Third-party and outsourced service arrangements are critical enablers of Metrobank’s delivery of important business services.
However, they also introduce concentration risk, dependency risk, and potential operational vulnerabilities beyond the Bank’s direct control.
This section maps the processes and resources supporting each Sub-CBS under CBS-12 Third-Party / Outsourced Service Management, covering people, technology, third parties, and upstream/downstream dependencies.
The mapping provides transparency on how services are delivered end-to-end and establishes a robust foundation for scenario testing, impact tolerance validation, and resilience improvement actions, in line with operational resilience regulatory requirements.

| Sub-CBF Code | Sub-CBS | Processes | People | Technology (Applications & Infrastructure) | Third-Party Vendors | Upstream / Downstream Dependencies |
|---|---|---|---|---|---|---|
| 12.1 | Vendor Risk Management | • Vendor onboarding and due diligence • Risk assessment (financial, operational, cyber, ESG) • Risk tiering and approval • Ongoing vendor risk review | • Third-Party Risk Management Team • Procurement • Enterprise Risk Management • Information Security • Legal & Compliance | • Vendor risk management system • GRC platform • Cyber risk assessment tools • Document management system | • External risk assessment firms • Cybersecurity assessors • Credit rating agencies | Upstream: Business units requesting vendors, regulatory requirements; Downstream: Contract management, outsourced service delivery, audit, and compliance reviews |
| 12.2 | Third-Party Contract Management | • Contract drafting and negotiation • SLA and KPI definition • Legal review and approval • Contract storage and renewal tracking | • Legal Department • Procurement • Business owners • Vendor managers | • Contract lifecycle management system • E-signature platform • Secure document repositories | • External legal counsel • Contract management solution providers | Upstream: Vendor risk approval, business service requirements; Downstream: Service monitoring, dispute resolution, service continuity planning |
| 12.3 | Outsourced Service Monitoring | • SLA/KPI monitoring • Performance reporting • Issue and breach management • Vendor review meetings | • Vendor relationship managers • Business unit service owners • Operations teams | • Performance monitoring dashboards • Service management tools • Reporting and analytics platforms | • Outsourced service providers (IT, facilities, call centres, payment processors) | Upstream: Contractual SLAs, operational data feeds; Downstream: Incident management, customer service delivery, and management reporting |
| 12.4 | Service Continuity Planning | • Review of vendor BCP/DR plans • Alignment with Metrobank BCM • Testing and scenario exercises • Exit and substitution planning | • Business Continuity Management Team • Vendor managers • IT Disaster Recovery teams | • BCM management system • DR testing platforms • Communication tools | • Recovery site providers • Cloud service providers • Alternate service providers | Upstream: Critical business service impact tolerances, vendor dependency mapping; Downstream: Crisis management, recovery execution, regulatory assurance |
| 12.5 | Compliance and Regulatory Assurance | • Regulatory compliance checks • Audit coordination • Evidence collection and reporting • Remediation tracking | • Compliance officers • Internal Audit • Risk Management • Vendor managers | • GRC systems • Audit management tools • Regulatory reporting platforms | • External auditors • Regulatory advisory firms | Upstream: Regulatory obligations, vendor risk ratings; Downstream: Regulatory submissions, board, and senior management reporting |
| 12.6 | Incident Management and Response | • Third-party incident detection and escalation • Impact assessment on CBS • Coordination with vendors • Post-incident review | • Incident response team • IT operations • Cybersecurity team • Vendor managers • Communications team | • Incident management system • SIEM and monitoring tools • Collaboration and alerting platforms | • Outsourced IT providers • Cybersecurity vendors • Telecommunications providers | Upstream: Outsourced service monitoring, vendor alerts; Downstream: Customer impact management, regulatory notification, service recovery |

The mapping of processes and resources for CBS-12 Third-Party / Outsourced Service Management demonstrates how Metrobank’s reliance on external parties is governed, monitored, and safeguarded across the full service lifecycle.
By clearly identifying people, processes, technology, third parties, and interdependencies, the Bank is better positioned to understand potential points of vulnerability and concentration risk.
This structured mapping directly supports scenario testing, enabling Metrobank to assess how disruptions at third-party providers could impact important business services and whether impact tolerances remain within acceptable limits.
More importantly, it provides a practical foundation for targeted resilience enhancements—such as strengthening exit strategies, improving monitoring, and diversifying suppliers—ensuring that third-party reliance remains robust, controlled, and aligned with regulatory expectations for operational resilience.

Building Resilient Banking Operations: The Metrobank Operational Resilience Implementation Guide

eBook 3: Starting Your OR Implementation