[OR] [BC] [E2] [C1] OR Planning Methodology

eBook 2: Chapter 1

Introduction to the Operational Resilience Planning Methodology for Bank of Commerce

Introduction

For Bank of Commerce, operational resilience is not a one-time initiative but a structured and evolving capability that enables the Bank to continue delivering critical business services despite disruptions.

In line with regulatory expectations such as BSP Circular No. 1203 and global best practices, Bank of Commerce adopts a three-phase Operational Resilience Planning Methodology—Plan, Implement, and Sustain—to systematically build, operationalise, and embed resilience across the organisation.

This methodology ensures that resilience is developed through a logical progression: first, by understanding current capabilities and defining a strategic direction; then, by operationalising resilience at the level of critical business services; and finally, by embedding resilience into the organisation’s culture, governance, and continuous improvement processes.

Purpose of the Chapter

The purpose of this chapter is to provide a structured overview of the three phases of the Operational Resilience Planning Methodology adopted by Bank of Commerce. It aims to:

• Explain the sequence and interrelationship between the Plan, Implement, and Sustain phases
• Clarify the objectives and expected outcomes of each stage within the methodology
• Prepare stakeholders to apply a consistent and disciplined approach to operational resilience
• Establish a common framework that aligns business, risk, and technology functions

By the end of this chapter, readers will understand how the methodology translates operational resilience from a conceptual requirement into a practical, organisation-wide capability.

Overview of the Three Phases of Operational Resilience Planning Methodology

The Operational Resilience Planning Methodology for Bank of Commerce is structured into three integrated phases:

• Phase 1: Plan – Establishing the foundation, direction, and governance for resilience
• Phase 2: Implement – Operationalising resilience across critical business services
• Phase 3: Sustain – Embedding resilience into organisational culture and continuous improvement

Each phase consists of five stages, ensuring a comprehensive and systematic approach.

Phase 1: Plan – Establishing the Foundations

The Plan phase focuses on understanding the Bank’s current resilience posture, identifying gaps, and defining a structured roadmap aligned with strategic objectives and regulatory expectations.

Stage 1: Assess Capability and Maturity

This stage evaluates the Bank’s current operational resilience capabilities across business continuity, IT disaster recovery, cyber resilience, and risk management. Maturity assessments help identify strengths and weaknesses relative to industry standards and BSP expectations.

Stage 2: Analyse Gap

Following the assessment, gaps between current capabilities and desired resilience outcomes are identified.

These gaps may relate to governance, processes, technology, third-party management, or readiness for scenario testing.

Stage 3: Develop Strategy and Roadmap

A multi-year operational resilience strategy is developed, supported by a prioritised roadmap.

This includes defining key initiatives, milestones, resource requirements, and timelines to close identified gaps.

Stage 4: Confirm Risk Appetite

The Bank defines its tolerance for disruption and aligns resilience objectives with its overall risk appetite. This ensures that resilience decisions are consistent with business priorities and regulatory expectations.

Stage 5: Develop and Embed Governance

A formal governance structure is established, including roles, responsibilities, escalation protocols, and oversight mechanisms. This ensures accountability and alignment across all business units and functions.

Phase 2: Implement – Operationalising Resilience

The Implement phase translates strategy into action by focusing on the Bank’s critical business services and ensuring their resilience through detailed analysis, testing, and improvement.

Stage 1: Identify Critical Business Services

The Bank identifies services whose disruption would cause significant harm to customers or the financial system. These services become the focal point for resilience planning and investment.

Stage 2: Map Processes and Resources

Each critical business service is mapped to its supporting processes and resources, including people, technology, facilities, and third-party providers. This mapping highlights interdependencies and potential points of failure.

Stage 3: Set Impact Tolerance

The Bank defines the maximum acceptable level of disruption for each critical business service.

This may include metrics such as maximum tolerable downtime, transaction-impact thresholds, and customer-impact levels.

Stage 4: Conduct Scenario Testing

Severe but plausible scenarios—such as cyberattacks, system outages, or natural disasters—are tested to evaluate the Bank’s ability to remain within defined impact tolerances. This stage validates resilience capabilities and identifies weaknesses.

Stage 5: Improve Lessons Learned

Insights from scenario testing and real incidents are analysed and used to strengthen processes, controls, and recovery strategies. Continuous improvement ensures that resilience capabilities evolve in response to emerging risks.

Phase 3: Sustain – Embedding and Enhancing Resilience

The Sustain phase ensures that operational resilience becomes an integral part of the Bank’s culture, decision-making, and day-to-day operations.

Stage 1: Introduce Cultural Change

Resilience is embedded in organisational values and behaviours.

Leadership promotes a resilience mindset, encouraging proactive risk identification and accountability across all levels.

Stage 2: Develop Communication Strategy

Clear communication protocols are established for internal and external stakeholders during both normal operations and disruptions.

This includes crisis communication and stakeholder engagement strategies.

Stage 3: Implement Training and Awareness

Regular training programmes and awareness initiatives are conducted to ensure that employees understand their roles in maintaining resilience and responding to disruptions.

Stage 4: Provide Self-Assessment

Business units conduct periodic self-assessments to evaluate their resilience capabilities, identify gaps, and ensure alignment with organisational standards and regulatory expectations.

Stage 5: Conduct Independent Quality Review

Independent reviews, such as internal audits or external assessments, validate the effectiveness of the operational resilience framework and ensure continuous compliance and improvement.

The three-phase Operational Resilience Planning Methodology—Plan, Implement, and Sustain—provides Bank of Commerce with a structured and comprehensive approach to building resilience.

By progressing from foundational planning to operational execution and continuous improvement, the Bank ensures that its critical business services remain resilient in the face of evolving risks.

This methodology not only supports regulatory compliance but also strengthens the Bank’s ability to deliver consistent, reliable services to its customers.

Ultimately, it transforms operational resilience from a regulatory requirement into a strategic capability that enhances trust, stability, and long-term sustainability.

Blogs marked [x] are under construction.

For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.