments. By contrast, a US brick-and-mortar bank set a flexible tolerance. In a severe but plausible scenario, by day’s end it processes 85% of payments above $500,000 and 85% of smaller priority payments received before 4:00 pm, using manual backups and reconciliation procedures that supplement automated workflows.
Priority 3: Manage third- and fourth-party risks amid growing reliance on cloud providers
Operational resilience extends far beyond the bank’s walls, reaching a network of external vendors, suppliers, and service providers. Through our work with leading institutions, we have observed four strategies banks are using to manage these dependencies effectively: strengthen due diligence and contracting; minimize concentration risks; understand fourth-party risk; and involve third parties in scenario testing.
Priority 4: Navigate the operational resilience journey
Embedding operational resilience is a two-to-three-year journey, requiring new skills, deeper risk/IT/business integration, and a shift in culture across the bank. Most banks that we have supported on their operational resilience journey have followed a structured five-step process.
From our work with banks, a few key lessons emerge. Delivering business value is crucial, so operational resilience must align with business objectives and risk management rather than being treated merely as compliance. Strong foundations with a clear framework and critical service alignment are also essential to avoid costly setbacks. Starting with a pilot for one or two critical services allows for early adjustments and helps build necessary organizational capabilities. Integrating resilience into the technology roadmap ensures sustainability without immediate transformation. Lastly, fostering a culture that sees resilience as a strategic enabler protects reputation and ensures long-term viability.
Priority 5: Establish clear ownership and governance for resilience success
Effective resilience requires clear accountability. The board sets strategic direction, challenges priorities, and approves plans. Group risk teams coordinate early policy work, but ultimate ownership of each critical business service and its impact tolerance should sit with a senior executive or executive minus one, even if parts of the service are delivered by other divisions. This ensures clear, end-to-end accountability for resilience outcomes.
In banks with a mature Three Lines of Defense framework, some institutions also appoint a Chief Resilience Officer, often within group operations. This role typically coordinates operational resilience activities across the enterprise, while group risk focuses on advisory and assurance responsibilities.
Why banks must strengthen their operational resilience now
Regulatory expectations in Southeast Asia are evolving rapidly, with new requirements and intensified oversight for systemically important banks. As risk complexity grows, only institutions that act now will safeguard market leadership and protect customer trust; they will also enhance stakeholder confidence and better weather future shocks.