| Sub-CBS Code | Sub-CBS | Maximum Tolerable Downtime (MTD) | Maximum Tolerable Data Loss (MTDL) | Customer Impact | Regulatory Impact | Impact Type | Current Resilience Status | Action Required |
|---|---|---|---|---|---|---|---|---|
| 12.1 | Vendor Risk Management | 72 hours | No data loss tolerated | Indirect service degradation due to delayed risk assessments and onboarding | Potential non-compliance with BSP third-party risk management guidelines | Operational / Regulatory | Generally adequate, periodic reviews in place | Enhance automation of vendor risk assessments and increase frequency for critical vendors |
| 12.2 | Third-Party Contract Management | 48 hours | Minimal loss (≤ 4 hours of contract updates) | Delays in enforcing SLAs and contractual protections | Risk of contractual and regulatory breaches | Legal / Regulatory | Moderate, reliant on manual processes | Digitise contract repositories and improve version control |
| 12.3 | Outsourced Service Monitoring | 24 hours | No data loss tolerated | Delayed detection of service degradation affecting customer-facing services | Heightened supervisory concern if issues go undetected | Operational / Reputational | Strong for key vendors, weaker for non-critical ones | Expand real-time monitoring coverage to all material outsourced services |
| 12.4 | Service Continuity Planning | 24 hours | No data loss tolerated | Prolonged service disruption during third-party incidents | Breach of operational resilience and outsourcing requirements | Operational / Systemic | Partially mature, uneven across vendors | Standardise continuity requirements and conduct joint resilience testing |
| 12.5 | Compliance and Regulatory Assurance | 48 hours | No data loss tolerated | Limited immediate customer impact | High risk of regulatory findings or penalties | Regulatory | Adequate but resource-dependent | Strengthen compliance tracking tools and independent assurance reviews |
| 12.6 | Incident Management and Response | 12 hours | No data loss tolerated | Rapid escalation of customer harm if incidents are not managed promptly | Immediate regulatory scrutiny for major incidents | Operational / Reputational | Strong for critical incidents, improving for minor ones | Enhance third-party incident reporting timelines and escalation protocols |

The establishment of clear and proportionate impact tolerances for CBS-12 Third-Party / Outsourced Service Management enables Metrobank to move beyond traditional recovery metrics and focus on preventing intolerable harm.
By defining outcome-based thresholds for downtime, data loss, and regulatory exposure, Metrobank strengthens its ability to manage systemic risks arising from third-party dependencies.
The assessment highlights that while core controls and governance structures are largely in place, resilience can be further enhanced through greater automation, standardisation of third-party continuity expectations, and expanded monitoring of outsourced services.
Ongoing scenario testing against these impact tolerances will ensure they remain credible, actionable, and aligned with Metrobank’s evolving business model and regulatory landscape.
Overall, this approach supports a proactive, customer-centric, and regulator-ready Operational Resilience posture, reinforcing Metrobank’s ability to withstand, adapt to, and recover from disruptions within its third-party ecosystem.
Building Resilient Banking Operations: The Metrobank Operational Resilience Implementation Guide
eBook 3: Starting Your OR Implementation
CBS-12 Third-Party / Outsourced Service Management