Mapping interconnections and interdependencies is a foundational activity in Operational Resilience, as it provides a clear line of sight between a Critical Business Service (CBS) and the people, processes, technology, and third parties that enable its delivery.
For CBS-12 Third-Party / Outsourced Service Management, dependency mapping is particularly critical due to Metrobank’s reliance on external vendors and service providers for key operational, technology, and support functions.
This mapping exercise identifies how outsourced arrangements are governed, monitored, and sustained, and how failures in any dependency could impact service continuity, regulatory compliance, and customer outcomes.
By systematically documenting these dependencies, Metrobank can better assess vulnerabilities, identify single points of failure, and strengthen resilience across its extended enterprise.
|
Sub-CBS Code |
Sub-CBS |
Dependency Type |
Dependency Detail (What / Who is involved) |
Connectivity (How it connects/interacts with the CBS or other components) |
|
12.1 |
Vendor Risk Management |
People |
Vendor risk analysts, procurement officers, and risk management team |
Conduct vendor due diligence, risk assessments, and ongoing risk reviews that feed into third-party onboarding and oversight processes |
|
|
|
Process |
Vendor risk assessment framework, due diligence procedures, risk rating methodology |
Defines how third-party risks are identified, assessed, approved, and escalated across the CBS lifecycle |
|
|
|
Technology |
Vendor risk management systems, risk registers, and document repositories |
Stores vendor profiles, risk assessments, supporting documents, and approval records used across CBS-12 |
|
|
|
Third Party |
External vendors, outsourced service providers |
Subject to initial and ongoing risk assessments to ensure an acceptable risk posture |
|
12.2 |
Third-Party Contract Management |
People |
Legal team, procurement team, contract managers |
Draft, review, negotiate, and manage third-party contracts supporting CBS-12 |
|
|
|
Process |
Contract lifecycle management, SLA definition, renewal, and termination procedures |
Ensures contractual clarity on service scope, performance, risk ownership, and resilience requirements |
|
|
|
Technology |
Contract management system, document management tools |
Enables access to active contracts, SLAs, and obligations used for monitoring and enforcement |
|
|
|
Third Party |
Legal advisors, external service providers |
Participate in contract negotiations and are bound by agreed contractual terms |
|
12.3 |
Outsourced Service Monitoring |
People |
Vendor managers, service owners, operations team |
Monitor service delivery, performance metrics, and issue resolution for outsourced services |
|
|
|
Process |
SLA monitoring, KPI reporting, and performance review meetings |
Translates contractual obligations into measurable performance oversight |
|
|
|
Technology |
Monitoring dashboards, reporting tools, and ticketing systems |
Collects performance data and supports escalation and corrective action processes |
|
|
|
Third Party |
Outsourced service providers |
Provide service performance data and participate in reviews and remediation |
|
12.4 |
Service Continuity Planning |
People |
Business continuity managers, vendor managers, third-party contacts |
Coordinate continuity planning and recovery arrangements for outsourced services |
|
|
|
Process |
Third-party BCP review, resilience testing, contingency planning |
Ensures outsourced services can continue or recover within acceptable tolerances |
|
|
|
Technology |
BCP repositories, resilience testing tools, and communication platforms |
Supports documentation, testing outcomes, and coordination during disruptions |
|
|
|
Third Party |
Vendors with critical services |
Maintain and test their own BCPs aligned to Metrobank’s service continuity expectations |
|
12.5 |
Compliance and Regulatory Assurance |
People |
Compliance officers, risk managers, and internal audit |
Ensure third-party arrangements meet regulatory and internal policy requirements |
|
|
|
Process |
Regulatory compliance checks, audit reviews, and issue tracking |
Verifies adherence to banking regulations, outsourcing guidelines, and internal standards |
|
|
|
Technology |
Compliance tracking tools, audit management systems |
Records compliance evidence, audit findings, and remediation actions |
|
|
|
Third Party |
Regulators, external auditors, service providers |
Subject to regulatory scrutiny and compliance obligations under outsourcing arrangements |
|
12.6 |
Incident Management and Response |
People |
Incident response team, vendor managers, IT operations |
Coordinate incident detection, escalation, and resolution involving third parties |
|
|
|
Process |
Incident management procedures, escalation protocols, and post-incident reviews |
Defines how third-party incidents are managed to minimise service disruption |
|
|
|
Technology |
Incident management systems, communication, and alerting tools |
Enables rapid notification, tracking, and resolution of incidents impacting outsourced services |
|
|
|
Third Party |
Outsourced service providers |
Participate in incident response, root cause analysis, and corrective actions |
The dependency mapping for CBS-12 Third-Party / Outsourced Service Management highlights the complex network of internal and external dependencies that underpin Metrobank’s ability to manage outsourced services effectively.
By clearly linking people, processes, technology, and third parties to each Sub-CBS, this mapping provides a comprehensive view of how risks, controls, and resilience measures are interconnected.
It enables Metrobank to identify critical dependencies, assess potential points of failure, and ensure that third-party arrangements are aligned with service continuity and regulatory expectations.
Ultimately, this structured mapping strengthens Metrobank’s operational resilience by supporting informed decision-making, proactive risk management, and timely response to disruptions across its extended service ecosystem.
|
Building Resilient Banking Operations: The Metrobank Operational Resilience Implementation Guide |
|||||
| eBook 3: Starting Your OR Implementation |
|||||
| CBS-12 Third-Party / Outsourced Service Management | |||||
| CBS-12 DP | CBS-12 MD | CBS-12 MPR | CBS-12 ITo | CBS-12 SuPS | CBS-12 ST |
To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.
|
If you have any questions, click to contact us. |
||
|
|