CBS-12 Third-Party / Outsourced Service Management
![[OR] [MBT] [E3] [CBS] [12] [ITo] Establish Impact Tolerances](https://no-cache.hubspot.com/cta/default/3893111/437dedd1-0563-4237-ab7b-4f8cc85522ba.png)
Establishing impact tolerances is a core requirement of Operational Resilience, ensuring that Metrobank can continue to deliver critical business services within acceptable disruption thresholds, even when supported by third parties or outsourced arrangements. For CBS-12 Third-Party / Outsourced Service Management, impact tolerances define the maximum level of disruption that Metrobank can tolerate before causing intolerable harm to customers, breaching regulatory obligations, or undermining market confidence.
In line with regulatory expectations and the principles outlined in “What is Impact Tolerance in Operational Resilience, impact tolerances are expressed through outcome-focused measures such as Maximum Tolerable Downtime (MTD) and Maximum Tolerable Data Loss (MTDL), rather than traditional recovery objectives.
These tolerances reflect Metrobank’s risk appetite, the criticality of third-party dependencies, and the potential systemic impact of prolonged disruption.
![Banner [Table] [OR] [E3] Establish Impact Tolerance](https://no-cache.hubspot.com/cta/default/3893111/627c33a8-714d-40af-9a2b-0d7957fb8afa.png)
Table P4: Establish Impact Tolerance for CBS-12
|
Sub-CBS Code |
Sub-CBS |
Maximum Tolerable Downtime (MTD) |
Maximum Tolerable Data Loss (MTDL) |
Customer Impact |
Regulatory Impact |
Impact Type |
Current Resilience Status |
Action Required |
|
12.1 |
Vendor Risk Management |
72 hours |
No data loss tolerated |
Indirect service degradation due to delayed risk assessments and onboarding |
Potential non-compliance with BSP third-party risk management guidelines |
Operational / Regulatory |
Generally adequate, periodic reviews in place |
Enhance automation of vendor risk assessments and increase frequency for critical vendors |
|
12.2 |
Third-Party Contract Management |
48 hours |
Minimal loss (≤ 4 hours of contract updates) |
Delays in enforcing SLAs and contractual protections |
Risk of contractual and regulatory breaches |
Legal / Regulatory |
Moderate, reliant on manual processes |
Digitise contract repositories and improve version control |
|
12.3 |
Outsourced Service Monitoring |
24 hours |
No data loss tolerated |
Delayed detection of service degradation affecting customer-facing services |
Heightened supervisory concern if issues go undetected |
Operational / Reputational |
Strong for key vendors, weaker for non-critical ones |
Expand real-time monitoring coverage to all material outsourced services |
|
12.4 |
Service Continuity Planning |
24 hours |
No data loss tolerated |
Prolonged service disruption during third-party incidents |
Breach of operational resilience and outsourcing requirements |
Operational / Systemic |
Partially mature, uneven across vendors |
Standardise continuity requirements and conduct joint resilience testing |
|
12.5 |
Compliance and Regulatory Assurance |
48 hours |
No data loss tolerated |
Limited immediate customer impact |
High risk of regulatory findings or penalties |
Regulatory |
Adequate but resource-dependent |
Strengthen compliance tracking tools and independent assurance reviews |
|
12.6 |
Incident Management and Response |
12 hours |
No data loss tolerated |
Rapid escalation of customer harm if incidents are not managed promptly |
Immediate regulatory scrutiny for major incidents |
Operational / Reputational |
Strong for critical incidents, improving for minor ones |
Enhance third-party incident reporting timelines and escalation protocols |
![Banner [Summing] [OR] [E3] Establish Impact Tolerance](https://no-cache.hubspot.com/cta/default/3893111/5e80e50f-5e3e-44ea-8c43-16bf42d4f3b5.png)
The establishment of clear and proportionate impact tolerances for CBS-12 Third-Party / Outsourced Service Management enables Metrobank to move beyond traditional recovery metrics and focus on preventing intolerable harm.
By defining outcome-based thresholds for downtime, data loss, and regulatory exposure, Metrobank strengthens its ability to manage systemic risks arising from third-party dependencies.
The assessment highlights that while core controls and governance structures are largely in place, resilience can be further enhanced through greater automation, standardisation of third-party continuity expectations, and expanded monitoring of outsourced services.
Ongoing scenario testing against these impact tolerances will ensure they remain credible, actionable, and aligned with Metrobank’s evolving business model and regulatory landscape.
Overall, this approach supports a proactive, customer-centric, and regulator-ready Operational Resilience posture, reinforcing Metrobank’s ability to withstand, adapt to, and recover from disruptions within its third-party ecosystem.
![[OR] [MBT] [E3] [CBS] [12] [DP] Third-Party Outsourced Service Management](https://no-cache.hubspot.com/cta/default/3893111/7c07a042-eb9c-4f76-bf19-10435fa89d38.png)
![[OR] [MBT] [E3] [CBS] [12] [MD] Map Dependency](https://no-cache.hubspot.com/cta/default/3893111/f3043f5e-a02d-4463-94db-25e2488c9c8a.png)
![[OR] [MBT] [E3] [CBS] [12] [MPR] Map Processes and Resources](https://no-cache.hubspot.com/cta/default/3893111/6e3d60b9-54c5-47d4-9b44-5c842a90a2e7.png)
![[OR] [MBT] [E3] [CBS] [12] [SuPS] Identify Severe but Plausible Scenarios](https://no-cache.hubspot.com/cta/default/3893111/6de9bd0a-8756-40ae-9112-e8a3d5f8999e.png)
![[OR] [MBT] [E3] [CBS] [12] [ST] Perform Scenario Testing](https://no-cache.hubspot.com/cta/default/3893111/f99d5c42-5159-4b7b-a657-c407b0bc1dad.png)
Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.
More Information About OR-5000 [OR-5] or OR-300 [OR-3]
To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.
![[BL-OR] [3-4-5] View Schedule](https://no-cache.hubspot.com/cta/default/3893111/d0d733a1-16c0-4b68-a26d-adbfd4fc6069.png)
![[BL-OR] [3] FAQ OR-300](https://no-cache.hubspot.com/cta/default/3893111/f20c71b4-f5e8-4aa5-8056-c374ca33a091.png)
![Email to Sales Team [BCM Institute]](https://no-cache.hubspot.com/cta/default/3893111/3c53daeb-2836-4843-b0e0-645baee2ab9e.png)
