Building Resilient Banking Operations: The Metrobank Operational Resilience Implementation Guide

Providing Self-Assessment


In the Sustain phase of an operational resilience planning methodology, the organisation shifts from building and embedding resilience capabilities to monitoring, verifying, and continuously improving those capabilities so that they remain effective over time.

The “Provide Self-assessment” stage is therefore crucial: it enables Metrobank to take a forward-thinking and proactive stance, to measure how well its resilience framework is performing, identify gaps, and drive action to strengthen those areas before a disruption occurs.

This chapter presents a detailed roadmap of implementation steps, with examples relevant to Metrobank in the Philippines (including compliance with BSP’s operational resilience guidelines) and illustrative application in a banking context.

Self-assessments

Moh Heng Goh
Operational Resilience Certified Planner-Specialist-Expert


Implementation Steps & Practical Examples

Below are the key steps that Metrobank should undertake in its self-assessment work, aligned to the Sustain phase, with examples tailored to its context.

Step 1 – Define the scope and objectives of the self-assessment

What to do

  • Clarify which parts of the operational resilience framework will be assessed (governance, critical-operations mapping, tolerance for disruption, scenario testing, third-party dependencies, recovery capabilities, etc.).
  • Set the objectives: e.g., “verify that critical operations are still correctly identified and mapped”, “confirm that our tolerance for disruption remains valid given the changed business environment”, “ensure third-party resilience meets our requirements”.
  • Assign roles and responsibilities: which team/unit will lead the self-assessment (e.g., Operational Risk team, Resilience Office), who will be accountable, and who will provide data.
  • Determine the timeline and frequency: e.g., every 12 months, or more frequently after major changes.

Example for Metrobank

  • Metrobank decides that its self-assessment will cover all domestic banking operations (branches, digital banking, and payments clearing) and associated vendor dependencies for the upcoming fiscal year.
  • The objective is to validate that the bank remains compliant with the BSP’s new guidelines on operational resilience, particularly the identification of critical operations and tolerance thresholds.
  • The Operational Risk department, together with Internal Audit (“third line”), will lead the assessment and report to the Board Risk Committee.

Step 2 – Collect and review the relevant documentation and data

What to do

  • Gather existing policies, procedures, frameworks: e.g., Metrobank’s operational resilience policy, business continuity plans, recovery plans, vendor-outsourcing policies.
  • Retrieve key mappings: list of critical operations, supporting assets (people, technology, information, facilities), and interdependencies.
  • Retrieve tolerance metrics: time-to-recover, volume/transaction thresholds, customer impact limits.
  • Retrieve previous test results, incident records, and lessons-learned logs.
  • Compare documentation against the latest regulatory requirements (in this case, BSP’s guidelines) to ensure alignment.

Example for Metrobank

Metrobank reviews its critical operations catalogue and sees that while payments clearing and digital retail banking were listed initially, the mobile-wallet top-up service has grown significantly and may now warrant critical status.

It also obtains its last two scenario-testing results, incident logs from the past 12 months (including system outages and cyber incidents), and vendor risk assessments for key outsourced services (e.g., data centre hosting).

The bank checks the policy wording against the BSP guidelines to ensure that terms such as “tolerance for disruption,” “severe but plausible scenario,” and “mapping of interconnections and interdependencies” are reflected.

Step 3 – Perform the self-assessment questionnaire and gap analysis

What to do:

  • Use a structured self-assessment questionnaire (SAQ) aligned to the resilience framework (e.g., governance, identification of critical operations, tolerance setting, mapping, testing, third-party management, recovery & response).
  • For each question or criterion, rate compliance (e.g., “Fully compliant”, “Partially compliant”, “Non-compliant”).
  • Document evidence and identify gaps (where controls/practices do not meet the framework or regulatory expectations).
  • Prioritise gaps by risk severity and impact (e.g., those affecting critical operations or exceeding tolerance thresholds).

Example for Metrobank:

Using an SAQ derived from the BSP guidelines (which call for self-assessment questionnaires as part of compliance), Metrobank completes items such as:

  • “Has the Board approved criteria for identifying critical operations?” → Metrobank: “Yes” — evidence: Board minutes 2023.
  • “Has the tolerance for disruption been set for each identified critical operation?” → Metrobank: “Partially compliant” — some operations have time-to-recover metrics; others only broad qualitative statements.
  • “Has mapping of interconnections and inter-dependencies (including third parties) been carried out and updated?” → Metrobank: “Non-compliant” — last mapping done in 2022; vendor landscape has changed.
  • “Are regular scenario tests performed to verify that critical operations can be delivered through severe but plausible disruptions within tolerance?” → Metrobank: “Partially compliant”.

Metrobank then produces a gap-analysis sheet that shows, for instance, the need to update the third-party mapping and to revise tolerance metrics for its mobile-wallet service (which has grown).

Step 4 – Design and implement improvement action plans

What to do

  • For each identified gap, develop an action plan: define the remediation task, the responsible owner, the target completion date, and the success criteria.
  • Integrate those action plans into Metrobank’s broader operational resilience programme and link to governance oversight (Board/Risk Committee).
  • Ensure resources are allocated, and that progress is tracked via regular updates.
  • Where appropriate, integrate these action plans with business-continuity, recovery, and crisis-management initiatives.

Example for Metrobank

Based on the gap analysis, Metrobank develops an action plan:

  • Gap: Vendor/inter-dependency mapping outdated — Task: conduct updated mapping of third-party vendors supporting critical operations, especially the data-centre provider and cloud-services providers; Owner: Head of Vendor Risk; Due date: Q2 2025; Success criteria: complete vendor list, identify substitutable vendors, integrate into resilience map.
  • Gap: Tolerance for disruption not defined for mobile-wallet top-up service — Task: define time-to-recover (TTR) metric (e.g., 2 hours), volume/transaction threshold (e.g., 99% uptime for a 24-hour window), and update policy; Owner: Head of Digital Banking; Due date: Q3 2025; Success criteria: board approval & inclusion in resilience framework.
  • Gap: Scenario-testing frequency lower than desirable — Task: schedule annual full-scale test + semi-annual shorter table-top; Owner: Business Continuity Manager; Due date: Q4 2025; Success: test results submitted, lessons logged, action items tracked.

The Board Risk Committee reviews these action plans quarterly, monitors status, and ensures that all gaps are closed within acceptable timeframes.

Step 5 – Monitor, report, and escalate findings

What to do

  • Establish monitoring metrics and dashboards showing compliance status, gap-closure progress, key incidents, test outcomes, and resilience-performance indicators.
  • Provide periodic reports (e.g., quarterly) to senior management and the Board: summarising self-assessment results, major findings, trending issues, and action-plan progress.
  • Escalate any major breaches of tolerance for disruption, or evidence that a critical operation cannot be delivered within tolerance, to the senior management or Board immediately.
  • Ensure transparency: for example, according to BSP guidelines, BSFIs must report to BSP within 24 hours when an incident response plan for critical operations is activated.
  • Plan for re-assessment: set the next self-assessment cycle, incorporate lessons learned, and update the framework accordingly.

Example for Metrobank

  • Metrobank implements a dashboard that tracks: number of open action-items from the self-assessment, % of critical operations with defined tolerance metrics, vendor-mapping coverage, % of updated vendors, scenario-testing results/percentage passed.
  • In Q1 2025, the dashboard showed: 30% gap-items still open, 85% of critical operations with current tolerance metrics, vendor-mapping 70% complete. This was presented to the Board Risk Committee.
  • A vendor outage in the cloud platform in March that lasted 3 hours triggered the incident-response plan for the mobile-wallet critical operation: Metrobank notified BSP within 24 hours, as required, including the nature of the disruption, affected critical operation, whether tolerance was breached (yes, 3 hours > 2-hour target), and actions taken.
  • The incident was escalated to the Board. The remediation action plan was reopened, and the schedule was compressed.

Step 6 – Embed continuous improvement and learning

What to do

  • Use findings from self-assessment and real-life incidents to update the operational resilience framework: critical-operation lists, tolerance metrics, scenario lists, and vendor assessments.
  • Conduct lessons-learned workshops after major disruptions or test failures.
  • Align with the evolving threat environment (cyber threats, natural disasters, climate-related hazards, vendor supply-chain risks) and regulatory developments (e.g., changes in BSP guidelines or expectations).
  • Reinforce governance and culture: ensure that operational resilience is a “business-as-usual” discipline across functions, not just a compliance exercise.

Example for Metrobank

  • After the vendor-outage incident, Metrobank held a lessons-learned session: discovered that notification protocols were unclear and that the mobile-wallet business lacked a backup-provider contract.
  • The bank updated its framework to include a “substitutability of outsourced services” assessment, expanded scenario testing to include a simultaneous cyber-attack and vendor failure, and added a climate scenario (e.g., major typhoon disruption) given the Philippine context.
  • The action plans and policy documents were updated, and training sessions for business units and third-party risk teams were refreshed.
  • Going forward, Metrobank plans to perform self-assessment mid-year, not just annually, to ensure a forward-looking posture.

Compliance Requirements – Highlights from BSP Guidelines

Here are some of the key regulatory requirements (or regulatory-expectation themes) from the BSP guidelines that Metrobank must incorporate into its self-assessment and operational resilience programme:

  • The guidelines apply to all BSP-supervised financial institutions (BSFIs) on both a solo and group-wide basis (including parent banks and material entities).
  • BSFIs must identify their critical operations (activities, processes, services, and supporting assets) where disruption could cause material harm to the institution, its customers, or the financial system.
  • BSFIs must set a tolerance for disruption for each identified critical operation — this is the maximum level of disruption the institution is willing to accept (time-based metric, volume/transaction thresholds, customer impact) under severe but plausible scenarios.
  • BSFIs must determine a range of severe but plausible scenarios (of varying nature, severity, and duration) relevant to their business and risk profile.
  • BSFIs must map interconnections and inter-dependencies (internal, third-party, intragroup) for the delivery of critical operations.
  • BSFIs must integrate their operational resilience framework into existing governance, risk-management and business-continuity arrangements (i.e., operational risk management, outsourcing/third-party risk, business-continuity, cyber-resilience) rather than treat it as separate.
  • BSFIs must conduct regular testing of their capability to deliver critical operations through disruption within tolerance (scenario testing, business-continuity exercises).
  • Reporting and notification: BSFIs must disclose in their annual reports the overarching approach to operational resilience, and must inform the relevant supervisory department of BSP within 24 hours of activation of their incident-response plan for a critical operation, specifying the nature/duration/root cause of disruption, affected critical operations, status of tolerance breach, and actions taken.
  • The guidelines emphasise that operational resilience is not optional but a core requirement in support of financial-system stability and continuity of essential services.

By aligning Metrobank’s self-assessment stage to these regulatory expectations, the bank ensures both compliance and improved resilience.

The self-assessment process becomes a means not just of “checking a box” but of continuously strengthening the organisation’s ability to deliver critical services under stress.

Summing Up

The “Provide Self-assessment” stage of the Sustain phase represents a pivotal juncture in Metrobank’s operational resilience journey.

By methodically assessing how well its resilience framework is functioning, identifying and prioritising gaps, executing remediation plans, and embedding a culture of continuous improvement, Metrobank not only meets regulatory expectations from the BSP but also positions itself to stay ahead of evolving threats and disruptions.

In doing so, the bank safeguards its ability to deliver critical operations reliably, supports its customers, and maintains trust in the financial system.

As the bank moves forward, the self-assessment cycle should become an integral component of its business-as-usual risk-governance framework—ensuring that resilience is not a one-time effort, but a dynamic, forward-looking capability.

 
