
Operational Resilience in Practice: The China Bank Approach

Identify Severe but Plausible Scenarios


In alignment with the expectations of Bangko Sentral ng Pilipinas under Circular No. 1203 Series of 2024 (Operational Resilience Guidelines), financial institutions such as China Bank are required to identify Severe but Plausible Scenarios (SuPS) that could disrupt their Critical Business Services (CBS).

These scenarios must go beyond traditional disaster recovery assumptions and consider extreme yet realistic disruptions, including cyber-attacks, third-party failures, technology outages, and operational breakdowns.

For CBS-1 Deposit and Account Services, the identification of such scenarios ensures that China Bank can assess vulnerabilities across the service lifecycle—from onboarding to transaction processing and reporting—and demonstrate resilience within defined impact tolerances.

The table below outlines recommended severe but plausible scenarios, their potential impacts, proactive risk management actions, and how they integrate with Cyber and ICT Risk Management, consistent with regulatory expectations and BCM Institute guidance.


Moh Heng Goh
Operational Resilience Certified Planner-Specialist-Expert


CBS-1 Retail Deposit & Account Services


Table P5: Identify Severe but Plausible Scenarios for CBS-1

| Sub-CBS Code | Sub-CBS | Severe but Plausible Scenario | Impact / Effect | Proactive Risk Management Action | Link to Integration of Cyber and ICT Risks |
|---|---|---|---|---|---|
| 1.1 | Customer Onboarding and Account Application | Digital onboarding platform outage due to cloud service failure | Inability to onboard new customers; reputational damage | Implement multi-region cloud redundancy; offline onboarding fallback | Cloud resilience, availability monitoring, third-party ICT risk |
| 1.2 | Customer Identification and Verification (KYC/CDD) | Failure of e-KYC vendor or biometric system compromise | Delays in onboarding; regulatory breaches (AML/KYC) | Maintain secondary KYC providers; manual verification procedures | Third-party cyber risk, identity system security |
| 1.3 | Account Approval and Opening | Core banking system approval workflow failure due to system bug | Account opening delays; backlog accumulation | Pre-production testing, automated workflow monitoring | Application resilience, SDLC security controls |
| 1.4 | Initial Funding and Deposit Booking | Payment gateway disruption or settlement system outage | Failed funding transactions; customer dissatisfaction | Integration with multiple payment channels; reconciliation buffers | Payment system cyber resilience, network dependency |
| 1.5 | Product Terms Setup and Account Parameter Maintenance | Unauthorized configuration changes due to privileged access compromise | Incorrect interest rates/fees; financial loss | Enforce privileged access management (PAM), dual controls | Identity access management (IAM), insider threat monitoring |
| 1.6 | Deposit Transactions Processing | Core banking outage during peak transaction period | Transaction delays; inability to process deposits | High-availability architecture; real-time monitoring; failover systems | Core banking resilience, infrastructure redundancy |
| 1.7 | Withdrawal and Funds Access Processing | ATM/POS network outage due to telecom failure or cyberattack | Customers unable to withdraw funds; reputational damage | Multi-network routing; telecom redundancy; cash contingency plans | Network resilience, DDoS protection |
| 1.8 | Account Servicing and Customer Maintenance | CRM system outage or data corruption incident | Inability to update customer records; service delays | Data backup, system replication, periodic integrity checks | Data resilience, backup and recovery controls |
| 1.9 | Interest, Fees, and Charges Processing | Batch processing failure due to system error or data corruption | Incorrect charges; financial discrepancies | Automated reconciliation; batch validation controls | Data integrity controls, processing system monitoring |
| 1.10 | Statement, Passbook, and Balance Reporting | Failure in reporting engine or data warehouse outage | Customers unable to access statements; compliance issues | Secondary reporting systems; data replication | Data warehouse resilience, reporting system security |
| 1.11 | Digital Account Access and Channel Integration | Mobile/online banking platform cyberattack (e.g., DDoS or ransomware) | Service unavailability; customer access disruption | Web application firewall (WAF), DDoS protection, incident response drills | Cyber resilience, application security, SOC monitoring |
| 1.12 | Reconciliation and Exception Management | Reconciliation system failure or delayed batch processing | Financial mismatches; operational risk exposure | Automated reconciliation tools; exception escalation workflows | Data processing resilience, audit trail monitoring |
| 1.13 | Fraud Detection and Transaction Monitoring | AI/AML monitoring system outage or model failure | Increased fraud risk; undetected suspicious transactions | Redundant fraud monitoring systems; manual review escalation | Cyber analytics resilience, AI model governance |
| 1.14 | Regulatory Reporting and Compliance Monitoring | Regulatory reporting system outage or data submission failure | Non-compliance penalties; regulatory sanctions | Pre-submission validation; backup reporting processes | Regulatory system resilience, secure data transmission |
| 1.15 | Incident Response, Business Continuity, and Service Recovery | Major cyberattack (e.g., ransomware) impacting multiple systems | Prolonged service outage; systemic operational disruption | Enterprise incident response plan; regular DR testing; cyber recovery strategy | Integrated cyber and BC/DR planning, SOC and CERT coordination |


The identification of Severe but Plausible Scenarios for CBS-1 Deposit and Account Services enables China Bank to shift from a reactive to a proactive operational resilience posture.

By systematically analysing disruptions across people, process, technology, and third-party dependencies, the bank can ensure that its critical services remain within defined impact tolerances, even under extreme stress conditions.

Consistent with Bangko Sentral ng Pilipinas guidelines, the integration of Cyber and ICT risks into each scenario is essential, reflecting the increasing convergence of operational resilience and cyber resilience.

Ultimately, these scenarios form the foundation for scenario testing, resilience validation, and continuous improvement, ensuring that China Bank can sustain trust, maintain regulatory compliance, and deliver uninterrupted services to its customers in times of crisis.
