[OR] [MBT] [E2] [P1] [S1-S5] [C2] Five Stages of the Plan Phase

The Plan Phase of Metrobank’s Operational Resilience Planning Methodology

Introduction

The “Plan” phase serves as the foundation of Metrobank’s Operational Resilience Framework.

It sets the strategic direction by assessing current capabilities, identifying resilience gaps, formulating a roadmap, confirming risk appetite, and embedding governance structures.

This phase aligns with the Bangko Sentral ng Pilipinas (BSP) guidelines on Operational Resilience: Strengthening Financial Stability in the Philippines (2024), which emphasise the need for financial institutions to proactively identify, prepare for, and adapt to operational disruptions while maintaining critical business services (CBS).

Metrobank’s planning approach ensures that resilience is not merely a compliance exercise but an integrated aspect of enterprise-wide risk management and governance.

Stage 1: Assess Capability and Maturity

[Plan Phase – Stage 1]

Objective

Evaluate the current level of Metrobank’s operational resilience capabilities across people, process, technology, data, and third-party dependencies.

Implementation Summary

Metrobank begins this stage by conducting a Resilience Maturity Assessment across all business units, focusing on how well critical business services (CBS) can withstand disruptions.

This involves using the Resilience Capability Maturity Model (RCMM), which assesses domains such as incident response, business continuity, ICT resilience, and third-party risk management.

Example Implementation

• People: Review staff awareness and training on resilience procedures.
• Process: Evaluate the adequacy of business continuity and crisis management plans.
• Technology: Assess system redundancy, data backup, and recovery capabilities.
• Third Parties: Evaluate resilience dependencies on outsourced providers such as payment processors and IT service vendors.

BSP Compliance Reference

As per BSP’s guidelines, Metrobank must maintain “adequate capabilities to anticipate, withstand, respond to, and recover from operational disruptions.”

This assessment ensures compliance with Section 3: Resilience Capability and Readiness, which requires banks to regularly evaluate resilience performance metrics.

Stage 2: Analyse Gap

[Plan Phase – Stage 2]

Objective

Identify gaps between current resilience maturity and BSP-mandated resilience expectations, with a focus on areas that affect the continuity of critical business services.

Implementation Summary

Metrobank conducts a Gap Analysis comparing the results from Stage 1 against BSP’s resilience requirements and internal policy standards.

Gaps are categorised as strategic, process-related, or technical to prioritise actions effectively.

Example Implementation

• Identify CBS that lack alternate processing arrangements.
• Highlight data centres with single points of failure.
• Detect insufficient monitoring or escalation procedures for outsourced operations.
• Review alignment of Metrobank’s existing BCM framework with BSP Circular No. 808 (IT Risk Management) and Circular No. 1122 (Operational Risk Management).

BSP Compliance Reference

BSP emphasises holistic gap identification under Section 4: Risk and Control Assessment, requiring banks to determine resilience vulnerabilities that could cause intolerable harm to customers or the financial system. Metrobank integrates this by mapping gaps directly to regulatory expectations.

Stage 3: Develop Strategy and Roadmap

[Plan Phase – Stage 3]

Objective

Define a comprehensive Operational Resilience Strategy and Implementation Roadmap to address identified gaps and strengthen resilience capabilities across all CBS.

Implementation Summary

Metrobank’s strategy development focuses on embedding resilience into existing risk management frameworks, aligning with business objectives, and securing senior management endorsement.

The Resilience Roadmap outlines key milestones, ownership, funding requirements, and performance indicators.

Example Implementation

• Define target maturity levels for each CBS based on each individual's risk tolerance.
• Prioritise initiatives such as establishing alternate data centres, enhancing cyber recovery protocols, and conducting integrated resilience exercises.
• Develop a three-year roadmap with quarterly progress checkpoints tied to operational resilience KPIs.

BSP Compliance Reference

This aligns with Section 5: Resilience Strategy and Planning, which requires a strategic approach for embedding resilience and mandates senior management oversight to ensure the strategy reflects the bank’s overall risk appetite and business continuity goals.

Stage 4: Confirm Risk Appetite

[Plan Phase – Stage 4]

Objective

Validate and document Metrobank’s Operational Resilience Risk Appetite, particularly its tolerance for disruption of critical business services.

Implementation Summary

Metrobank defines its Impact Tolerances—the maximum acceptable level of disruption to each CBS before intolerable harm to customers or the market occurs.

These tolerances are measured in terms of time, transaction volumes, or customer impact.

Risk appetite statements are approved by the Board Risk Oversight Committee (BROC) and integrated into Metrobank’s Enterprise Risk Management (ERM) framework.

Example Implementation

• For CBS, such as “Digital Payments and Fund Transfers,” the impact tolerance may be set at 2 hours of downtime.
• Conduct scenario-based stress testing to validate whether current systems can meet these tolerances under simulated disruptions.

BSP Compliance Reference

The BSP guidelines require FIs to “set impact tolerances for each critical business service and integrate these into enterprise-level risk appetite statements.”

This ensures that Metrobank’s resilience objectives are quantifiable and board-approved, as required in Section 6: Impact Tolerance and Risk Appetite.

Stage 5: Develop and Embed Governance

[Plan Phase – Stage 5]

Objective

Establish a governance structure that ensures sustained oversight, accountability, and continuous improvement of Metrobank’s operational resilience framework.

Implementation Summary

Metrobank establishes an Operational Resilience Governance Committee (ORGC) that reports to the Risk Management Committee and the Board of Directors.

Roles and responsibilities are clearly assigned across the Chief Risk Officer (CRO), Chief Information Officer (CIO), and Business Continuity Management Office (BCMO).

Governance policies also ensure periodic reporting, tracking of resilience metrics, and integration with audit and compliance functions.

Example Implementation

• Introduce a Resilience Dashboard reporting monthly to the Board.
• Establish Key Resilience Indicators (KRIs) tied to impact tolerances and performance metrics.
• Mandate annual review of operational resilience frameworks and third-party dependencies.

BSP Compliance Reference

As outlined in Section 7: Governance and Oversight, BSP mandates that “the Board and Senior Management bear ultimate accountability for operational resilience.” Metrobank’s governance framework ensures sustained board engagement and clear escalation channels for resilience risks.

Through the five stages of the “Plan” phase—Assessing Capability, Analysing Gaps, Developing Strategy, Confirming Risk Appetite, and Embedding Governance—Metrobank establishes a strong foundation for achieving operational resilience.

This structured approach ensures complete alignment with BSP’s regulatory expectations and demonstrates Metrobank’s commitment to protecting customer trust, maintaining financial stability, and ensuring uninterrupted delivery of critical business services.

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.