[OR] [MBT] [E2] [P2] [S5] [C13] Improving Lessons Learned

Improving Lessons Learned

(Stage of the “Implement” Phase – Operational Resilience Planning Methodology for Metrobank)

Introduction

As one of the Philippines’ leading universal banks, Metropolitan Bank & Trust Company (Metrobank) is dedicated to maintaining operational resilience in the face of evolving financial, technological, and geopolitical risks.

In the “Implement” phase of its Operational Resilience Planning Methodology, the Improving Lessons Learned stage serves as the cornerstone for continuous enhancement — ensuring that every incident, scenario test, or disruption becomes an opportunity for learning and improvement.

This stage transforms past challenges into future strengths. By systematically capturing, analysing, and integrating lessons learned, Metrobank can refine its response mechanisms, enhance service continuity, and strengthen governance across all Critical Business Services (CBS), including Payments and Fund Transfers, Deposit and Withdrawal Services, and ATM Operations.

In alignment with the Bangko Sentral ng Pilipinas (BSP)’s Operational Resilience Guidelines (issued under BSP Memorandum M-2022-043 and related circulars), Metrobank is expected to institutionalise feedback loops to evaluate and update resilience practices.

These guidelines emphasise proactive risk management, adaptability, and an evidence-based culture of improvement to support overall financial stability in the Philippines.

Purpose of the Improving Lessons Learned Stage

The objective of this stage is to ensure that every operational incident, test, or resilience exercise generates actionable insights that strengthen Metrobank’s operational resilience framework.

Lessons learned must lead to measurable improvements — whether in control design, response coordination, communication effectiveness, or system recovery time.

This process contributes to Metrobank’s long-term resilience maturity by:

• Identifying systemic weaknesses before they escalate into critical disruptions.
• Enhancing response and recovery procedures for critical business services.
• Reinforcing a culture of accountability and continuous improvement.
• Ensuring compliance with BSP operational resilience expectations.

Implementation Steps

Step 1: Collect and Document Lessons Learned

After each scenario test, incident, or business disruption, Metrobank teams must systematically collect data and observations from all relevant stakeholders, including the Business Continuity, Risk, Operations, and IT departments.

Key actions:

• Conduct structured post-incident or post-exercise debriefs (“After-Action Reviews”).
• Capture observations, gaps, and successes in the Lessons Learned Log.
• Record metrics such as Recovery Time Actual (RTA) vs Recovery Time Objective (RTO).

Example:

During a power outage simulation at the Metrobank Head Office, IT teams observed a 15-minute delay in activating the backup data centre due to communication gaps.

This observation was recorded and classified as a “procedural delay,” triggering review and training improvements.

Step 2: Analyse Root Causes and Impacts

Each lesson learned should be reviewed to determine its root cause and potential systemic impact on critical services.

Key actions:

• Apply root cause analysis tools (e.g., 5 Whys, Fishbone Diagram).
• Assess which CBS systems or processes were most affected.
• Identify contributing factors such as resource shortages, unclear escalation, or technology dependencies.

Example:

In a disruption to Payments and Fund Transfers (CBS-2), analysis revealed that delayed incident escalation was due to unclear role ownership. This root cause analysis led to a revised incident response matrix defining explicit decision rights and escalation triggers.

Step 3: Prioritise Improvements and Assign Ownership

The lessons learned must be translated into targeted corrective and preventive actions.

Key actions:

• Categorise actions as Immediate, Medium-term, or Strategic.
• Assign responsible units and deadlines for each improvement item.
• Integrate improvement actions into Metrobank’s Operational Resilience Action Tracker.

Example:

A repeated network latency issue identified during testing of ATM Services (CBS-3) prompted IT Infrastructure to commit to deploying network redundancy by Q2 2026, while Risk Oversight monitors implementation progress.

Step 4: Integrate into Frameworks, Policies, and Training

Operational improvements must be embedded into the bank’s frameworks, policies, and staff training programs.

Key actions:

• Update the Business Continuity Plan (BCP) and Crisis Management Procedures.
• Incorporate new controls or metrics into the Operational Risk Management Framework.
• Deliver targeted training or communication refreshers to staff.

Example:

Following a phishing-related disruption, Metrobank’s Security Operations Centre incorporated new response checklists, and HR mandated quarterly phishing simulations for all employees in sensitive functions.

Step 5: Validate Improvements Through Retesting

To ensure effectiveness, improvements must be retested and validated in subsequent scenario tests or live events.

Key actions:

• Design follow-up exercises focusing on previously identified weaknesses.
• Measure performance improvement (e.g., reduced downtime, faster escalation).
• Confirm closure of improvement actions in official reports.

Example:

A follow-up cyber incident simulation showed a 35% reduction in detection-to-response time — validating the success of the prior procedural and training enhancements.

Step 6: Report and Review at Management Level

All findings, actions, and improvement results should be consolidated and presented to senior management and relevant governance committees.

Key actions:

• Present a “Lessons Learned Summary Report” during Operational Risk Committee meetings.
• Highlight major trends, recurring issues, and achieved improvements.
• Recommend policy updates for Board approval when systemic changes are required.

This practice aligns with BSP expectations for transparent governance and the Board’s ultimate accountability for maintaining operational resilience.

Example of BSP Compliance References

Metrobank’s improvement of lessons learned directly supports compliance with the following BSP requirements:

Template for Management Review: Lessons Learned Summary

Summing Up…

The Improving Lessons Learned stage marks the evolution of Metrobank’s operational resilience from reactive management to proactive foresight. By embedding structured learning mechanisms, Metrobank ensures that each experience — whether a crisis, test, or near-miss — becomes a catalyst for institutional growth.

This ongoing process not only refines Metrobank’s resilience posture but also reinforces its commitment to BSP’s expectations for continuous enhancement, robust governance, and sustained public confidence.

Through this discipline, Metrobank strengthens its ability to safeguard customer trust, protect critical operations, and uphold the stability of the Philippine financial ecosystem.

Ultimately, operational resilience is not a static goal — it is a dynamic journey of learning, improving, and adapting to an ever-changing risk landscape.

Metrobank’s structured approach to improving lessons learned ensures that it remains ahead of emerging challenges while continually raising the benchmark for resilience excellence in the banking industry.

Building Resilient Banking Operations: The Metrobank Operational Resilience Implementation Guide
"Implement" Phase of the Operational Resilience Planning Methodology
C8	C9	C10	C11	C12	C13

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.

 

More Information About OR-5000 [OR-5] or OR-300 [OR-3]

To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.

	If you have any questions, click to contact us.