Building Resilient Banking Operations: The Metrobank Operational Resilience Implementation Guide

[OR] [MBT] [E2] [P1] [S2] [C4] Analysing Gaps


In the dynamic Philippine financial environment where digitalisation, frequent natural disasters, cyber threats and global disruptions are ever-present, the ability of a financial institution such as Metrobank to deliver its critical operations without failure is fundamental not only for its business sustainability but also for wider financial system stability.

For its Operational Resilience Planning Methodology, Metrobank now enters the Analyse Gap stage — that is, assessing where the bank’s current state falls short of the required resilience standard, and identifying the gap between where it is today and where it needs to be.


Moh Heng Goh
Operational Resilience Certified Planner-Specialist-Expert


Analyse Gap

(Part of the “Plan” Phase in Operational Resilience for Metrobank)

Introduction


In this chapter, we will:

  • Review the regulatory and supervisory requirements imposed by the Bangko Sentral ng Pilipinas (BSP) on operational resilience, and how they apply to Metrobank;
  • Lay out the practical steps Metrobank should follow in the Analyse Gap stage;
  • Provide concrete examples of implementation tailored to Metrobank’s operations; and
  • Conclude by summarising how the gap-analysis phase positions Metrobank to advance to the next stage in the Plan phase.

By doing so, Metrobank will build a robust, regulator-aligned operational resilience framework that encompasses identifying critical operations, mapping interdependencies, risk measurement, testing gaps, and remedial planning.

Regulatory/Compliance Requirements – BSP Guidelines on Operational Resilience

Before performing a gap analysis, Metrobank must understand the regulatory baseline.

The BSP has issued guidelines (notably via Circulars and amendments to the Manuals of Regulations for Banks (MORB) / Manual of Regulations for Non-Bank Financial Institutions (MORNBFI)) that set out key elements of operational resilience for BSP-supervised financial institutions (BSFIs).

The key elements of the guidelines include:

  1. Governance structure – The Board of Directors must approve the operational resilience framework; senior management must implement it; the three lines of defence (business operations/first line, risk & compliance/second line, internal audit/third line) must be clearly defined.
  2. Determine critical operations, tolerance for disruption, and severe but plausible scenarios – Banks must identify which functions/processes/services are “critical operations” (i.e., their disruption would cause material harm to the institution, customers, or financial system). They then set a tolerance for how much disruption is acceptable, and define the severe but plausible scenarios (e.g., major cyberattacks and natural disasters) against which resilience is tested.
  3. Map interconnections and interdependencies – The institution must map how critical operations are delivered end-to-end, including dependencies on people, processes, systems, third parties, and external infrastructure.
  4. Plan and manage risks to delivery of critical operations – Leverage risk management frameworks (operational risk, ICT/technology risk, third-party risk) to support critical operations resilience; ensure due diligence on service providers; assess change management; evaluate public infrastructure dependencies.
  5. Test ability to deliver critical operations amidst disruption – Integrate business continuity management (BCM) with the resilience framework; conduct exercises/scenarios; test ICT processes, incident response, and recovery strategies.
  6. Respond to and recover from disruption – Incident response plans, roles and responsibilities, clear escalation, communication, and structural arrangements for when disruption occurs.
  7. Review, refine, and update the framework – Continuously update the resilience framework to align with the business model, risk appetite, tolerance for disruption, and changing threats.
  8. Reporting and notification – Banks must include an overview of their operational resilience approach in their annual reports. Additionally, the BSP must be notified (within 24 hours) when the incident response plan for critical operations is activated.

For Metrobank, this means aligning its gap analysis against internal business requirements and ensuring compliance with the BSP’s expectations.

Implementation Steps for the Analyse Gap Stage

Below is an elaboration of the recommended implementation steps for Metrobank’s Analyse Gap stage, with related examples to illustrate how Metrobank could execute each step in practice.

Step 1: Establish Gap-Analysis Governance & Project Team

Implementation

  • Metrobank’s Board of Directors (or a designated Board Committee) endorses the gap-analysis project, specifying objectives (e.g., map current state → identify gaps → prioritise remediations).
  • Senior management (e.g., Risk Management, Operational Risk, ICT Risk) appoints a project lead and cross-functional team (business units, technology/ICT, third-party/vendor risk, compliance, internal audit).
  • Define terms of reference: scope, deliverables, timeline (e.g., three months), and resources.
  • Ensure clarity of roles: the first line (business & operations) provides information on the current state; the second line (risk & compliance) evaluates it; the third line (internal audit) validates the outcome afterwards.

Example

Metrobank’s Operational Risk Department coordinates a “Resilience Gap Analysis Working Group” including the Retail Banking head, Corporate Banking head, IT & Cybersecurity head, Vendor Risk head, and BCM lead. The Board authorises the initiative via its Risk Committee.

Step 2: Document the “Required State” – Regulatory & Business Expectations

Implementation

  • Using the BSP guidelines above, Metrobank defines what the “target” operational resilience state looks like. For example:
    • Having a Board-approved resilience framework.
    • Setting tolerance for disruption metrics (e.g., 4 hours maximum acceptable outage for online corporate banking).
    • Full mapping of interdependencies for each critical operation.
    • Regular scenario-based testing at least annually.
  • Also embed business-specific expectations: e.g., customer service standards, SLA commitments, digital banking uptime.
  • Compile an internal “Operational Resilience Requirements Catalogue” combining regulatory, supervisory, business, and stakeholder expectations.

Example

Metrobank documents that for its “Online Banking & Mobile App” critical operation: tolerance for disruption is set to no more than 2 hours downtime; severe but plausible scenarios include a ransomware attack on the core banking data centre and a simultaneous power outage at the backup site; service must resume within tolerance; third-party cloud provider must support continuity arrangements.

Step 3: Document the “Current State” – Assessment of Metrobank’s Existing Capabilities

Implementation

  • Perform current-state inventory of capabilities: governance arrangements (board oversight, committees), mapping of critical operations, tolerance metrics set, scenario testing executed, interdependency mapping, third-party resilience, ICT resilience, and incident response.
  • Use questionnaires, interviews, document review (policies, BCM plans, test reports), control self-assessment, and audit findings.
  • Collect evidence: e.g., when was the last scenario test? Are third-party providers assessed for resilience? Has mapping of dependencies been done and updated? Are tolerance metrics formally approved by the Board?

Example

Metrobank’s ICT Risk team reveals that while BCM plans exist for major sites, there is no formally approved “tolerance for disruption” metric for its payments operations. The Vendor Risk team notes that certain third-party service providers have not been subject to resilience testing in the last 24 months. The Business Continuity team reveals that interdependency mapping was conducted two years ago, but has not been refreshed to reflect newer cloud-based services.

Step 4: Perform Gap Analysis – Identify Gaps Between Required and Current State

Implementation

  • Compare the required state (from Step 2) with the current state (from Step 3) across each element of the framework (governance, critical operations identification, tolerance setting, mapping, risk planning, testing, response & recovery, review/update).
  • For each gap, document: nature of gap, root cause, magnitude (risk/impact), and prioritise (High, Medium, Low) based on how far the current state deviates and the criticality of the operation.
  • Use a gap-analysis matrix or dashboard to summarise.

Example

Gap Example 1: Tolerance metrics not defined for payments operations → root cause: lack of Board-level discussion → priority: High (payments operations are critical).

Gap Example 2: Third-party resilience testing outdated → root cause: vendor risk team resourcing constraints → priority: Medium.

Gap Example 3: Interdependency mapping not refreshed for cloud services → root cause: cloud migration not integrated into resilience programme → priority: High.

Step 5: Link Gaps to Regulatory Compliance and Supervisory Expectations

Implementation

  • For each identified gap, assess whether it implies non-compliance (or risk of non-compliance) with BSP guidelines. For example, if critical operations are not identified and tolerance is not set, this violates key element #2 of the guidelines.
  • Flag any gaps that may trigger supervisory concerns, e.g., inability to notify BSP within the prescribed timeframe, or absence of a Board-approved framework.
  • Document regulatory risk and potential supervisory consequences (e.g., enforcement action by BSP) alongside each gap.

Example

Metrobank’s absence of formally approved tolerance metrics for payment operations means it is not in full compliance with the BSP requirement to set tolerances for disruption.

This must be flagged as regulatory risk. If an incident occurs and Metrobank fails to resume services within tolerance or fails to report to BSP, this could lead to supervisory action.

Step 6: Prioritise Remediation Actions and Prepare Gap Remediation Roadmap

Implementation

  • Prioritise gaps based on impact to business and regulatory/compliance risk (e.g., High priority = gaps affecting critical operations, regulatory requirements, or systemic risk).
  • For each gap, define remediation actions: what must be done, who is accountable, target date, required resources, and key performance indicators (KPIs).
  • Develop a roadmap – sequencing of remediation, milestone dates, dependencies, quick wins vs longer-term initiatives.
  • Integrate the remediation roadmap with Metrobank’s broader risk management/operational resilience planning process.

Example

Remediation Action Example 1: Define and obtain Board approval for tolerance for disruption metrics for all critical operations — Owner: Risk Management; Target date: end Q2 2026. KPI: Board resolution passed; tolerance metrics published.

Remediation Action Example 2: Refresh interdependency mapping for cloud-based payments platform — Owner: ICT Risk; Target date: end Q3 2026. KPI: Completed mapping; vulnerabilities identified; remediation plan developed.

Remediation Action Example 3: Conduct resilience testing for third-party service providers supporting payments operations — Owner: Vendor Risk; Target date: end Q4 2026. KPI: At least one full scenario test executed; results logged; vendor remediation actions tracked.
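As an added illustration (not code from this guide, from Metrobank, or from BCM Institute), the following Python script builds the gap-analysis matrix that Steps 2 to 6 describe: a required-state catalogue entry and a current-state evidence record per operation, automatic detection of gaps (tolerance not approved, recovery outside tolerance, overdue scenario testing, stale interdependency mapping, stale third-party testing), tagging of each gap with the BSP key element it maps to and whether it is a regulatory gap, a priority rule, and a remediation roadmap ordered by priority. Every operation, date and threshold is constructed sample data; the High/Medium/Low rule (criticality of the operation combined with the size of the deviation) and the "two times the limit counts as a severe deviation" heuristic are assumptions for the example, not BSP requirements.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Callable, List, Optional

# Key elements of the BSP guidelines, numbered as in the list earlier in this chapter.
ELEMENT_TOLERANCE, ELEMENT_MAPPING, ELEMENT_RISK_PLANNING, ELEMENT_TESTING = 2, 3, 4, 5
RANK = {"High": 0, "Medium": 1, "Low": 2}


@dataclass
class RequiredState:
    """Step 2: one entry of the Operational Resilience Requirements Catalogue."""
    operation: str
    critical: bool
    tolerance_hours: float                 # maximum acceptable outage
    scenario_test_max_age_days: int = 365  # "at least annually"
    mapping_max_age_days: int = 365
    vendor_test_max_age_days: int = 730


@dataclass
class CurrentState:
    """Step 3: evidence collected for the operation (None = no evidence found)."""
    operation: str
    tolerance_board_approved: bool
    last_scenario_test: Optional[date]
    mapping_last_refreshed: Optional[date]
    vendor_last_tested: Optional[date]
    demonstrated_recovery_hours: Optional[float]


@dataclass
class Gap:
    """Step 4 record: nature, root cause, magnitude/priority and regulatory link (Step 5)."""
    operation: str
    element: int
    nature: str
    priority: str
    regulatory: bool
    root_cause: str = field(default="to be confirmed by the working group")


def priority(critical: bool, severe: bool) -> str:
    """Assumed rule: criticality of the operation combined with size of the deviation."""
    if critical and severe:
        return "High"
    if critical or severe:
        return "Medium"
    return "Low"


def _age_days(d: Optional[date], as_of: date) -> Optional[int]:
    return None if d is None else (as_of - d).days


def find_gaps(req: RequiredState, cur: CurrentState, as_of: date) -> List[Gap]:
    """Steps 4 and 5: compare required with current state and flag regulatory gaps."""
    gaps: List[Gap] = []

    def add(element: int, nature: str, severe: bool, regulatory: bool) -> None:
        gaps.append(Gap(req.operation, element, nature,
                        priority(req.critical, severe), regulatory))

    def staleness(element: int, label: str, last: Optional[date], max_age: int) -> None:
        age = _age_days(last, as_of)
        if age is None:                      # capability absent: regulatory gap
            add(element, f"{label}: never performed", severe=True, regulatory=True)
        elif age > max_age:                  # capability present but overdue
            add(element, f"{label}: {age} days old (limit {max_age})",
                severe=age > 2 * max_age, regulatory=False)

    if not cur.tolerance_board_approved:
        add(ELEMENT_TOLERANCE, "tolerance for disruption not Board-approved",
            severe=True, regulatory=True)
    if cur.demonstrated_recovery_hours is None:
        add(ELEMENT_TOLERANCE, "no evidence that service resumes within tolerance",
            severe=False, regulatory=False)
    elif cur.demonstrated_recovery_hours > req.tolerance_hours:
        add(ELEMENT_TOLERANCE,
            f"recovery took {cur.demonstrated_recovery_hours}h against tolerance "
            f"of {req.tolerance_hours}h", severe=True, regulatory=True)
    staleness(ELEMENT_TESTING, "scenario test", cur.last_scenario_test,
              req.scenario_test_max_age_days)
    staleness(ELEMENT_MAPPING, "interdependency mapping", cur.mapping_last_refreshed,
              req.mapping_max_age_days)
    staleness(ELEMENT_RISK_PLANNING, "third-party resilience test", cur.vendor_last_tested,
              req.vendor_test_max_age_days)
    return gaps


def remediation_roadmap(gaps: List[Gap]) -> List[Gap]:
    """Step 6 ordering: highest priority first, regulatory gaps before others, then element."""
    return sorted(gaps, key=lambda g: (RANK[g.priority], not g.regulatory, g.element))


def run_gap_analysis(catalogue: List[RequiredState], evidence: List[CurrentState],
                     as_of: date) -> List[Gap]:
    by_name = {c.operation: c for c in evidence}
    gaps: List[Gap] = []
    for req in catalogue:
        gaps.extend(find_gaps(req, by_name[req.operation], as_of))
    return remediation_roadmap(gaps)


# Constructed sample data (not Metrobank figures).
AS_OF = date(2025, 11, 1)
CATALOGUE = [
    RequiredState("Payments", critical=True, tolerance_hours=2.0),
    RequiredState("Branch teller services", critical=False, tolerance_hours=8.0),
]
EVIDENCE = [
    CurrentState("Payments", tolerance_board_approved=False,
                 last_scenario_test=date(2024, 3, 1), mapping_last_refreshed=date(2023, 10, 1),
                 vendor_last_tested=date(2023, 6, 1), demonstrated_recovery_hours=3.0),
    CurrentState("Branch teller services", tolerance_board_approved=True,
                 last_scenario_test=date(2025, 5, 1), mapping_last_refreshed=date(2025, 2, 1),
                 vendor_last_tested=date(2023, 1, 1), demonstrated_recovery_hours=1.0),
]

if __name__ == "__main__":
    for g in run_gap_analysis(CATALOGUE, EVIDENCE, AS_OF):
        flag = "REG" if g.regulatory else "   "
        print(f"{g.priority:<6} {flag} E{g.element} {g.operation:<24} {g.nature}")
```

Run stand-alone it prints the roadmap as a text matrix; the three High rows for the payments operation (tolerance not approved, recovery outside tolerance, mapping more than two years old) match the shape of Gap Examples 1 and 3 above, while the overdue third-party test lands at Medium like Gap Example 2. Root cause stays a free-text field because it comes from the workshop, not from the evidence record.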

Step 7: Document Gap Analysis Output and Report to Senior Management/Board

Implementation

  • Prepare a formal Gap Analysis Report for senior management and the Board. The report should include: methodology, key required state criteria, current-state snapshot, summary of gaps (with prioritisation), regulatory/compliance implications, remediation roadmap, and resource implications.
  • Highlight critical gaps requiring immediate attention and propose decision-points for senior management/Board (e.g., allocation of budget, escalation of high-risk items).
  • Obtain Board endorsement of the roadmap and commitment to resource allocation and monitoring.

Example

Metrobank’s Board receives the Gap Analysis Report in its Risk Committee meeting. The report highlights 3 high-priority gaps (payments tolerance metrics, interdependency mapping, third-party testing) and seeks Board approval for a dedicated budget and timeline. The Board approves the roadmap and directs senior management to report quarterly on progress.

Step 8: Establish a Monitoring and Follow-Up Mechanism

Implementation

  • Define how Metrobank will monitor progress of remediation actions: e.g., quarterly status updates, dashboard of remediation progress, escalation mechanism for overdue actions.
  • Link progress monitoring to the overall operational resilience governance structure (e.g., Board Risk Committee receives updates).
  • Ensure that once gaps are closed, evidence is retained (documentation, test results, approvals) for internal audit and BSP supervisory review.

Example

Metrobank implements a Resilience Gap Dashboard in its Governance, Risk & Compliance (GRC) tool. High-priority remediation items show status (green/yellow/red).

At each board meeting, the Risk Committee reviews the top 5 items, with the project lead presenting progress. Overdue items are escalated to senior management for resolution.

Summing Up

The Analyse Gap stage is a pivotal step in Metrobank’s Operational Resilience Planning methodology.

By systematically comparing the “required state” (driven by regulatory, supervisory, and business expectations) with the “current state” (its existing capabilities), Metrobank uncovers where it falls short and what must be done to strengthen resilience.

Through the implementation steps above — from governance setup, current state inventory, gap identification and regulatory linking, to remediation roadmap and reporting — Metrobank establishes a clear and structured path forward.

Completing this gap analysis effectively prepares Metrobank to move into the next stage of the Plan phase: developing and prioritising remediation and enhancement initiatives, integrating operational resilience into its enterprise-risk architecture, and ultimately embedding a resilient operating model that aligns with the BSP’s guidelines and supports the bank’s ability to maintain critical operations through disruption.
