The volume of change made in production environments, for example, is correlated against metrics that measure stability and capacity of the operating environment. While production environment changes had risen by 25 per cent in the last few years, Girn said these were appropriate "within context of our risk appetite".
Service quality is also closely measured, in particular the Net Promoter Score (NPS) for RBA's internal service desk.
A barrage of scans
Some 70 per cent of the emails RBA receive are malicious in nature, Girn revealed. The bank's external perimeter is faced with a "barrage" of scans and probes to the tune of a probe every two seconds. Metrics also matter in cyber security too, which is an "inherent dimension of operational resilience".
"It can be tempting to use the many industry surveys to depict the risks and threats in your own environment," Girn said. "This is not often wise. Knowing the heartbeat of your own environment and how it prevents, detects, and responds is a far healthier option in the race towards cyber resilience."
This security posture is backed with fortnightly security intelligence calls with a number of central banks and a biannual gathering of the CIOs of east Asian central banks, Girn said.
Keep on running
With resilience realised, organisations are "fit to run" and then meet the demand to "reimagine and renew", Girn said.
To keep a handle on the potential "sea of projects" happening at any one time, RBA focuses on the top 20 most strategically important ones with regular reports to track progress. They called it their 'Enterprise Master Schedule'.
However "often a smaller project can trip over a larger one, especially when inter-dependencies are misunderstood", Girn said. Independent internal teams conduct quality certifications on live projects and more than 80 per cent of the advice is adopted by projects in the initiate, design and deliver phases. Girn explained: "It's no good getting independent advice, if this is ignored and filed away."
Blockchain beyond discussion
The third imperative - a focus on innovation or 'renewal' - was no longer just a nice to have, Girn said. One approach RBA uses is by running codefests.
"This involves idea generation, an eight-hour coding challenge, demonstrations to prove concepts, a business-judging panel, and winners and ideas being sponsored to the production world," he said.
Last year, the winning entry implemented a capability for simultaneously communicating trade confirmations to counterparties. More recently programmers were set to work on developing a "compelling demonstration" of Blockchain concepts which resulted in a number of viable proof-of-concepts.
"The aim was to go beyond just a discussion of the theoretical uses and actually have some working solutions to debate and discuss," Girn said.
Sign up for CIO Asia eNewsletters.