CBS-12 Third-Party / Outsourced Service Management
Severe but plausible scenarios (SbPS) are hypothetical events that pose significant threats to the continuity of critical business services, yet remain within the realm of realistic possibility.
In the context of Metrobank's CBS-12 Third-Party / Outsourced Service Management, these scenarios help identify vulnerabilities across vendor management, contract oversight, service monitoring, continuity planning, regulatory compliance, and incident response.
By testing the bank’s resilience against these scenarios, the organisation ensures that operational limits are understood, impact tolerances are maintained, and customer trust is safeguarded.
Table P5: Identify Severe but Plausible Scenarios for CBS-12
|
Sub-CBS Code |
Sub-CBS |
Severe but Plausible Scenario |
Impact/Effect |
Proactive Risk Management Action |
Link to Integration of Cyber and ICT Risks |
|
12.1 |
Vendor Risk Management |
Major vendor suffers ransomware attack |
Disruption of critical services supplied by the vendor, delayed transactions |
Vendor due diligence, continuous monitoring, and cyber resilience assessment |
Aligns with ICT risk management by evaluating vendor cyber controls and response capabilities |
|
12.2 |
Third-Party Contract Management |
Contractual dispute leading to service suspension |
Potential breach of service level agreements, regulatory non-compliance |
Periodic contract review, inclusion of continuity clauses, and legal oversight |
Integration of contract and ICT risk mitigates gaps in service continuity obligations |
|
12.3 |
Outsourced Service Monitoring |
Multi-site outsourced service outage |
Delay in transaction processing, operational downtime |
Real-time monitoring dashboards, escalation protocols, and redundancy planning |
ICT risk monitoring tools provide early alerts of outages and cyber anomalies |
|
12.4 |
Service Continuity Planning |
An extended power outage at a major outsourced data centre |
Inability to deliver critical banking services within the impact tolerance |
Business continuity plan activation, backup site switching, and staff readiness exercises |
Cyber-physical integration ensures recovery plans address both ICT failures and cyber threats |
|
12.5 |
Compliance and Regulatory Assurance |
Regulatory audit uncovers non-compliance due to third-party practices |
Regulatory fines, reputational damage |
Periodic audits, compliance reporting, and training for vendors |
Cybersecurity audits embedded in regulatory compliance processes |
|
12.6 |
Incident Management and Response |
Coordinated cyber-attack on multiple third-party systems |
Data breaches, service unavailability, and reputational harm |
Incident response plan, tabletop exercises, communication protocols |
Direct link to ICT risk management ensures rapid containment and mitigation of cyber threats |
Identifying severe but plausible scenarios for CBS-12 enables Metrobank to systematically stress-test its third-party and outsourced service management processes.
Through this proactive approach, the bank strengthens operational resilience, ensures regulatory compliance, and integrates cyber and ICT risk considerations into everyday vendor and service management activities.
These scenarios are critical not as predictions, but as strategic tools to validate readiness, uncover vulnerabilities, and maintain uninterrupted service delivery even under extreme conditions.
Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.




![Banner [Table] [OR] [E3] Identify Severe but Plausible Scenarios](https://no-cache.hubspot.com/cta/default/3893111/f4f3c007-e864-48cd-8bc1-0242c8b7fd86.png)
![Banner [Summing] [OR] [E3] Identify Severe but Plausible Scenarios](https://no-cache.hubspot.com/cta/default/3893111/446ccb83-e056-40d0-aae5-834d73c13f43.png)
![[OR] [MBT] [E3] [CBS] [12] [DP] Third-Party Outsourced Service Management](https://no-cache.hubspot.com/cta/default/3893111/7c07a042-eb9c-4f76-bf19-10435fa89d38.png)
![[OR] [MBT] [E3] [CBS] [12] [MD] Map Dependency](https://no-cache.hubspot.com/cta/default/3893111/f3043f5e-a02d-4463-94db-25e2488c9c8a.png)
![[OR] [MBT] [E3] [CBS] [12] [MPR] Map Processes and Resources](https://no-cache.hubspot.com/cta/default/3893111/6e3d60b9-54c5-47d4-9b44-5c842a90a2e7.png)
![[OR] [MBT] [E3] [CBS] [12] [ITo] Establish Impact Tolerances](https://no-cache.hubspot.com/cta/default/3893111/437dedd1-0563-4237-ab7b-4f8cc85522ba.png)
![[OR] [MBT] [E3] [CBS] [12] [ST] Perform Scenario Testing](https://no-cache.hubspot.com/cta/default/3893111/f99d5c42-5159-4b7b-a657-c407b0bc1dad.png)





![[BL-OR] [3-4-5] View Schedule](https://no-cache.hubspot.com/cta/default/3893111/d0d733a1-16c0-4b68-a26d-adbfd4fc6069.png)
![[BL-OR] [3] FAQ OR-300](https://no-cache.hubspot.com/cta/default/3893111/f20c71b4-f5e8-4aa5-8056-c374ca33a091.png)
![Email to Sales Team [BCM Institute]](https://no-cache.hubspot.com/cta/default/3893111/3c53daeb-2836-4843-b0e0-645baee2ab9e.png)








