[OR] [MBT] [E2] [P2] [S2] [C10] Mapping of Processes and Resources

Map Processes and Resources

(Stage of the “Implement” Phase – Operational Resilience Planning Methodology for Metrobank)

Introduction

In the “Implement” phase of operational resilience planning, the “Map Processes and Resources” stage is pivotal. This chapter outlines how Metrobank in the Philippines can systematically map its internal processes and resources—people, technology, facilities, third-party interfaces—so that resilience efforts are grounded in actual operational realities.

By doing so, Metrobank positions itself to meet the resilience expectations set by the Bangko Sentral ng Pilipinas (BSP) and ensures that disruption scenarios, interdependencies and recovery capabilities are clearly understood and accounted for.

For Metrobank's operational resilience methodology, this chapter provides a blueprint that can be adapted to the local context while drawing on Metrobank’s example in the financial sector environment of the Philippines.

Step 1: Identify Critical Operations and Supporting Assets

Implementation steps:

1. Convene a cross-functional working group (business units, IT, operations, risk, compliance) to define what constitutes a critical operation for Metrobank (i.e., functions whose disruption would cause material harm to customers, viability of the bank or the wider financial system).
2. For each critical operation, map the supporting assets (people, technology systems, information flows, facilities, third parties).
3. Document the mission-critical processes and sub-processes, and link them to the supporting assets from step 2.
4. Prioritise which critical operations merit the highest resilience focus, guided by Metrobank’s risk profile and the BSP’s criteria.

Example for Metrobank:

• Critical operation: Branch-based deposit taking and online banking fund transfers.
  • Supporting assets: branch staff, core banking system, internet connection, backup data centre, third-party connectivity to payment networks.

• Critical operation: Card authorisation (via ATM/POS), real-time processing.
  • Supporting assets: card-switch infrastructure, vendor network, key staff, and telecommunications links.

Compliance linkage (BSP):

The BSP’s Guidelines on Operational Resilience require that BSFIs identify their “critical operations” and their “supporting assets” (people, technology, information, facilities, external dependencies), which, if disrupted, could cause material harm.

Metrobank has already referenced BSP Circular No. 1203 in its Corporate Governance Manual.

Step 2: Map Interconnections and Interdependencies

Implementation steps:

1. For each critical operation and its supporting assets, chart how they interconnect with other operations, systems and external service providers (vendors, utilities, third-party platforms).
2. Develop visual process flows or matrices that show dependencies (internal and external) – e.g., which vendor provides which service, which internal system is upstream/downstream of another, where single points of failure exist.
3. Identify cascading impacts: a disruption in one process or vendor may affect multiple critical operations. Tag these in the map.
4. Review and validate with stakeholders: business units, vendor management, IT and risk teams, to ensure accuracy and completeness.

Example for Metrobank:

• The online banking fund transfer process depends on the bank’s core banking system (internal), the internet service provider (external), and the national payment infrastructure (external).
• The ATM network depends on a third-party vendor switch, telecommunications link, power supply, and internal monitoring system. A telecom outage could cascade into ATM authorisation failure, thus affecting a second critical operation.
• Mapping reveals that both the branch deposit system and online banking share the same backup data centre, introducing a common-mode risk.

Compliance linkage (BSP):

The BSP emphasises that BSFIs must “map interconnections and interdependencies” in their delivery of critical operations, particularly across internal processes, service providers and third-party relationships.

For Metrobank, this means ensuring that its vendor contracts and risk management reflect these mapped dependencies and that single points of failure are identified and addressed.

Step 3: Catalogue Resources and Allocate Responsibilities

Implementation steps:

1. Create an inventory of all resources supporting critical operations—people (roles and backups), systems (hardware, software, databases), facilities (data centres, branches, network nodes), third-party service providers (outsourcing arrangements).
2. Define governance and responsibility: assign process owners, resilience lead, IT lead, vendor management lead, continuity/back-up lead.
3. Develop resource maps detailing who does what in disruption, including alternates, succession plans, and remote working capabilities.
4. Identify any resource gaps or weaknesses (e.g., no alternate data centre, single vendor with no backup, insufficient staffing for recovery).
5. Prioritise remediation of gaps in line with the criticality ranking established in Step 1.

Example for Metrobank:

• People: For the card authorisation process, identify the primary approval team in Manila, a secondary team in Luzon, shift rotation plans for after business hours, and remote access and credentials.
• Systems: Inventory includes core banking application, ATM network switch, backup data centre, and cloud-based disaster recovery site. Check configuration, patching, and maintenance schedules.
• Facilities: Main data centre in Metro Manila, backup site in a nearby region; branch premises with limited operations under power/flood conditions.
• Third-party: Vendor contracts for ATM switch, vendor for digital banking platform, telecommunications provider. Include SLAs, resilience clauses, and alternative providers.

Compliance linkage (BSP):

The Guidelines require BSFIs to align governance, risk management and operational resilience structures.

According to BSP Circular No. 1203, senior management must implement the resilience framework and allocate resources effectively; the board of directors must approve the framework.

Metrobank’s Corporate Governance Manual already references board oversight of such frameworks.

Step 4: Establish Disruption Tolerance and Scenario Mapping

Implementation steps:

1. For each critical operation, determine a disruption-tolerance: how long the operation can be unavailable or degraded and still meet regulatory/ business needs and not breach customer, reputational or systemic risk thresholds.
2. Identify a range of “severe but plausible” disruption scenarios relevant to Metrobank’s environment (e.g., major cyberattack, prolonged internet/telecom outage, regional flooding, vendor failure, pandemic resurgence).
3. Map the impact of each scenario on the critical operations and supporting resources (using the maps created in Steps 1-3).
4. Use the mapping to assess where tolerances may be breached and where additional resilience measures are required (redundancy, backup vendors, alternate site, manual fallback).
5. Document and review with senior management and the risk committee for approval and oversight.

Example for Metrobank:

• Tolerance: For online banking fund transfers, Metrobank may set a “normal recovery within 2 hours, maximum tolerated outage 4 hours before customer impact becomes unacceptable”.
• Scenario: A cyberattack disables the ATM switch vendor for 6 hours. Mapping shows that branch cash-withdrawal, ATM network and POS card services are impacted. Tolerance is exceeded, so risk mitigation includes an alternate vendor switch or fallback manual authorisation.
• Scenario: Typhoon floods the main data centre region, power outage lasts 12 hours. Mapping indicates that both online banking and branch systems are impacted. Tolerance is exceeded; therefore plan must include a geographically distant alternate site, a hot standby, staff remote work, and vendor telecom backup.

Compliance linkage (BSP):

The guidelines require BSFIs to set their tolerance for disruption and determine severe but plausible scenarios of varying nature, seriousness and duration, relevant to their business and risk profile.

This ensures Metrobank’s resilience approach is robust and aligned with the expectation of the regulator that operations proceed within acceptable resilience thresholds.

Step 5: Link to Recovery & Response Resources

Implementation steps:

1. With the mapping of processes, dependencies and scenario impact, link each critical operation to the defined response and recovery resources (e.g., incident response teams, alternate sites, vendor fallback, manual workarounds).
2. Define detailed run-books or playbooks for each scenario-type (e.g., cyberattack, vendor outage, region-wide power failure) that reference the mapped processes and resources.
3. Verify that the resource inventory supports the run-books (people know their roles, systems stand ready, vendor SLAs include resilience clauses).
4. Schedule and plan for testing of the recovery/response mechanisms — use the mapping to prioritise what needs testing most frequently.
5. Monitor resource adequacy and process-mapping currency (update when business changes, new systems onboarded, vendor changes).

Example for Metrobank:

• For a vendor ATM switch outage: The playbook triggers vendor fallback procedure, the communications team mobilises, branch staff are alerted to manual withdrawal options, and customers are notified via mobile app. The mapping shows which branches are most impacted (for example, remote branches reliant on that switch).
• For flooding of the main data centre: The plan activates the alternate data centre in a different region, remote workforce access is activated, branches are routed to the alternate site, and the restoration timeline is tracked. Mapping previously identified that certain branch systems rely on the main site.
• Testing: Metrobank schedules a vendor-switch outage simulation every six months. The mapping enables realistic test orchestration, verifying that both internal teams and external vendors can meet the tolerance thresholds defined.

Compliance linkage (BSP):

The BSP guidelines emphasise that BSFIs must test their ability to deliver critical operations amid disruption under severe but plausible scenarios.

Furthermore, BSFIs must have a clear incident response plan and recovery capabilities for designated critical operations. Metrobank needs to ensure its mapping is tightly integrated with these plans.

Step 6: Continuous Review and Resource Adjustment

Implementation steps:

1. Establish a regular review cycle (e.g., annually, or upon significant business change) for the mapping of processes and resources.
2. Feed in lessons learned from tests, incidents, vendor changes, business expansion or contraction, mergers/acquisitions, and regulatory changes.
3. Update the inventory, interdependency maps, tolerance thresholds, resource allocations, and vendor list accordingly.
4. Report on mapping status and resource adequacy to senior management/board and to the risk & resilience committee.
5. Ensure the mapping process is embedded in business-as-usual change management: whenever a new system, service or vendor is onboarded/terminated, the mapping and resource inventory is updated accordingly.

Example for Metrobank:

• After a real incident (e.g., a telecommunications outage that impacted online banking for 1 hour), Metrobank revisits its mapping: the telecom link was not previously captured as a third-party vendor dependency for that operation. It adjusts the map, re-ranks the criticality, redefines alternative connectivity options and updates the response plan.
• When Metrobank introduces a new digital banking channel or partners with a fintech vendor, the process mapping is revised to incorporate new dependencies and resources; staff training is scheduled; the tolerance threshold is revisited.
• The board’s quarterly report includes a slide showing process-mapping coverage, identified resource gaps, and action items. The resilience lead highlights that two vendor contracts (for data centre cooling and backup power) are due for renewal and will need updated SLAs to meet resilience requirements.

Compliance linkage (BSP):

The guidelines expect that operational resilience is not a one-off effort but a continuous management process. BSFIs must review and enhance their frameworks, governance and arrangements periodically.

Metrobank’s corporate governance documents already reflect the obligation for regular review of policies and systems.

Mapping processes and resources is the cornerstone of implementing an operational resilience framework.

For Metrobank, through the steps of identifying critical operations, mapping interdependencies, integrating resource inventories, defining tolerances and scenario-linkages, linking to recovery/response mechanisms and embedding continuous review, the institution builds a resilient operational foundation.

This supports compliance with the BSP’s Guidelines on Operational Resilience (Circular No. 1203) and positions Metrobank to deliver critical services consistently, even under disruptive conditions.

For Metrobank, adopting the same rigorous mapping stage ensures that your operational resilience journey is grounded in clarity, alignment and readiness.

Encouragingly, once the mapping is complete, the bank (or your organisation) can move confidently into the next phases—testing, embedding culture, monitoring and governance—knowing that you have a solid map of what you deliver, how you deliver it and what it takes to keep delivering under stress.

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.