[OR] [MBT] [E2] [P1] [S5] [C7] Developing and Embedding Governance

Develop and Embed Governance

(Part of the “Plan” Phase in Operational Resilience for Metrobank)

Introduction

Developing and embedding governance is the cornerstone of Metrobank’s operational resilience journey. Governance provides the structure through which resilience is managed, monitored, and continually improved.

It defines the “who,” “what,” and “how” of operational resilience, clarifying accountability, assigning ownership, and ensuring alignment with business priorities and regulatory requirements.

Establishing a clear governance framework ensures that resilience is not treated as an isolated function but as an organisation-wide capability for a large and interconnected financial institution like Metrobank.

This governance foundation enables the bank to respond confidently to disruptions, maintain the delivery of critical business services, and uphold trust with customers, regulators, and stakeholders.

Purpose of Governance in Operational Resilience

The primary goal of developing and embedding governance is to create a structured and sustainable framework integrating resilience principles into Metrobank’s existing management systems. This framework ensures that operational resilience activities are:

• Coordinated across departments and business lines.
• Measurable through defined indicators and performance metrics.
• Aligned with the Bangko Sentral ng Pilipinas (BSP) regulatory mandates and the bank’s strategic objectives.
• Embedded into corporate culture through leadership oversight and continuous engagement.

Implementation Steps

Step 1: Establish an Operational Resilience Governance Structure

The first step is to define the governance structure that will oversee resilience across Metrobank. This typically includes:

• Board of Directors and Senior Management – Responsible for setting strategic direction, approving resilience policies, and ensuring adequate resources.
• Operational Resilience Steering Committee (ORSC) – Oversees implementation, monitors progress, and ensures integration across risk, IT, operations, and business units.
• Operational Resilience Office (ORO) – Serves as the central coordinating body responsible for day-to-day management of the operational resilience framework.
• Business Unit Resilience Coordinators – Ensure resilience requirements are embedded into departmental activities and business continuity strategies.

Example

Metrobank’s Board Risk Oversight Committee (BROC) may formally approve the bank’s Operational Resilience Policy and assign the Risk Management Group (RMG) as the executive owner of the OR Framework, supported by Group Technology and Operations (GTO) for service delivery dependencies.

BSP Compliance Reference

According to the BSP’s Operational Resilience Guidelines (2024), banks must establish clear governance and accountability structures where the Board and Senior Management are ultimately responsible for resilience outcomes.

The guidelines emphasise the need for defined reporting lines, cross-functional coordination, and formal oversight mechanisms for resilience initiatives.

Step 2: Define Roles, Responsibilities, and Accountability

A well-defined governance model clarifies who is accountable for what.

Roles and responsibilities should be detailed in the Operational Resilience Policy and aligned with existing risk governance frameworks.

Key roles include:

• Board of Directors: Approves the OR strategy and ensures alignment with risk appetite.
• Senior Management: Oversees implementation, monitors performance, and allocates resources.
• Chief Risk Officer (CRO): Integrates OR within enterprise risk management (ERM).
• Chief Information Security Officer (CISO): Ensures cyber resilience and IT continuity align with OR objectives.
• Business Unit Heads: Identify critical business services, map dependencies, and manage resilience within their domains.

Example

If a major service outage occurs in Metrobank’s digital banking platform, the CISO and the Head of GTO would be directly accountable for technical response and recovery, while the CRO ensures escalation and alignment with the OR governance framework.

BSP Compliance Reference

BSP Circular No. 1120 (2021) on the Operational Risk Management Framework mandates the clear delineation of roles and accountability at all levels—particularly for senior management and risk committees—to ensure effective oversight and timely incident escalation.

Step 3: Develop the Operational Resilience Policy and Framework

The Operational Resilience Policy formalises the governance structure and the foundation for implementing resilience practices. It should cover:

• The purpose and scope of operational resilience.
• Governance and reporting structure.
• Roles and responsibilities across all levels.
• Linkages with risk management, business continuity, ICT risk, and outsourcing management.
• Key metrics and reporting protocols.

Example

Metrobank’s policy may stipulate that all critical business services must have a defined Impact Tolerance and Recovery Objective approved by the ORSC and reported quarterly to the Board Risk Oversight Committee.

BSP Compliance Reference

The BSP Guidelines on Operational Resilience (2024) require financial institutions to establish a documented Operational Resilience Framework that integrates business continuity, ICT, and third-party risk management, ensuring continuity of critical operations during disruptions.

Step 4: Integrate Governance into Existing Risk and Compliance Functions

Operational resilience should not function in isolation but should be aligned with existing risk management and compliance systems. Integration ensures synergy and avoids duplication of effort.

Integration areas include:

• Enterprise Risk Management (ERM): Align resilience assessments with risk appetite statements.
• Business Continuity Management (BCM): Synchronise business continuity strategies and recovery priorities.
• Information Security: Embed cyber resilience requirements.
• Vendor Management: Include resilience criteria in outsourcing and service-level agreements (SLAs).

Example

When Metrobank conducts its annual risk and control self-assessment (RCSA), the operational resilience team collaborates with the ERM unit to ensure that identified vulnerabilities (e.g., third-party payment gateway risks) are addressed in resilience planning and reporting.

BSP Compliance Reference

The BSP requires integration of operational resilience into the institution’s risk governance, compliance monitoring, and internal audit frameworks, ensuring end-to-end accountability and transparency.

Step 5: Embed Governance into Culture and Daily Operations

Governance must go beyond formal structures—it must become part of Metrobank’s culture. This involves continuous communication, training, and leadership engagement to foster awareness and accountability.

Actions to embed governance include:

• Conducting awareness sessions for employees on their roles in resilience.
• Including resilience objectives in employee performance KPIs.
• Running simulation exercises and scenario testing with Board and senior management participation.
• Promoting cross-functional collaboration through the OR Steering Committee.

Example

Metrobank’s quarterly “Resilience Review Meetings” bring together leaders from IT, Risk, Operations, and Customer Service to discuss recent incidents, lessons learned, and readiness improvements.

BSP Compliance Reference

The BSP highlights that resilience must be embedded across the organisation, with regular training and communication to build a culture that prioritises operational continuity and customer protection.

Key Deliverables

• Operational Resilience Governance Framework Document
• Operational Resilience Policy and Reporting Structure
• Defined Roles and Accountability Matrix
• Governance Committee Terms of Reference (TOR)
• Integration Plan with ERM, BCM, and ICT Functions
• Resilience Awareness and Training Programme

A strong governance framework is the foundation upon which Metrobank’s operational resilience capability is built. It ensures that resilience is led from the top, implemented across all levels, and reinforced by a culture of accountability.

By embedding governance into its daily operations, Metrobank positions itself to meet both its strategic and regulatory obligations—particularly under the Bangko Sentral ng Pilipinas Operational Resilience Guidelines—while safeguarding customer trust and financial stability.

Effective governance transforms operational resilience from a compliance exercise into a strategic enabler—one that supports Metrobank’s mission to “keep your trust” even in the face of disruption

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.