[OR] [MBT] [E2] [P2] [S1] [C9] Identifying Critical Business Services

Identifying Critical Business Services (CBS)

(Stage of the “Implement” Phase – Operational Resilience Planning Methodology for Metrobank)

Introduction

In the context of operational resilience, identifying critical business services is a foundational step. For Metrobank (Philippines), this means systematically cataloguing and analysing the business services that—if disrupted—would pose significant harm to the Bank, its customers, or the broader financial system.

Under the governance of the Bangko Sentral ng Pilipinas (BSP), banks are required to embed operational resilience into their frameworks, integrating with existing governance, risk management and business continuity structures.

Readers from Metrobank are to note that BSP uses the term "Critical Business Services" for "Critical Operations."  In this eBook, the term "Critical Business Services" will be treated as "Critical Operations."

In this chapter, we describe how Metrobank should approach the “Identify Critical Business Services” stage, covering implementation steps, practical examples mapped to its defined CBS codes (CBS-1 to CBS-12), and compliance alignment with the BSP’s guidelines.

Step 1: Establish Governance and Define Scope

Implementation Step

1. Ensure oversight of the identification process at the Board and Senior Management levels (e.g., Board Risk Committee, Operational Resilience Steering Committee).
2. Define the scope of the criticality assessment: which business units, geographies (domestic Philippines, overseas branches), channels (digital, branch, ATM), and third-party relationships are covered.
3. Confirm alignment with BSP’s expectation that an operational resilience framework is built on existing governance, risk management, business continuity and third-party risk management structures.

Example for Metrobank

• The Board approves a policy stating “Metrobank shall identify all Critical Business Services (CBS) and map dependencies to maintain service delivery under disruption scenarios.” This aligns with the policy statement requirement under BSP.
• Define the scope to include both Philippine operations (domestic branches, digital banking) and overseas remittance/foreign-exchange services.
• Assign Senior Management (e.g., Chief Operations Officer) to lead the CBS inventory initiative, supported by enterprise risk, business continuity, and IT resilience functions.

Step 2: Inventory Business Services and Map to Defined CBS Codes

Implementation Step

1. Compile a comprehensive inventory of all business services offered by Metrobank (internal and external facing).
2. Map each service to a predefined CBS code (in this case, CBS-1 through CBS-12).
3. For each service, record key details: service owner, business unit, channel(s), underlying systems, supporting applications, third-party providers, geographic dependencies, rand regulatory obligations.

Example for Metrobank

• CBS-1: Deposit and Withdrawal Services – e.g., acceptance of retail deposits, teller withdrawals at branches and via digital channels, and branch cash operations support
• CBS-2: Payments and Fund Transfers – e.g., retail transfers, payroll payments, inter-bank transfers via Philippine Clearing House, digital transfer.
• CBS-3: ATM and Branch Cash Services – e.g., ATM network operations (including replenishment), branch cash-handling, cash-in/cash-out via ATMs.
• And so on through CBS-12: for example, CBS-12 Third-Party/Outsourced Service Management might include outsourced data-centre operations, vendor-managed ATM network services, and outsourced collections platforms.

By mapping services in this way, Metrobank creates a structured catalogue of critical services aligned with its operational resilience framework.

Step 3: Assess Criticality and Set Tolerance for Disruption

Implementation Step

1. For each identified service, assess its criticality by determining the potential impact of a service disruption on customers, business operations, reputation, and the financial system.
2. Determine the service’s impact tolerance—how much disruption (in time or degraded performance) can be sustained without unacceptable harm.
3. Align with BSP’s requirement that BSFIs identify their critical operations, set tolerance levels for disruption, and remain within those limits.
4. Document severe but plausible disruption scenarios for each service (e.g., natural disaster, cyber-attack, vendor outage, power failure, pandemic event).

Example for Metrobank

• For CBS-1 (Deposit and Withdrawal Services):
  • Criticality: If deposit/withdrawal services are disrupted for several hours, customers cannot access funds, branch operations may shut down, and reputational damage and regulatory red flags may occur
  • Impact tolerance: Example – Metrobank may set a tolerance of ‘no more than 4 hours’ of downtime for major branches and digital withdrawal channels under the worst-case scenario.
  • Scenario: Major typhoon causes branch network loss of power for 8 hours + ATM connectivity loss; cyber-attack cripples digital channel temporarily.

• For CBS-6 (Treasury and Capital Markets Operations):
  • Criticality: Disruption could affect liquidity, trading, and settlement operations, and could cause systemic risk.
  • Impact tolerance: Metrobank may set a 2-hour tolerance for settlement interruptions, with full trading recovery within 24 hours.
  • Scenario: Disaster at primary data centre; alternative site fails to pick up in time; treasury operations degrade.

Step 4: Map Dependencies and Interconnections

Implementation Step

1. For each critical service, map its internal and external dependencies, including systems, infrastructure, data flows, staff, third-party providers, outsourced services, geographic locations, and the supply chain.
2. Identify inter-dependencies among services (for example, CBS-2 depends on CBS-7 Digital & Online Banking Services) and potential single points of failure.
3. Use this mapping to identify vulnerabilities in the delivery of critical services, as required by the BSP’s guidelines: “map interconnections and interdependencies… identify and resolve vulnerabilities in the delivery of critical operations”. Philstar.com+1

Example for Metrobank

• For CBS-3 (ATM and Branch Cash Services):
  • Internal dependencies: cash replenishment logistics (couriers, CIT), ATM switch systems, network connectivity, branch cash loaders, and branch staffing.
  • External dependencies: third-party ATM servicing company, third-party network provider, cash-in-transit vendor.
  • Inter-dependencies: Branch cash withdrawal services (CBS-3) depend on deposit services (CBS-1) for funding; digital channels (CBS-7) may reduce branch load, so an outage in CBS-7 may increase demand for CBS-3.

• For CBS-12 (Third-Party/Outsourced Service Management):
  • Dependency map: outsourced data-centre provider, cloud-service vendor, ATM network vendor, digital payments platform vendor.
  • These dependencies affect many other CBS codes—e.g., CBS-9 (Credit Card Issuing and Acquiring Services) and CBS-10 (Overseas Remittance and Foreign Exchange Services) rely on outsourced vendor platforms.

Step 5: Prioritise Critical Business Services for Resilience Efforts

Implementation Step

1. Based on criticality and dependency mapping, prioritise the CBS codes for resilience planning, testing and investment.
2. Assign risk-rankings (high/medium/low) or similar weighting to each CBS.
3. Develop a roadmap for resilience initiatives (e.g., system redundancy, vendor contingency planning, branch fallback capability) aligned with higher-priority services.

Example for Metrobank

• High priority:
  • CBS-1 (Deposit and Withdrawal Services) – highest customer exposure.
  • CBS-7 (Digital and Online Banking Services) – growing digital channel importance, high risk if disrupted.
  • CBS-12 (Third-Party/Outsourced Service Management) – because many other services depend on outsourced/vendor ecosystems.

• Medium priority:
  • CBS-3 (ATM and Branch Cash Services) – still critical, but may have manual fallback via branches.
  • CBS-5 (Loan and Credit Services) – important, but less time-sensitive in an acute disruption scenario.

• Lower priority (but still included):
  • CBS-8 (Wealth Management & Trust Banking) – fewer retail customers, but still material.
    Metrobank then builds its resilience roadmap: e.g., by Q4 FY2025, implement vendor contingency plans for digital channels supporting CBS-7; by Q1 FY2026, establish a secondary data centre for CBS-1 systems; by Q2 FY2026, perform crisis scenario testing for CBS-12 vendor outages.

Step 6: Document and Report Critical Business Services Inventory

Implementation Step

1. Document the full inventory of CBS codes, including descriptions, business units, service owners, impact tolerance, dependencies, risk rankings, and priority levels.
2. Maintain version control to ensure updates as business services evolve (new products, channels, outsourcing arrangements).
3. Prepare reporting for Senior Management and the Board, e.g., including the “Critical Business Services” summary in the annual operational resilience report, as required by BSP.
4. Link the CBS inventory to the next phases (e.g., Business Continuity Planning, Testing & Exercising, Response & Recovery).

Example for Metrobank

• An Excel or database table lists CBS-1 to CBS-12, with each row capturing metadata:
  • CBS code: CBS-2
  • Service name: Payments and Fund Transfers (retail & corporate)
  • Service owner: Head of Retail Payments
  • Business unit: Payments & Treasury Division
  • Impact tolerance: maximum 3 hours of downtime
  • Dependencies: inter-bank clearing systems, digital platform, third-party payment processor
  • Risk ranking: High
  • Priority for resilience roadmap: Q4 2025 initiative

• The Board receives a quarterly update summarising the status of CBS inventory, highlighting any changes (e.g., new service added, impact tolerance revised), and linking to any resilience gaps identified.

Step 7: Review and Update Regularly

Implementation Step

1. Embed a review cycle for the CBS inventory and associated criticality assessments—at least annually, or when material changes occur (new product, new channel, outsourcing arrangement change, regulatory change).
2. Ensure alignment with the evolving regulatory environment (for example, changes in BSP’s guidelines).
3. Use the review to refine the critical services list, adjust impact tolerances, refresh dependency mapping, and update resilience priorities.

Example for Metrobank

• After launching a new mobile wallet service under CBS-7, Metrobank adds it to the inventory in Q1 2026, assesses its criticality, maps its dependencies, and assigns a priority for resilience testing.
• As part of the review, the Bank revisits the impact tolerance for CBS-10 Overseas Remittance & Foreign Exchange Services in light of regulatory or market changes (e.g., increase in remittance volumes).
• Senior Management receives an annual “Operational Resilience Update”, which includes changes to CBS inventory, outcomes of any scenario tests, and recommended adjustments to impact tolerances or controls.

Compliance Considerations – BSP Guidelines

Metrobank must ensure its work to identify critical business services aligns with key regulatory expectations under the BSP’s “Guidelines on Operational Resilience” (Circular No. 1203, Series 2024). Key compliance aspects include:

• The guidelines apply to all BSP-supervised financial institutions (BSFIs) and require both a solo and group-wide framework where applicable.
• BSFIs must integrate operational resilience into existing governance and risk management frameworks (operational risk, business continuity, third-party risk, cyber resilience).
• Critical operations must be identified, tolerance for disruption set, interconnections and dependencies mapped, and severe but plausible scenarios considered. B
• BSFIs must include an overview of their operational resilience approach, including critical business services, in their annual report.
• The self-assessment and transition plan: BSFIs are required to submit a self‐assessment within one year of the circular’s effectivity.

For Metrobank, accordingly, the CBS identification stage must not merely be a one-time project but be integrated into the ongoing governance, documentation, and reporting cycle to satisfy BSP expectations and drive real resilience.

Identifying critical business services is a strategic and operational imperative for Metrobank’s operational resilience journey.

By systematically mapping Metrobank’s CBS Codes (CBS-1 to CBS-12), assessing criticality, mapping dependencies, setting tolerance for disruption, prioritising resilience efforts, and embedding ongoing review and compliance reporting, Metrobank positions itself to weather disruptions—from natural disasters to cyber events—and to maintain uninterrupted delivery of services to its customers and the real economy.

With the BSP’s guidelines as a benchmark, this stage paves the way for robust continuity planning, testing and recovery phases that follow in the operational resilience methodology.

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.