Assess Capability and Maturity
(Part of the “Plan” Phase in Operational Resilience for Metrobank)
Introduction
In the increasingly complex and interconnected banking environment, operational resilience is not merely a compliance exercise—it is a cornerstone of sustaining customer trust, business continuity, and systemic stability.
For Metrobank, operating in the Philippines under the supervision of the Bangko Sentral ng Pilipinas (BSP), assessing its current capability and maturity is a critical step within the “Plan” phase of the Operational Resilience Planning Methodology.
This chapter outlines Metrobank's approach to the “Assess Capability and Maturity” step, details the implementation steps with illustrative examples, and aligns them with BSP’s “Guidelines on Operational Resilience.”
By performing a robust assessment, Metrobank will clearly understand its readiness to deliver critical operations through disruptions, identify gaps, and prioritise enhancements. The output of this phase will form the baseline and drive the rest of the operational resilience programme.
Establish the Assessment Framework
Implementation Steps:
Define the scope of assessment
- Metrobank should begin by defining what aspects of operational resilience will be assessed: governance, people, processes, technology, third-party dependencies, and culture.
- For example: Determine whether the assessment covers only the domestic Philippines operations, or group‐wide (if Metrobank has foreign branches or subsidiaries) — the BSP guideline expects solo and group-wide frameworks.
Select the maturity model and capability domains
- Choose or tailor a maturity model (e.g., 1–5 scale: Initial, Managed, Defined, Quantitatively Managed, Optimising).
- Identify capability domains relevant to Metrobank’s operational resilience — e.g., Critical Operations Identification, Tolerance Setting, Interconnection Mapping, Risk Management, Testing & Exercises, Incident Response, Continuous Improvement.
Define assessment criteria and metrics
- For each domain, define criteria (qualitative descriptions) and measurable indicators (quantitative where possible).
- Example: For “Testing & Exercises”, criteria may include “frequency of exercises”, “types of scenario coverage”, and “board‐level reporting of outcomes”.
- What constitutes “mature”? For example, exercises covering cross‐unit, third-party dependencies and varying durations, with root-cause analysis and lessons learned being fed back into the framework.
Secure board and senior management endorsement
- As per BSP guidelines, the board of directors is responsible for oversight, and senior management must implement and ensure capability assessment and reporting.
- Metrobank’s Board must approve the assessment framework; Senior Management must allocate resources, define the schedule and ownership.
Example in Metrobank Context:
Metrobank’s Operational Risk Committee (ORC) agrees to adopt a maturity model across seven domains of resilience.
A baseline kick-off meeting is held where the Head of Operational Risk presents the framework to Senior Management and obtains formal approval.
Metrobank decides that both the head-office operations in Makati and its major provincial branches will be included in the assessment scope.
Conduct Capability & Maturity Assessment
Implementation Steps:
Data collection (self-assessment, interviews, documentation review)
- Distribute questionnaires to business units, risk, compliance, IT, third-party management, etc.
- To validate questionnaire responses, conduct interviews with key process owners (e.g., payments operations, ATM network, mobile-banking platform).
- Review existing documentation: business continuity plans (BCPs), incident logs, third-party outsourcing contracts, previous internal audit findings, and key risk indicators (KRIs) on operational disruptions.
Evaluate current state against criteria
- For each domain and sub-domain, score the current maturity level.
- Identify strengths (e.g., robust BCP in the head office) and weaknesses (e.g., lack of mapped dependencies on third-party cloud service providers).
- For instance, in the “Interconnection Mapping” domain, Metrobank might find that while system dependencies are documented, upstream third‐party vendor dependencies (and their outsourcers) are not fully mapped.
Benchmarking and peer-analysis (where applicable)
- If available, Metrobank may compare its maturity with that of peer banks (though data may be limited).
- Alternatively, use BSP’s Self‐Assessment Questionnaire (SAQ) as a reference.
Gap analysis and prioritisation
- Document the gap between the current state and the target (or “desired”) state for each capability domain.
- Prioritise gaps based on factors such as risk exposure, criticality of operations impacted, regulatory urgency, and cost-benefit.
- Example: If Metrobank identifies that its tolerance‐for-disruption metrics are undefined for its mobile-banking platform, and that platform is critical, then this gap is a high priority.
Report to Senior Management and Board
- Prepare a report that summarises current maturity, key gaps, risk implications, and recommended next steps.
- The board must review and approve the findings and the prioritised action plan, aligning resource allocation.
Example in Metrobank Context:
During the assessment, Metrobank finds that while BCP testing for branch operations is conducted annually, stress tests for cyber-induced disruption on mobile and internet banking are missing.
The maturity score for “Testing & Exercises” is rated “2 – Managed” instead of the target “4 – Quantitatively Managed”.
As a result, Metrobank prioritises designing and implementing cross‐channel cyber disruption exercises within 12 months.
Assess Alignment with BSP Compliance Requirements
Implementation Steps:
Map assessment domains against BSP’s operational resilience key elements
- The BSP guidelines list key elements such as: governance structure; determining critical operations, tolerance for disruption, severe but plausible scenarios; mapping interconnections & interdependencies; planning and managing risks; testing; response & recovery; review and update.
- Metrobank should map each maturity domain to one or more of these key elements, ensuring no compliance gap remains.
Identify specific compliance requirements applicable to Metrobank
- For example:
  - The guidelines apply to all BSP-supervised financial institutions (BSFIs) on a solo and group basis.
  - Board and Senior Management responsibilities.
  - Requirement to set tolerance for disruption and document severe but plausible scenarios (e.g., “Big One” earthquake + cyber-attack).
  - Mapping of interconnections, including outsourced services and service providers and their sub-tiers.
  - Business continuity management (BCM) and testing must cover critical operations and severe but plausible scenarios.
  - Incident response plan including a catalogue of officers/personnel, internal/external communication, and classification of events.
  - Reporting and notification: BSFIs must notify the appropriate supervising department of BSP within 24 hours if the incident response plan for critical operations is activated.
  - Disclosure: BSFIs must include in their annual report their approach to operational resilience (and by extension their maturity).
Evaluate Metrobank’s status vis-à-vis compliance
- For each requirement, check whether Metrobank is fully compliant, partially compliant, or non-compliant.
- Example: Metrobank may have defined some severe but plausible scenarios (e.g., typhoon impact), but may not yet include a coordinated cyber-attack + branch outage scenario, hence partially compliant.
Incorporate compliance findings into the maturity gap analysis
- Mark gaps that pose regulatory non-compliance separately—these should receive high priority in the action plan.
- Example: If Metrobank does not currently have a board‐approved criterion for identifying critical operations (as required by BSP), then this is a compliance gap.
Prepare a compliance report for the Board
- Summarise Metrobank’s level of alignment with BSP guidelines, highlight areas of regulatory risk and the remediation plan.
- Ensure that Senior Management commits to timelines, resource allocation, and monitoring of progress.
Example in Metrobank Context:
Metrobank maps its current state: The Board has oversight of Operational Risk, but no specific board committee dedicated to operational resilience (governance domain).
The BSP requirement for board oversight and three lines of defence for resilience is not fully met.
This gap is flagged as high priority. In addition, Metrobank has no formal annual disclosure in the annual report of its resilience approach—another compliance gap.
Define Target Maturity and Roadmap for Improvement
Implementation Steps:
Set target maturity levels per domain
- E.g., within 24 months, Metrobank targets “4 – Quantitatively Managed” in “Critical Operations Identification” and “3 – Defined” in “Mapping Interconnections & Dependencies”.
- Ensure targets are realistic, linked to the risk profile and size of operations.
Develop an improvement roadmap with initiatives, timelines, and owners
- For each domain and gap: define specific initiatives, the responsible business unit, budget/resource, and timeline.
- Example: Initiative “Define and document Metrobank’s tolerance for disruption per critical operation” – Owner: Operational Risk; Timeline: Q1–Q3 next year; Budget: PHP X.
- Another initiative: “Conduct cross-channel cyber-disruption exercise” – Owner: IT Risk; Timeline: Q2 next year.
Prioritise initiatives by risk, regulatory urgency, and inter-dependencies
- Use a prioritisation matrix (e.g., high or regulatory risk versus low risk).
- Compliance gaps flagged earlier (e.g., board committee, annual disclosure) should be “urgent”.
Integrate into enterprise planning and monitor progress
- Ensure the roadmap is part of Metrobank’s enterprise risk management (ERM) plan and is tracked via a KRI/KPI dashboard.
- Senior management should review roadmap progress periodically (e.g., quarterly) and report to the Board.
Define a measurement and tracking framework
- Set indicators: e.g., number of critical operations identified, time to restore critical operations (during exercises), number of vendor dependencies mapped, percentage of business units completing maturity assessment.
- Use dashboards and heatmaps to show progress.
Example in Metrobank Context:
Metrobank sets target maturity: “By the end of 2026, all critical operations will have defined disruption-tolerance metrics, documented third-party chain dependencies, and tested at least one severe cyber scenario involving branch closure.”
A three-year roadmap is developed: Year 1 focuses on governance, critical operations identification and tolerance‐setting; Year 2 on mapping, outsourcing, and testing; Year 3 on embedding lessons learned, continuous improvement and disclosure.
Senior Management receives quarterly status updates at the Risk & Audit Committee meeting.
Review and Validate Assessment with Stakeholders
Implementation Steps:
Engage key stakeholders for validation workshops
- Conduct workshops with business lines, IT, operations, third-party management, compliance, internal audit, and risk to review findings, maturity scores, gaps, and proposed roadmap.
- This fosters buy-in and helps refine the assessment (e.g., correct any misunderstandings or missing data).
Validate maturity ratings and prioritisation with senior management
- Senior management should review the maturity assessment and agree on ratings, targets, and roadmap priorities.
- Adjust based on input from Senior Management and Board feedback.
Obtain Board approval of assessment results and roadmap
- Prepare a Board presentation summarising: current capability/maturity state, regulatory compliance status (BSP alignment), key gaps, target maturity, improvement roadmap, resource implications.
- The board approves the roadmap and emphasises management accountability.
Communicate assessment results broadly within Metrobank
- Inform business units and relevant stakeholders of findings, the roadmap, and their role in execution.
- Raise awareness that operational resilience is a bank-wide endeavour, not only a risk function task.
Embed into governance and performance management
- Align KPIs and incentives where appropriate (e.g., business unit heads may have resilience-related objectives).
- In the internal audit plan, include periodic check‐ins on the progress of the roadmap and maturity improvements.
Example in Metrobank Context:
Metrobank convenes a half-day resilience workshop with operations, IT, compliance and vendor management units. They walk through the maturity assessment results and gaps.
Based on feedback, the roadmap is updated (e.g., vendor dependency mapping initiative timeline advanced). The Board formally approves the roadmap at its next meeting and resolves that the Risk & Audit Committee will receive quarterly updates.
Business unit heads are informed that one KPI for next year is “% of key vendor dependencies identified and mitigation plans in place”.
Establish Continuous Monitoring and Maturity Review Cycle
Implementation Steps:
Implement key performance and maturity indicators
- Set up dashboards to track progress: e.g., “% of critical operations with defined tolerance”, “# of inter-dependency maps completed”, “# of testing exercises conducted”, “time to restore critical operations in exercise”.
- Link to risk appetite and ensure escalation if indicators cross thresholds.
Schedule periodic maturity reassessments
- At least annually, Metrobank should reassess maturity per domain, compare with the prior year, and update targets and roadmap accordingly.
- Also trigger reassessments when there is a material change in business model, technology, or regulatory environment. The BSP guideline emphasises that the operational resilience framework must be dynamic.
Incorporate lessons learned from exercises, incidents and audits
- Use findings from testing, actual disruptions, internal audits or regulatory reviews to recalibrate maturity levels and adjust improvement plans.
Board and Senior Management review
- At each review, Senior Management reports to the Board on progress, changes in target maturity, new gaps, and resource requirements.
- Board revisits risk appetite and tolerance for disruption as needed.
Report to regulators/disclosures
- Metrobank must meet BSP’s disclosure requirement: include an overview of its operational resilience approach in the annual report.
- Additionally, any activation of the incident response plan for critical operations must be notified to BSP within 24 hours.
Example in Metrobank Context:
Metrobank implements a quarterly dashboard visible to senior management showing key resilience metrics. A full maturity reassessment is scheduled for Q4 of the following year.
When the annual cyber-disruption test is executed, root-cause findings reveal a weakness in vendor communication during the incident — this is captured in the next roadmap update.
The Board receives a progress memo each quarter, and in the annual report, Metrobank dedicates a section summarising its resilience framework and key initiatives.
The “Assess Capability and Maturity” chapter marks a pivotal step in Metrobank’s operational resilience journey.
Through systematic establishment of an assessment framework, rigorous evaluation of the current state, alignment with the BSP’s operational resilience guidelines, definition of target maturity and roadmap, stakeholder validation, and continuous tracking, Metrobank builds the foundation for resilience by design—not merely resilience by reaction.
By doing so, Metrobank not only positions itself to withstand and recover from disruptions (whether natural disasters, cyberattacks, or third-party vendor failures) but also demonstrates to regulators, customers, and the broader financial ecosystem its commitment to delivering critical operations reliably.
This baseline of capability and maturity empowers the bank to move into subsequent phases of the Operational Resilience Planning Methodology with confidence and clarity.
Part of “Building Resilient Banking Operations: The Metrobank Operational Resilience Implementation Guide”, “Plan” Phase of the Operational Resilience Planning Methodology.
Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.