Building Resilient Banking Operations: The Metrobank Operational Resilience Implementation Guide

Developing Strategy and Roadmap

In Metrobank's overall Operational Resilience Planning methodology, the “Develop Strategy and Roadmap” stage serves as the critical bridge between a clear understanding of the bank’s current resilience and the aspirational future state we aim to achieve.

Having completed assessments of the current environment (e.g., risk profile, business continuity maturity, third-party dependencies, scenario testing) and defined the desired resilience outcomes, this stage now focuses on translating those insights into a structured strategic plan that aligns with organisational objectives, regulatory expectations, and stakeholder needs.

For Metrobank – a full-service universal bank operating in the Philippines under the supervision of Bangko Sentral ng Pilipinas (BSP) – this means developing a roadmap that is actionable, measurable, and aligned with both the bank’s business strategy and the regulatory requirements for operational resilience.

The roadmap outlines what must be done, when, by whom, with what resources, and how progress will be measured.

In this chapter, we will articulate the implementation steps of the strategy and roadmap stage, provide examples tailored to Metrobank’s context, and link them explicitly to relevant BSP guidelines on operational resilience.

Moh Heng Goh
Operational Resilience Certified Planner-Specialist-Expert

Develop Strategy and Roadmap

(Part of the “Plan” Phase in Operational Resilience for Metrobank)

Introduction

In Metrobank's overall Operational Resilience Planning methodology, the “Develop Strategy and Roadmap” stage serves as the critical bridge between a clear understanding of the bank’s current resilience and the aspirational future state.

Having completed assessments of the current environment (e.g., risk profile, business continuity maturity, third-party dependencies, scenario testing) and defined the desired resilience outcomes, this stage now focuses on translating those insights into a structured strategic plan that aligns with organisational objectives, regulatory expectations, and stakeholder needs.

For Metrobank – a full-service universal bank operating in the Philippines under the supervision of the Bangko Sentral ng Pilipinas (BSP) – this means developing an actionable, measurable roadmap aligned with the bank’s business strategy and regulatory requirements for operational resilience.

The roadmap outlines what must be done, when, by whom, with what resources, and how progress will be measured.

In this chapter, we will outline the implementation steps for the strategy and roadmap stage, provide context-specific examples, and explicitly link them to relevant BSP guidelines on operational resilience.

Implementation Steps

Here are the core implementation steps for Metrobank’s “Develop Strategy and Roadmap” stage, each with elaboration and example.

1. Define Strategic Objectives and Resilience-Target States
Elaboration
  • Review the outputs of the earlier assessment, e.g., identified critical operations, current tolerance for disruption, gap analysis of resilience capabilities, third-party dependencies, and scenario test outcomes.
  • Translate these into clear strategic objectives. For example: “Ensure uninterrupted access to retail deposits for 99.9% of customers under major disruption scenario X”; or “Achieve recovery of core payments infrastructure within 4 hours of disruption.”
  • Define target states for resilience maturity, such as upgrading business continuity arrangements, strengthening third-party exit strategies, improving cyber-resilience metrics, and harmonising crisis communication protocols.
  • Align these objectives with Metrobank’s overall corporate strategy (growth, digital banking, risk appetite) and regulatory expectations (e.g., BSP’s tolerance for disruption metrics).
Example for Metrobank
  • Objective 1: Within 12 months, reduce the time to restart the core retail banking platform (for deposit/withdrawal) after a significant incident to under 4 hours.
  • Objective 2: By end-2026, ensure all critical third-party service providers serving core payments and settlement operations are subject to agreed resilience SLAs and exit/transition plans, aligned with Metrobank’s tolerance for disruption.
  • Objective 3: Elevate third-line defence testing and scenario-based exercises to cover at least four “severe but plausible” disruption scenarios per annum, including cyber-attack and natural disaster, as required by BSP.
2. Prioritise Initiatives and Determine Sequencing
Elaboration
  • For each strategic objective, identify a set of initiatives (projects or programmes) that will move Metrobank toward the target state.
  • Use prioritisation criteria: alignment with regulatory requirements; risk impact (the distance from the current state to the target state); cost and resource requirements; urgency (e.g., exposure to severe scenarios); dependencies; and business value.
  • Establish a high-level sequencing: which initiatives need to happen first, which can run in parallel, and which depend on others.
  • Identify “quick wins” (early deliverables) as well as long-term items (multi-year programmes).
Example for Metrobank
  • Initiative A (high priority/quick win): Conduct and refresh the mapping of all critical operations and their interdependencies, including third-party service providers, within the next 3 months.
  • Initiative B (medium priority): Revise the business continuity and incident response plans for the payments infrastructure to reduce recovery time, with delivery targeted in 9 months.
  • Initiative C (long-term): Contractually embed operational resilience criteria and recovery SLAs into all new and existing third-party provider agreements, phased over 18–24 months.
3. Develop Implementation Roadmap and Milestones

Elaboration:

  • For each initiative, define major milestones and deliverables; a timeline (start and end dates); responsible owner(s); key resources (budget, technology, staffing); and success criteria and metrics.
  • Group initiatives into phases (e.g., Phase 1 – Foundation; Phase 2 – Enhancement; Phase 3 – Optimisation).
  • Ensure that the roadmap is time-boxed and realistic, with built-in review points (e.g., quarterly) and opportunities for corrective action.
  • Ensure that dependencies are captured (e.g., Initiative B depends on the completion of Initiative A).
  • Provide visibility into the roadmap to the Board, senior management, and relevant stakeholders to build buy-in and ensure oversight.

Example for Metrobank:

  • Phase 1 (Q1–Q2 2026):
    • Complete full critical operations mapping (Milestone 1: mapping document approved by Risk & Compliance Committee).
    • Define disruption-tolerance metrics for each critical operation and submit them to the Board for approval (Milestone 2).
  • Phase 2 (Q3–Q4 2026):
    • Conduct the first scenario-based exercise (Milestone 3).
    • Revise the incident response plan based on findings (Milestone 4).
  • Phase 3 (2027):
    • Embed resilience criteria into third-party contracts (Milestone 5).
    • Achieve < 4-hour recovery for payments infrastructure (Milestone 6).
    • Report annual operational resilience status in the annual report to satisfy BSP notification/disclosure requirements.
4. Integrate Regulatory and Compliance Requirements
Elaboration
  • Map the relevant regulatory requirements (in Metrobank’s case, those of the BSP’s operational resilience guidelines) into the roadmap.
  • Ensure that initiatives and milestones explicitly reference compliance deliverables: e.g., board-approved criteria for critical operations, tolerance for disruption metrics, periodic testing requirements, third-party resilience expectations, and self-assessment questionnaire submission.
  • Include internal reporting mechanisms and external regulatory notifications (e.g., activation of the incident response plan must be reported to BSP within 24 hours) and disclosures (in the annual report) as part of the roadmap.
  • Identify any regulatory deadlines or phased implementation windows.
  • Ensure the roadmap includes KPIs and milestones that demonstrate regulatory compliance and improvements in resilience.
Example for Metrobank
  • Regulatory requirement: The BSP guidelines require that all BSP-supervised financial institutions (BSFIs) identify critical operations, set tolerance for disruption, map interdependencies, plan/manage risks, test resilience, respond and recover, and review/refine the framework.
  • For Metrobank, ensure the roadmap includes:
    • Board approval of criteria for critical operations and tolerance for disruption.
    • Mapping interconnections and interdependencies of critical operations and service providers.
    • Testing of the ability to deliver critical operations under “severe but plausible” scenarios.
    • Notification to BSP within 24 hours upon activation of the incident response plan for critical operations.
    • Disclosure of the resilience framework approach in Metrobank’s annual report.
  • These regulatory triggers are embedded as milestones in the roadmap: e.g., self-assessment questionnaire by year-end; audit of third-party resilience by Q1 2026; first full scenario test by Q4 2026.
5. Allocate Resources and Governance for Execution
Elaboration
  • Define the governance structure for executing the roadmap: e.g., establish an Operational Resilience Steering Committee (senior management) and a Programme Office (foot soldiers).
  • Assign initiative owners and cross-functional teams (business units, IT, risk, compliance, continuity, third-party management).
  • Allocate budget, technology investments, and staff capacity.
  • Clarify decision points, escalation paths, and Board/senior management oversight.
  • Ensure alignment with the three lines of defence model: first line (business units & operations), second line (risk & compliance oversight), and third line (internal audit). The BSP guidelines emphasise this structure.
  • Embed monitoring and reporting mechanisms: e.g., a monthly dashboard to senior management showing progress vs roadmap, key metrics (e.g., % critical operations mapped, % contracts compliant, time-to-recover testing result).
  • Establish a change-control process: the roadmap is a living plan and must adapt to evolving threats, business model changes, and regulatory updates.
Example for Metrobank
  • Governance: Metrobank establishes an Operational Resilience Steering Committee, chaired by the Head of Risk, and a Programme Office in the Operational Risk Management Department.
  • Owners: For Initiative A (mapping), Business Units (Retail, Wholesale, Payments) are first-line owners; IT & Business Continuity are support functions; second line is Risk & Compliance; third line is Internal Audit.
  • Resources: A budget of PHP 15 million is allocated for 2025 for mapping tools, scenario-simulation software, and external resilience consultancy.
  • Monitoring: Monthly progress reports to senior management; quarterly updates to Board Risk Committee; key metric dashboards include % critical operations mapped, number of third-party contracts reviewed, number of scenario tests completed.
  • Change-control: At the end of each phase, the roadmap will be reviewed and updated to reflect new threats (e.g., rising cyber threats), business expansions (e.g., new digital channels), and regulatory changes (e.g., BSP issuing further guidance).
6. Define Metrics, Monitoring, and Review Mechanisms
Elaboration
  • For each initiative and the overall strategic objective, define clear metrics (Key Performance Indicators – KPIs) and Key Risk Indicators (KRIs) to track progress and performance.
  • Examples of metrics: number of critical operations mapped; % of third-party providers with resilience SLAs; average time to recover a service in scenario test; number of scenario tests per year; number of incidents where tolerance for disruption was breached.
  • Establish dashboards, reporting cadences (monthly, quarterly, annually).
  • Build in review mechanisms: periodic (e.g., annually) full reviews of the roadmap, adjustments to initiatives, and realignment of targets in response to business model changes or the threat environment.
  • Incorporate lessons learned from scenario tests, actual incidents, and near-misses into the continuous improvement of the roadmap.
  • Ensure the outcome links back to regulatory obligations: e.g., BSP expects BSFIs to review and refine their operational resilience framework continuously.

Example for Metrobank

  • KPIs:
    • 100% of critical operations identified and Board-approved by the end of Q2 2025.
    • 90% of critical third-party providers will be incorporated in the resilience programme by the end of Q2 2026.
    • Recovery time for core payments infrastructure tested <4 hours in at least two scenario tests in 2026.
    • Annual disclosure in the annual report of the resilience framework, progress, and gaps (to comply with BSP).

  • KRIs:
    • Number of third-party incidents with service downtime > tolerance for disruption.
    • Number of scenario test failures (i.e., recovery time exceeded tolerance) per annum.
    • % of business units that have not updated their resilience plan in the last 12 months.

  • Review: 
    • At the end of 2026, Metrobank performs a roadmap review, adjusts initiative priorities based on the results of initial mapping and scenario testing, and updates resource allocations for 2026-2027 accordingly.
7. Communicate and Engage Stakeholders

Elaboration

  • Effective communication is critical: all relevant stakeholders (Board, senior management, business units, support functions, third-party providers, regulators) must understand the strategy, roadmap, their roles and expectations.
  • Develop a communication plan: launch the roadmap, provide regular updates, conduct staff training or awareness sessions, and deliver third-party briefings.
  • Engage business units early: resilience is not just an IT/BCP activity but a business-unit responsibility.
  • Engage third-party providers: ensure they understand their role in Metrobank’s resilience roadmap (e.g., inclusion of resilience clauses in contracts).
  • Keep the regulator informed: Metrobank must ensure that it provides disclosures and notifications in line with BSP’s guidelines (e.g., when the incident response plan is activated).

Example for Metrobank

  • Launch event: In Q1 2026, Metrobank hosts a senior-management resilience briefing, releasing the roadmap document and assigning initiative owners.
  • Training: By Q2 2026, business units will receive tailored training on critical operations, tolerance for disruption, and their roles in scenario tests.
  • Third-party engagement: By Q3 2026, Metrobank will hold vendor resilience workshops for its top 50 third-party providers to communicate the roadmap, governance expectations, and resilience SLAs.
  • Regulator communication: Metrobank schedules quarterly regulatory update meetings with the BSP supervisory team and ensures Annual Report disclosures in 2026 reference the resilience strategy and roadmap as required.
8. Kick-Off and Execute the Roadmap, Monitor Progress, Adjust Accordingly

Elaboration

  • With governance established, initiatives prioritised, roadmap approved, resources allocated, and stakeholders engaged, we move into execution.
  • Track progress against milestones, provide regular status updates, identify issues/roadblocks, and escalate as needed.
  • Evaluate interim results: e.g., first mapping completed, initial scenario test results, contract reviews started.
  • Adjust the roadmap as needed: business environment changes (e.g., new digital channel, regulatory update), the threat landscape evolves (e.g., new cyber risk), resource constraints, or test results indicate the need to change direction.
  • Maintain continuous improvement: resilience is dynamic — the roadmap must evolve in response to internal and external changes.
  • At defined intervals (e.g., annually), conduct a full review of the roadmap, update strategic objectives if required, and refresh initiatives and sequencing.

Example for Metrobank

  • Execution: In Q1 2026, Initiative A begins: a mapping exercise led by the Programme Office, with weekly status updates to the Steering Committee.
  • Milestone achieved: by the end of Q2 2026, the mapping report will be presented and approved.
  • Interim scenario test: In Q4 2026, Metrobank simulates a major cyber-attack combined with a systems outage; results show recovery time of 6 hours (breach of target <4 hours).
  • Adjustment: Based on test results, the roadmap is updated in Jan 2026 to include an additional initiative: “Enhance alternate payments platform architecture” with a target of Q4 2026.
  • Continued monitoring: monthly dashboards indicate that 80% of third-party contracts remain unreviewed; ABS (Action Breakthrough Strategy) has been initiated to accelerate vendor contract reviews.

Compliance Requirements for Metrobank under BSP Operational Resilience Guidelines

When developing its strategy and roadmap, Metrobank must explicitly consider the following regulatory requirements issued by the Bangko Sentral ng Pilipinas (BSP), which are embedded into its roadmap:

  • Scope of Application: The guidelines apply to all BSP-supervised financial institutions (BSFIs), including banks such as Metrobank. These must prepare an operational resilience framework at both the solo and group level (if applicable).
  • Identification of Critical Operations and Tolerance for Disruption: BSFIs must identify their critical operations (end-to-end) and set a tolerance for disruption (time-based, volume/transaction-based, etc).
  • Mapping of Interconnections and Interdependencies: BSFIs must map the people, processes, technology, information, facilities, and third-party/intragroup dependencies that underlie the delivery of critical operations.
  • Risk Planning and Management: BSFIs must plan and manage risks to critical operations delivery, leveraging frameworks for operational risk, business continuity, ICT risk, and third-party risk.
  • Testing and Capacity to Deliver Critical Operations Through Disruption: BSFIs must test their ability to deliver critical operations under “severe but plausible” scenarios, and review/adjust based on findings.
  • Response, Recovery, and Notification: BSFIs must have incident response and recovery plans. When the incident response plan is activated for a critical operation, BSFIs must inform the relevant BSP supervising department within 24 hours.
  • Governance and Oversight (Three-Lines-of-Defence): The board of directors must approve the operational resilience framework and oversee the three lines of defence model (business units/operations; risk & compliance; internal audit).
  • Disclosure: BSFIs must disclose in their annual report the overarching approach to operational resilience and key information on the resilience components.

In Metrobank’s roadmap, these compliance requirements must be built in as milestones, deliverables, and monitoring points — not as a separate “compliance afterthought.” This ensures that resilience and compliance go hand in hand.

In summary, the “Develop Strategy and Roadmap” stage for Metrobank is where theory becomes action: assessment results and resilience ambitions are translated into a structured, sequenced, resourced and governed plan that both advances the bank’s resilience maturity and satisfies regulatory obligations under BSP’s operational resilience guidelines.

By following the defined implementation steps — from defining strategic objectives, prioritising initiatives, developing the roadmap, embedding compliance requirements, allocating governance/resources, defining monitoring metrics, and executing/adapting the plan — Metrobank positions itself to move from the current state toward the desired future state of operational resilience.

Crucially, this roadmap is not static; it must evolve with the business model, threat environment, technology landscape, and regulatory expectations.

With clear ownership, transparent progress tracking, stakeholder engagement, and a feedback loop of lessons learned, Metrobank can ensure that its resilience strategy remains both robust and relevant — ultimately enabling it to deliver critical operations through disruption, protect its customers, preserve its viability, and contribute to the stability of the Philippines’ financial system.
