Introduction
In the context of operational resilience, adopting new processes, frameworks, and systems is only half the challenge. Equally critical—and often more difficult—is embedding a culture of resilience throughout the organisation so that people, behaviours and mindset evolve to support the desired state of continuity and response readiness.
For Metrobank, operating in the Philippines and subject to the regulatory framework of the Bangko Sentral ng Pilipinas (BSP), this means moving beyond compliance — to building an organisational habit of resilience.
This chapter addresses the Cultural Change Management stage within the Sustain phase of operational resilience planning. It outlines how Metrobank can implement cultural change to embed resilience, how this supports the resilience framework required by the BSP, and provides practical implementation steps and examples to guide the bank’s transformation.
The Case for Cultural Change in Operational Resilience
Before diving into implementation steps, it is essential to reflect on why cultural change matters for operational resilience and how it aligns with regulatory expectations:
- Operational resilience frameworks often emphasise identifying critical operations, mapping interdependencies, setting tolerance for disruption, testing, responding and reviewing. The BSP’s “Guidelines on Operational Resilience” (e.g., via Circular No. 1203 and related) require supervised financial institutions (BSFIs) to embed resilience across their governance, risk, continuity and recovery frameworks.
- However, frameworks, plans, and strategies alone do not guarantee that when a disruption strikes, individuals will respond, teams will cooperate, third parties will align, and lessons will be embedded. Culture bridges that gap: it ensures people understand their roles, take personal responsibility, speak up about risks, and act in accordance with the bank’s resilience objectives.
- For Metrobank, this means cultivating behaviours such as: proactively identifying vulnerabilities, advocating resilient design in projects, testing and exercising with seriousness, learning from disruptions, and continuously updating practices.
- From a regulatory compliance perspective, cultural change supports key elements of the BSP guidelines: e.g., governance oversight (board and senior management must understand resilience), the three lines of defence model, integration of resilience into risk and continuity frameworks, third-party management, testing and review.
- Ultimately, cultural change helps ensure that the Sustain phase of operational resilience is viable: that resilience becomes built into the bank’s DNA rather than being treated as a one-off project.
Implementation Steps for Cultural Change Management
Below is a recommended step-by-step implementation approach for Metrobank to introduce and sustain cultural change in support of its operational resilience programme. For each step, we provide an elaboration and a relevant example.
1. Leadership Commitment & Vision Setting
Elaboration:
- Secure active and visible commitment from the Board of Directors, the Chief Executive Officer, and senior management. They must articulate a clear vision of what resilience means for Metrobank—for its customers, operations, reputation and regulatory standing.
- Define a simple, compelling message (e.g., “Metrobank resilient by design”, “We ensure service continuity for every customer when it matters most”).
- Embed resilience as a priority in strategy, corporate values, performance objectives, and leadership dashboards.
- Ensure that the Board and senior management understand the BSP’s resilience expectations and link those to Metrobank’s cultural ambition.
Example:
Metrobank’s Board approves a “Resilience & Continuity” statement, making it a core value alongside “Customer First” and “Integrity”.
The CEO delivers a town-hall address announcing a new “Resilient Metrobank” initiative, emphasising that every employee – from branch staff to IT – plays a role. The Board receives quarterly resilience-metric reports and asks questions about staff awareness, third-party readiness, and “lessons learned” from exercises.
2. Cultural Assessment & Baseline Measurement
Elaboration:
- Conduct a baseline assessment of current organisational culture with respect to resilience: attitudes, behaviours, awareness, understanding of roles, accountability, prior exercise participation, communication flows, third-party engagement.
- Use surveys, focus groups, interviews, observation, and reviews of past disruptions/exercises.
- Identify gaps: e.g., limited awareness of critical operations, weak coordination between business and IT, low third-party scrutiny, and lack of ownership.
- Establish baseline metrics: e.g., percentage of staff trained in resilience, number of business units with defined critical-operation champions, exercise participation rates, number of lessons-learned action items closed, third-party resilience clauses embedded.
Example:
Metrobank rolls out an internal “Resilience Culture Survey” to all business units and support functions.
Results show that while 70% of IT staff understand the business continuity plan, only 30% of branch operations staff know the bank’s defined “critical operations”. Similarly, < 25% of third-party vendors have been audited for resilience readiness. This baseline becomes the reference point for future improvement.
3. Define Desired Behaviours & Role-modelling
Elaboration:
- Based on the assessment, define a set of desired behavioural traits and role expectations aligned to resilience objectives. For example:
- Business-unit leaders proactively identify and own their critical operations.
- Staff promptly escalate anomalies or risks even when outside their normal responsibilities.
- Third-party vendor managers assess resilience readiness and enforce contract requirements.
- Project managers embed resilience criteria (e.g., fail-over capability, service continuity clauses) into new initiatives.
- Develop role-modelling by senior leaders (leading by example), resilience champions across business units, and cross-functional teams.
- Communicate and publicise these behaviours widely so they become part of everyday language.
Example:
Metrobank appoints “Resilience Champions” in each business unit – three in branch operations, two in digital banking, one in IT infrastructure, and one in vendor management.
These champions lead monthly resilience forums where near-misses, vendor issues, and exercise outputs are discussed. Senior management, in those forums, share how they responded to a simulated cyber incident and what learning emerged – showing role-modelling.
4. Embed Culture via Training, Communication and Incentives
Elaboration:
- Roll out training programmes tailored by role (board, senior management, business units, support functions, third-parties) on resilience concepts, roles and responsibilities, scenarios, governance, and third-party risk.
- Develop communication campaigns: posters, intranet articles, videos, quizzes, resilience-week events, “What would you do if…” scenario challenges.
- Link performance incentives and recognition programmes to resilience behaviours: e.g., embed resilience KPIs in annual performance plans, recognise teams that successfully execute resilience drills or improve continuity readiness, publish “Resilience Hero” awards.
- Ensure third-party vendor contract managers also receive training in resilience expectations and incorporate vendor-readiness topics in vendor forums.
Example:
Metrobank launches “Resilience Week” every April: each day features a different theme (e.g., “Critical Operations”, “Third-Party Resilience”, “Cyber and Supply-Chain Disruption”, “Business Continuity Exercise Day”).
All staff are offered a short e-learning module. Branch staff complete a micro-training on “ensuring service continuity in a typhoon scenario” (Philippines being prone to natural disasters).
Furthermore, resilience KPIs such as “business unit maintains ≤ X vendor non-compliance issues” are integrated into the staff scorecard.
5. Align Processes, Structures and Systems with Culture
Elaboration:
- Review and adjust business processes, governance structures, and risk frameworks to support the cultural change. This includes:
- Ensuring the governance structure of the resilience framework (board oversight, first/second/third line of defence) is clearly defined.
- Embedding resilience ownership roles in business units (e.g., critical-operations owner, third-party resilience manager, incident response lead).
- Ensuring processes for third-party onboarding include resilience assessments and contract clauses for continuity and exit strategy (in line with BSP guidance).
- Integrating resilience metrics into existing dashboards, risk registers and business continuity processes.
- Ensuring systems (such as vendor management systems, incident tracking systems, exercise management systems) reflect the culture.
Example:
Metrobank updates its vendor onboarding process: before contracting a critical service provider (e.g., data-centre operations, core banking outsourcing), the vendor must complete a resilience self-assessment, prove the ability to support Metrobank’s tolerance for disruption, and include a service-continuity clause in the contract.
The vendor management system tracks vendor resilience status monthly. The risk-dashboard now shows resilience KPIs: number of critical-operation owners trained, number of vendor resilience gaps open, and exercise completion rate.
6. Conduct Regular Exercises, Feedback and Learning
Elaboration:
- Plan and execute regular drills, simulations and exercises covering the spectrum of plausible disruptions (cyberattack, natural disaster, vendor failure, payment-system outage) as required by the BSP guidelines.
- After each exercise or real-life incident, conduct a lessons-learned review and feed improvements into the framework, behaviours, training and process updates.
- Publicise results (successes and findings) across the organisation to reinforce what works and where improvement is needed.
- Encourage a “blame-free” culture of reporting near-misses, anomalies, vulnerabilities and ensure corrective actions are visible and tracked.
Example:
Metrobank runs a “vendor failure” simulation exercise: a major outsourced payment-processing provider fails for 8 hours. The exercise involves branch operations, IT, vendor management, communications, and senior leadership.
After the exercise, a report shows that the bank’s tolerance for disruption (8 hours) would have been nearly breached due to a lack of alternative vendor routing.
Findings are shared via the intranet and in unit town halls. A remediation plan is tracked: alternate vendor onboarding, revised vendor routing playbook, business-unit resilience training.
7. Monitor, Measure, Recognise and Sustain Momentum
Elaboration:
- Define key performance indicators (KPIs) and culture-metrics (e.g., training completion, exercise participation, reporting of near-misses, vendor session attendance, staff survey scores on resilience awareness).
- Monitor these metrics regularly; provide dashboards to senior leadership; tie into performance reviews and incentives.
- Recognise teams or individuals who demonstrate a resilience mindset and behaviours (e.g., “Resilience Champion of the Quarter”, “Vendor Resilience Award”).
- Periodically refresh the communications campaign to maintain momentum (avoid single-event fatigue).
- Anchor resilience culture into the bank’s ongoing operations so that it becomes “business as usual” rather than a project.
Example:
Metrobank publishes a quarterly “Resilience Scorecard” to the executive committee:
- 95% of staff completed resilience training this quarter
- Participation in branch-level drills increased from 60% to 85%
- Number of vendors with resilience self-assessment completed: 120 (versus target 150)
- Near-miss incidents reported: 35 (versus previous period 20)
The top-performing business unit receives a “Resilience Excellence” award at the annual all-staff conference.
8. Integrate Continuous Improvement and Embedding into the Sustain Phase
Elaboration:
- As part of the Sustain phase, ensure cultural change is not seen as a one-time initiative but an ongoing evolution.
- Use data from exercises, actual incidents, vendor disruptions, and regulatory updates (e.g., new BSP guidelines) to refine the culture programme.
- Align with the BSP requirement that the operational resilience framework be reviewed, refined and updated when there are material changes in operations, business model or external environment.
- Maintain a governance loop: board oversight → metrics review → corrective action → cultural reinforcement → training → repeat.
Example:
Following the release of a new BSP Circular updating resilience expectations, Metrobank convenes its resilience steering committee and updates its training curriculum, vendor clauses, and internal communication campaign.
The resilience champions convene to share updated best practices and adapt their business‐unit forums accordingly. The cycle continues into next year’s roadmap.
Compliance Requirements (Examples)
For Metrobank, operating in the Philippines and supervised by the BSP, there are specific compliance requirements in relation to operational resilience. Here are examples:
- Under the BSP’s “Guidelines on Operational Resilience” (via Circular No. 1203 and associated amendments), banks must identify critical operations, set tolerance for disruption, and determine severe but plausible scenarios.
- The BSP requires mapping of interconnections and interdependencies across critical operations (including third-party service providers).
- Banks must integrate resilience into governance (board oversight, three lines of defence) and ensure senior management accountability.
- Banks must include resilience in their annual reports – disclosing the overarching approach and key information on resilience components.
- Incident notification: supervised institutions must inform the BSP within 24 hours of the activation of the incident response plan for critical operations, with details such as nature, duration, root cause, impact, status of tolerance breach, and actions taken.
- Continuous review and refinement: the resilience framework must be regularly reviewed and updated when material changes occur in the business or operating environment.
- Third-party resilience requirements: banks must ensure that service providers involved in critical operations meet or support the bank’s resilience tolerance and contract terms, including exit strategies.
Metrobank should view these regulatory requirements not just as a compliance checklist, but as enablers of building a culture where the institution is prepared, adaptive, and resilient.
Cultivating a resilient culture at Metrobank is fundamental to turning operational resilience from plan into practice. While frameworks, governance, and tools are essential, it is the people—across branches, support functions, vendors, and leadership—who deliver continuity, react when disruptions strike, and learn to adapt and improve.
By following the steps of leadership commitment, assessment, behaviour definition, embedding through training and process alignment, exercising and measuring, and sustaining through continuous improvement, Metrobank can strengthen its resilience posture in a way that aligns with the BSP’s regulatory expectations and supports its long-term operational stability and reputation.
In the Sustain phase of the operational resilience planning methodology, cultural change management is the glue that holds everything together—ensuring that resilience becomes part of the bank’s identity, not just a regulatory requirement or project milestone. With a strong culture, Metrobank will be better positioned to withstand disruptions, serve its customers without interruption, and contribute to the stability of the Philippine financial system.
Building Resilient Banking Operations: The Metrobank Operational Resilience Implementation Guide
"Sustain" Phase of the Operational Resilience Planning Methodology
Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.