[OR] [MBT] [E2] [P3] [S5] [C19] Conducting Independent Quality Reviews

Written by Moh Heng Goh | Nov 3, 2025 9:13:34 AM

Introduction

For Metrobank, operating in a dynamic financial-services environment in the Philippines, embedding operational resilience into ongoing governance and control processes is not a one-time project but an enduring capability.

In the Sustain phase of our Operational Resilience Planning Methodology, the “Conduct Independent Quality Review” stage plays a pivotal role: it ensures that the resilient-operations architecture remains effective, compliant, and continuously improving.

This chapter outlines how Metrobank should implement a structured independent review of its operational resilience framework, aligned with the Bangko Sentral ng Pilipinas (BSP) Guidelines on Operational Resilience and tailored to Metrobank’s size, complexity and local market context.

The purpose of the independent quality review is to provide an objective, third-line-of-defence assessment of the operational resilience programme: verifying governance structures, validating controls, identifying gaps, and recommending improvements.

Through systematically conducting such reviews, Metrobank enhances its ability to deliver critical operations through disruption, supports regulatory compliance, and fosters stakeholder confidence.

Implementation Steps with Examples

Below are the key steps Metrobank should follow when conducting an independent quality review of its operational resilience programme:

1. Define the scope and objectives of the review
  • What to do: Establish and document the review’s scope (e.g., business units, geographies, outsourced services), its objectives (e.g., compliance-check, control-effectiveness, maturity assessment), timeline, and deliverables.
  • Example for Metrobank: The Internal Audit or a designated independent review function sets out a review plan covering the Retail Banking Division, Treasury & Markets, and selected critical third-party service providers for the period January 2024 to June 2025.
  • Why it matters: The review must align with the BSP’s expectation that BSFIs (BSP-supervised financial institutions) maintain a robust resilience framework and periodically challenge it.
2. Assemble the review team and establish independence
  • What to do: Form a team whose members are independent of the business units under review and the first- and second-line functions. Define roles, responsibilities, reporting lines, and required competencies (e.g., business continuity, ICT risk, third-party risk).
  • Example for Metrobank: Metrobank’s Group Internal Audit selects two auditors with experience in business continuity and third-party governance, and engages an external consultant specialised in cyber-resilience controls.
  • Why it matters: The BSP guidelines emphasise that the third line (audit) “assesses the design and ongoing effectiveness of the BSFI’s operational resilience efforts” and should challenge the first and second lines.
3. Review governance, policies, and framework alignment
  • What to do: Check that Metrobank’s operational resilience governance structure (board oversight, senior-management sponsorship, three-lines-of-defence roles) is documented, up-to-date, and operating effectively. Review whether policies (operational resilience policy, business continuity management, third-party risk management) map to the BSP key elements: critical-operations identification, tolerance for disruption, mapping of interdependencies, scenario testing, recovery/response, and framework review.
  • Example for Metrobank: The review verifies that Metrobank’s Board-approved Operational Resilience Policy references the tolerance-for-disruption metric (e.g., maximum 48-hour interruption for the online banking platform) and that the policy has been updated following the BSP Circular.
  • Why it matters: Ensuring policy alignment helps Metrobank meet the regulatory requirement that the operational resilience framework be “approved by the board of directors” and integrated with the enterprise-wide risk management approach.
4. Evaluate critical-operations identification and tolerance-for-disruption metrics
  • What to do: Assess whether Metrobank has properly identified its critical operations (end-to-end), set tolerance thresholds (e.g., maximum downtime, transaction volumes), and tested those thresholds in scenarios. Inspect documentation of criteria, approvals, and periodic review.
  • Example for Metrobank: The review shows that Metrobank listed “ATM cash-dispense service,” “internet banking login/transaction services,” and “corporate payments settlement” as critical operations; that the bank set a tolerance of 6 hours for ATM downtime and 4 hours for internet banking; and that at the last tabletop test, internet-banking downtime exceeded 4 hours, triggering remediation.
  • Why it matters: The BSP guidelines require BSFIs to set disruption tolerances and link them to severe but plausible scenarios.
5. Assess mapping of interconnections and interdependencies
  • What to do: Examine whether Metrobank has conducted end-to-end mapping of each identified critical operation (people, processes, technology, supporting assets, third-party service-provider dependencies, inward and outward flows, and the points where vulnerabilities exist) and whether the mapping is maintained and updated.
  • Example for Metrobank: The review checks that Metrobank’s mapping covers the internet-banking service from user authentication through the web portal, mobile app, middleware, data centre and payment-gateway provider to the third-party cloud host, and notes that the mapping of the mobile-app API call chain is incomplete.
  • Why it matters: Understanding internal and external dependencies is key to identifying single points of failure. The BSP guidelines emphasise that mapping allows BSFIs to “identify and resolve vulnerabilities” in the delivery of critical operations.
6. Review risk-planning, third-party-management, and continuity capabilities
  • What to do: Verify that Metrobank has assessed risks to the delivery of critical operations (including emerging threats), that controls and mitigation plans are in place, that third-party service providers’ resilience capabilities are governed and aligned, and that business continuity plans (BCP) are integrated with the resilience framework.
  • Example for Metrobank: The review finds that Metrobank updated its third-party contracting templates in 2024 to include resilience clauses (service-continuity obligations, exit rights, substitution options) for its cloud-provider partner, and confirms that its BCP for the corporate-payments service is integrated with the resilience framework.
  • Why it matters: The guidelines highlight that resilience requires leveraging risk management, BCM, third-party governance, and ICT/cyber frameworks in an integrated way.
7. Conduct testing and scenario exercises, review results
  • What to do: Check that Metrobank has executed scenario-based testing (table-top, simulation, live) of critical operations under severe but plausible disruption scenarios (e.g., major typhoon, ransomware attack, major third-party outage), measured outcomes versus tolerance thresholds, documented issues and actions. Evaluate whether lessons learned were incorporated.
  • Example for Metrobank: The review finds a live simulation in March 2025 in which Metrobank simulated a data-centre power outage coupled with a high-volume ATM settlement load; the mobile-app and ATM services experienced 7 hours of degraded service, exceeding tolerance, which resulted in remediation actions (additional board-approved investment in backup power).
  • Why it matters: Testing demonstrates whether the bank can deliver its critical operations through disruption and stay within its tolerances. The BSP guidelines state that testing must be periodic and cover complex interdependencies and scenarios.
8. Review incident-response and recovery capability
  • What to do: Examine whether Metrobank has documented incident-response plans aligned to critical operations, with defined roles and responsibilities, escalation triggers, a communications plan (internal and external), recovery strategies, and invocation criteria. Ensure past incidents have been analysed, root-cause lessons captured, and recovery metrics measured. Also confirm that the process for notifying BSP within 24 hours of plan activation is in place.
  • Example for Metrobank: The review confirms that Metrobank’s incident-response plan includes a “Critical Operations Incident Response Team”, specifies board escalation within one hour if ATM settlement downtime exceeds 4 hours, and that during a November 2024 third-party outage the bank notified BSP within 24 hours, as the guideline requires.
  • Why it matters: The ability to respond and recover from disruption is fundamental to resilience; the BSP requires timely notification and clarity on roles and recovery.
9. Evaluate review, refinement, and continuous-improvement mechanisms
  • What to do: Assess whether Metrobank’s operational resilience framework includes periodic (e.g., annual or bi-annual) reviews, triggered reviews in case of material change (business model, technology, third-party), mechanisms to incorporate lessons learned, gap-tracking logs, metrics of control-effectiveness, and independent audit follow-up.
  • Example for Metrobank: The review finds that Metrobank’s resilience programme has an annual review schedule; after the March 2025 live-exercise, a post-mortem identified delayed response in mobile-app settlement; a root-cause report and board-approved remediation plan (with closure target end-Q3) exist.
  • Why it matters: Resilience is not static — the BSP guidelines emphasise that the framework must be dynamic and revised as the environment changes.
10. Produce review findings, report to the board and senior-management, and track remediation
  • What to do: The review team drafts a comprehensive report summarising scope, methodology, findings, control gaps, risk observations, remediation recommendations, priority actions, ownership, and targets. Present to senior management and board (or board committee) and establish tracking of remedial actions (with clear owners and timelines). Ensure follow-up reviews.
  • Example for Metrobank: Metrobank’s Independent Quality Review Report is submitted to the Board Risk Committee in July 2025; key findings include incomplete third-party dependency mapping, a breach in the mobile-app tolerance during testing, and a lack of formalised board-reporting metrics. The board approves a remediation plan with quarterly status updates.
  • Why it matters: Transparent reporting ensures senior-level visibility and accountability; remediation tracking closes the loop between review and improvement.

Compliance Examples (BSP Operational Resilience Requirements)

  • The BSP’s “Guidelines on Operational Resilience” apply to all BSP-supervised financial institutions (BSFIs), including solo and group-wide operations.
  • BSFIs must identify critical operations, defined as those processes, services, or activities whose disruption could cause material harm to customers, the institution, or the financial system.
  • BSFIs must set tolerance for disruption metrics (time-based, volume/value-based) and test those in severe but plausible scenarios.
  • BSFIs must map interconnections and interdependencies (including third-party and external infrastructure) for critical operations.
  • BSFIs must notify BSP within 24 hours when the incident response plan for a critical operation is activated; the notification must cover nature, duration, affected operations, whether tolerance breached, and actions taken.
  • BSFIs must integrate operational resilience into governance, risk management, business continuity, third-party, and ICT frameworks and must periodically review and update the framework.

By aligning the independent quality review with these regulatory requirements, Metrobank ensures not only internal improvement but also regulatory compliance and readiness for supervisory scrutiny.

The independent quality review stage in the Sustain phase is a vital mechanism for Metrobank to validate the strength, maturity, and effectiveness of its operational resilience framework—and to ensure continuous alignment with evolving threats and regulatory expectations.

By systematically working through the steps of defining scope, assembling an independent team, evaluating governance and controls, testing, deriving lessons, and reporting findings, Metrobank will strengthen its capacity to maintain delivery of critical operations even through significant disruption.

Aligned with the BSP’s operational resilience requirements, this review process not only supports regulatory compliance but also enhances stakeholder confidence and safeguards the bank’s role in the financial system ecosystem.

Ultimately, by institutionalising a culture of independent review and continuous improvement, Metrobank embeds resilience into its operational DNA and positions itself to thrive in a world of ever-increasing complexity.

Building Resilient Banking Operations: The Metrobank Operational Resilience Implementation Guide
"Sustain" Phase of the Operational Resilience Planning Methodology

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.