Risk · Resilience · Cyber · Change

Independent risk assurance & senior judgement.

Across APAC and the Middle East, regulated institutions are not struggling with a lack of frameworks, policies, or controls. They are struggling with a harder question:

"If we are challenged today, will our position stand up clearly, consistently and confidently?"

ORP2b at a glance
75% · Repeat business from regulated clients
350+ · Domain experts across 20+ countries
24hr · Turnaround on engagement scoping
15+ · Years in practice · founded Singapore 2011
Independent Assurance · FEAT Principles · Operational Resilience · MAS Notice 655 · AI Risk & Governance · DORA · Technology Risk · BCBS 239 · Cyber Security · CBUAE · Third Party Risk · Senior Judgement · Defensibility Under Scrutiny · NACSA Direction 8 & 9

The challenge is defensibility under scrutiny.

"ORP2b provides independent, senior-led assurance to help leadership determine — what is defensible today, where exposure exists despite artefacts, what actions are proportionate, necessary, and owned."

Our approach is judgement-led, independent, and platform-agnostic. Delivered with domain and senior-led accountability. The scope of what we do is focused and time-boxed.

We are not a framework factory. We do not produce policy for its own sake. We tell leadership what will stand up — and what won't.

01
"If a serious cyber incident occurs, will our cyber risk posture withstand regulatory review, audit challenge, and board scrutiny?"
Cyber & Technology Risk Assurance
Regulatory defensibility of cyber posture · clarity of ownership and escalation · Technology Risk COE
02
"If a major disruption occurs, are our resilience claims credible and defensible across entities and markets?"
Operational Resilience Readiness
Critical process mapping · impact tolerances · governance and execution readiness · BCM-DR
03
"Which outsourcing or third-party arrangements would expose us if challenged today?"
Third-Party Risk & Outsourcing
Critical dependencies · accountability gaps · regulatory defensibility of outsourcing posture
04
"Are we securing the right outcomes from our transformation and change management initiatives?"
Change Management & QA
Governance and Quality Assurance · Project & Programme delivery · Transformation & Change

Risk. Resilience.
Cyber. Change.

ORP2b delivers across four interconnected domains — each with advisory, experts for hire, training, and niche products available alongside assurance work. All delivered through a flexible, platform-agnostic model.

Operational Resilience & GRC
  • ERM, NFRM, ORM frameworks
  • Process risk & governance
  • Third party & supply chain
  • BCP / DR / Crisis management
  • Scenarios & stress testing
  • AI risk & governance
  • Compliance & assurance
  • Continuous controls monitoring
IT & Cyber Security
  • Technology risk
  • VAPT
  • Cloud security
  • Information security
  • SOC
  • Identity & access management
  • Threat & risk assessment
  • Maturity assessments
Transformation & Change
  • Transformation strategy
  • Project / programme management
  • Quality assurance
  • Testing & reliability engineering
  • Business process reengineering
  • Front-to-back delivery
Learning & Products
  • Skills assessment & training design
  • Certifications & performance
  • Change management & culture
  • ERM-ORM-GRC solution
  • Cyber GRC & VAPT products
  • Testing automation & reliability
  • Client lifecycle management
Assurance & Advisory
Independent validation, senior-led reviews, regulatory defensibility assessments — Lane A ORP2b-led engagements
Experts for Hire
On-demand access to 350+ curated domain experts matched to scope, seniority, and jurisdiction — flexible and time-boxed
Delivery model
PMO & governance · Build-Operate-Transfer · Managed services · Hybrid, remote, onsite across APAC & Middle East

Boutique independence.
Institutional capacity.

ORP2b operates through a three-layer delivery architecture — so "can you actually staff this?" always has a credible answer, without the overhead structure that dilutes boutique advisory.

Our expert network spans 20+ countries, covering every domain we deliver. Experts are matched to scope, tagged by mode — validator, advisor, implementer — and convened under ORP2b leadership. This is not a staffing pool. It is a curated capability.

350+ · Domain experts globally
20+ · Countries represented
75% · Repeat client rate
Singapore · Malaysia · UAE · Philippines · India · Hong Kong · Kuwait · Saudi Arabia · UK & EU · Australia
Practitioner leadership
Senior-led origination, advisory, and quality control. Every engagement has named practitioner accountability — not a project manager in front of junior resource.
Strategic delivery partnerships
A select number of complementary specialist firms where ORP2b delivers specific scope inside larger engagements — geographic, technical, or sector-specific.
Curated expert network
350+ domain specialists matched to engagement scope. Not a staffing pool — a managed capability that ORP2b convenes, leads, and stands behind.
Partnership credential
Strategic CCP Partner
Cybersecurity Malaysia — recognised national cybersecurity competency partner

What we believe.
Publicly.

A real position forces real refusals. These are views earned through engagement, regulatory observation, and production experience. Each invites disagreement. Below them: the arguments that demonstrate them.

01
Examinability is the real test

Policy is not evidence. Supervisors are increasingly asking institutions to demonstrate their AI and resilience frameworks operate — not merely that they exist. A validation report is the beginning of that demonstration, not the end.

AI Governance
02
AI risk is NFRM

Firms treating AI risk as a separate domain will fail convergent supervision. It belongs inside NFRM, operational resilience, and ICT risk — not outside them. The frameworks already exist. The discipline is applying them to AI.

Non-Financial Risk
03
Validation is the missing capability

Independent validation and challenge of AI and risk frameworks is the gap most regulated institutions have — and the one regulators will close next. Building that capability internally takes years. Independent assurance earns time while it is built.

Assurance
04
Supervisory speed is the new speed

Regulatory clocks have outrun quarterly consulting cycles. Institutions that cannot match regulator cadence — on AI, on resilience, on technology risk — will lose the initiative. Firms running six-month engagement cycles compound that problem.

Regulatory
Published arguments

Join the expert network.

ORP2b's delivery capacity operates through a curated network of senior practitioners — mobilised per engagement for specific technical or domain depth. This is not a staffing pool. It is a convened capability that ORP2b leads and stands behind.

If you are a senior practitioner in any of the domains below and would consider project-based collaboration, we would like to hear from you.

Domains we are building in
Non-Financial Risk · Operational Resilience · AI Risk & Governance · Model Validation · Technology Risk · Cyber Security · BCBS 239 / Data Risk · VAPT · Third Party Risk · Transformation QA · FRAML · BCM / DR
What engagement looks like
  • Project-based — discrete engagements matched to your availability and domain
  • ORP2b-led — you deliver the domain expertise; ORP2b holds the client relationship and engagement governance
  • Senior only — we are not building a junior resource pool. Practitioners must be able to operate independently at board or CRO level
  • APAC and GCC — primary geographies are Southeast Asia, UAE, Kuwait, Saudi Arabia and broader MENA
Express interest
Tell us about yourself. If there is a fit, we will follow up directly — no automated responses.

Founded 2011.
Practitioner-led. Independent.

ORP2b was founded in Singapore in 2011 by Rajit Punshi after a 21-year career at Standard Chartered, culminating as Group Head of Operational Risk Policy and Process. Today ORP2b operates as an independent risk assurance and senior judgement firm across APAC and the Middle East — with a curated leadership team and expert network spanning 20+ countries.

75% repeat business · 24hr turnaround · Founded 2011 · CCP Partner — Cybersecurity Malaysia · ORP2bTech Sdn Berhad — Malaysia · NACSA Direction 8 — Active Bid · APAC · Middle East · EU-UK

Our engagements span regulated banks, digital banks, and central bank mandates. The question is always the same: if challenged today by a supervisor, a board, or an auditor — will the institution's position hold? We provide the independent, senior view that helps leadership answer that question honestly.

Rajit Punshi
Founder & Principal

21-year career at Standard Chartered, last role Group Head of Operational Risk Policy & Process. Recognised as one of the "Top 50 Faces of Operational Risk" globally post-GFC. Past Board Member, ORX — the world's largest operational risk data consortium.

Operational Risk · AI Governance · Resilience · Regulatory
Akshaya
CIO & Project Advisor · 25+ years

Senior technology and transformation leader with 25+ years across financial services. Brings Group CIO-level perspective to technology governance, digital transformation, strategic sourcing, and IT outsourcing — from strategy through execution.

Technology Governance · Digital Transformation · IT Outsourcing · Strategic Sourcing
Nilo
Financial Services & Digital · 25+ years

Practitioner with 25+ years across financial services and digital business in Asia. Deep expertise in financial services operations, digital banking, and risk — bringing institutional knowledge of regional market dynamics across Southeast Asia.

Financial Services · Digital Banking · SE Asia · Risk

Our curated expert network covers every domain we deliver — matched to scope, seniority, and jurisdiction. What follows is the skills landscape available across the 350+ practitioners we convene.

Non-Financial Risk & Operational Resilience
ERM / ORM frameworks · NFRM design & validation · RCSA & assurance · Operational resilience · Important business services · Impact tolerance setting · BCP / DR / Crisis management · Scenario & stress testing · Process risk & governance · Third party & outsourcing risk · Supply chain risk · Risk appetite & policy · Internal controls · Fraud risk · Risk culture
Technology Risk & AI Governance
AI risk & governance · Model validation · FEAT readiness · AI model inventories · Technology risk frameworks · ICT risk assurance · BCBS 239 / RDARR · Data risk governance · MAS Notice 655 · DORA compliance · Quantum readiness · Cloud risk · Technology risk COE · Continuous controls monitoring · RegTech & GRC solutions
Cyber & Information Security
Cyber risk assurance · VAPT · Cloud security · Mobile banking security · SOC design & review · Identity & access management · Threat & risk assessment · Cyber resilience · Information security frameworks · NACSA Direction 8 audit · NACSA Direction 9 — post-quantum · CBUAE cyber · Cyber GRC · Virtual CISO · Privacy & GDPR · Security benchmarking
Transformation, Change & Learning
Programme & project management · Quality assurance · Testing & reliability engineering · SDLC assurance · Business process reengineering · Murex & capital markets tech · Digital transformation · Build-Operate-Transfer · COE design · Training design & delivery · Skills assessment · Certifications · Change management & culture · FRAML · Client lifecycle management
Malaysian subsidiary · 100% owned by ORP2b
ORP2bTech Sdn Berhad
Incorporated in Malaysia · Technology Risk, Cyber & AI Governance
BNM — Bank Negara Malaysia · NACSA — Cyber Security Act 2024 · CCP Partner — Cybersecurity Malaysia · Engagements available under ORP2b or ORP2bTech
ORP2bTech Sdn Berhad
In-market presence

ORP2bTech Sdn Berhad is a 100% subsidiary of The Operational Risk Practice Pte. Ltd. (ORP2b), incorporated in Malaysia as the group’s in-market entity for technology risk, cyber assurance, and AI governance under BNM and NACSA frameworks.

For Malaysian regulated institutions, NCII entities, and government procurement, ORP2bTech provides a locally incorporated counterparty — with full backing of ORP2b’s 15-year practitioner depth and 350+ expert network.

BNM regulated · NACSA jurisdiction · CCP Partner · 100% ORP2b subsidiary
NACSA Direction No. 8
Active bid
Cybersecurity Audit — NCII Entities

Direction No. 8 mandates independent cybersecurity audits for all NCII entities at least once every two years under the Cyber Security Act 2024 (Act 854), enforceable from 17 July 2025.

ORP2b audit capability
  • Compliance-based audit against Act 854, NACSA Directives, and sector-specific codes of practice
  • Risk-based audit covering threat modelling, vulnerability assessment, and control effectiveness
  • Technical testing: VAPT, SOC review, identity and access management, cloud security
  • Audit reporting to NACSA Chief Executive within the mandated 30-day completion window
An NCII-designated client has invited ORP2b to bid for Direction 8 audit delivery. NACSA auditor approval will be pursued upon engagement award, with client sponsorship.
NACSA Direction No. 9
Capability ready
Post-Quantum Cryptography Migration

Direction No. 9 mandates that NCII entities provide data to support Malaysia’s national post-quantum cryptography migration programme — covering cryptographic inventory, migration readiness, and quantum risk exposure.

ORP2b capability
  • Cryptographic inventory assessment and classification of quantum-vulnerable systems
  • Quantum risk exposure assessment and crypto-agility roadmap development
  • NCII entity data submissions aligned to NACSA Direction 9 reporting requirements
  • Governance framework for post-quantum migration programme oversight
Methodology developed through an active post-quantum cryptography readiness engagement with a Gulf central bank. Directly applicable to NACSA Direction 9 requirements.
AI Risk & Governance
Capability ready
AI Governance Validation & Assurance

BNM’s Responsible AI and NACSA’s emerging AI security requirements create convergent obligations for Malaysian regulated institutions. AI risk sits inside NFRM and technology risk — not outside them.

ORP2b capability
  • AI model inventory, classification, and governance framework validation
  • Independent validation of AI risk frameworks against BNM Responsible AI and FEAT principles
  • Board and senior management examinability assessment — can your AI governance withstand regulatory challenge?
  • AI risk integrated into NFRM, operational resilience, and technology risk frameworks
Active engagements across MAS, CBUAE, and BNM-regulated institutions. AI governance validation is the fastest-growing area of supervisory expectation across ASEAN and GCC.

The conversation earns the engagement.

If you have a risk assurance, resilience, cyber, or transformation challenge — or if you are responding to a supervisory expectation and need an independent view — we would like to hear what it is.

Headquarters
Singapore · ORP2b Pte. Ltd.
Operations
Singapore · Malaysia · UAE
Operating presence
APAC · India · Middle East · EU-UK
