eBook OR

[OR] [RCBC] [E3] [CBS] [1] [SuPS] Identify Severe but Plausible Scenarios

Written by Moh Heng Goh | Apr 17, 2026 5:41:46 AM

CBS-1 Retail Deposit & Account Services

Introduction

Identifying Severe but Plausible Scenarios (SuPS) is a critical component of operational resilience, enabling Rizal Commercial Banking Corporation (RCBC) to assess how its critical business services may be disrupted under extreme yet realistic conditions.

As highlighted in BCM Institute guidance, these scenarios should go beyond routine incidents and reflect high-impact events such as cyberattacks, infrastructure failures, third-party disruptions, and natural disasters.

In line with BSP Circular No. 1203 Series of 2024, Philippine banks are required to test their ability to remain within defined impact tolerances under severe but plausible scenarios.

These scenarios must incorporate cyber and ICT risks, third-party dependencies, and external systemic shocks. For CBS-1 Deposit and Account Services, this ensures that RCBC can maintain customer access to funds and essential banking services even during major disruptions.

Table P5: Identify Severe but Plausible Scenarios for CBS-1   

Sub-CBS Code

Sub-CBS

Severe but Plausible Scenario

Impact / Effect

Proactive Risk Management Action

Link to Integration of Cyber and ICT Risks

1.1

Customer Onboarding and Account Application

Digital onboarding platform outage due to cloud failure

Inability to onboard new customers

Implement an alternate manual onboarding and multi-cloud redundancy

Cloud resilience, system redundancy

1.2

Customer Identification and Verification (KYC/CDD)

Failure of the AML screening system or the third-party watchlist provider

Non-compliance risk, onboarding delays

Establish backup screening tools and offline verification procedures

Third-party risk, data integrity controls

1.3

Account Approval and Opening

Core banking system downtime

Delay in account activation

Implement high-availability architecture and failover systems

Core banking resilience, infrastructure redundancy

1.4

Initial Funding and Deposit Booking

Payment gateway or clearing system outage

Delayed or failed deposit postings

Enable alternative channels and deferred posting mechanisms

Payment system resilience, network redundancy

1.5

Product Terms Setup and Account Parameter Maintenance

System misconfiguration or deployment failure

Incorrect fees or interest applied

Strengthen change management and automated validation controls

IT change management, configuration control

1.6

Deposit Transactions Processing

Cyberattack (e.g., ransomware) on transaction systems

Inability to process deposits, financial disruption

Implement real-time monitoring, backup systems, and cyber incident response plans

Cybersecurity, data recovery, system isolation

1.7

Withdrawal and Funds Access Processing

ATM network outage or telecom failure

Customers are unable to access funds

Provide branch fallback, increase cash availability, and diversify network providers

Telecom resilience, ATM network redundancy

1.8

Account Servicing and Customer Maintenance

CRM system outage or data corruption

Inability to process service requests

Implement backup CRM systems and data recovery procedures

Data integrity, system backup

1.9

Interest, Fees, and Charges Processing

Batch processing failure due to a system error

Incorrect financial postings

Introduce reconciliation checks and automated rerun capabilities

Batch processing resilience, system monitoring

1.10

Statement, Passbook, and Balance Reporting

Reporting system failure or data inconsistency

Delayed or inaccurate customer statements

Implement parallel reporting systems and data validation checks

Data consistency, reporting system resilience

1.11

Digital Account Access Enablement

Distributed Denial-of-Service (DDoS) attack on digital banking platforms

Customers are unable to access their accounts

Deploy DDoS protection, traffic filtering, and scalable infrastructure

Cyber defense, network resilience

1.12

ATM and Card-Based Access Management

Card network (e.g., Visa/Mastercard) outage

Transaction failures at ATMs and POS

Establish fallback routing and multi-network support

Third-party network resilience

1.13

Account Reconciliation and Exception Handling

Data mismatch due to system integration failure

Financial discrepancies and reporting issues

Automate reconciliation and implement exception management tools

Data reconciliation systems, integration controls

1.14

Dormancy, Holds, Restrictions, and Account Control Administration

Failure to enforce account restrictions due to a system error

Regulatory breach, fraud risk

Implement automated controls and audit trails

Compliance systems, control monitoring

1.15

Fraud Monitoring and Transaction Surveillance

Failure of the fraud detection system during a cyber incident

Increased fraud losses and undetected suspicious activity

Deploy real-time analytics, AI-based monitoring, and backup systems

Cybersecurity analytics, fraud systems resilience
1.16

Complaints, Disputes, and Service Recovery

Call centre or case management system outage

Inability to resolve customer issues

Implement alternate communication channels and manual processes

Communication systems resilience

 

Regulatory Alignment and Practical Considerations

Under BSP Circular No. 1203 Series of 2024, RCBC must:
  • Identify severe but plausible scenarios that reflect real-world threats, including cyber incidents, natural disasters, and third-party failures
  • Ensure that these scenarios are used in scenario testing exercises to validate the Bank’s ability to remain within impact tolerances
  • Integrate cyber and ICT risks into all resilience assessments, particularly for digital banking, payment systems, and core infrastructure
  • Demonstrate proactive risk management, including preventive controls, monitoring, and recovery capabilities
For Example
  • Cyberattacks such as ransomware or DDoS directly affect Sub-CBS processes like deposit transactions (1.6) and digital access (1.11).
  • Telecom and infrastructure failures impact ATM and digital services (1.7, 1.11, 1.12), highlighting reliance on external providers.
  • Third-party failures (e.g., payment networks, AML providers) demonstrate the importance of vendor resilience and fallback arrangements.

 

The identification of severe but plausible scenarios for CBS-1 Deposit and Account Services provides Rizal Commercial Banking Corporation (RCBC) with a forward-looking view of potential disruptions that could threaten its most critical services.

By linking each Sub-CBS to realistic high-impact scenarios, the Bank can better understand vulnerabilities and prepare targeted mitigation strategies.

Aligned with BSP Circular No. 1203 Series of 2024, this structured approach ensures that RCBC is not only reactive but proactive—anticipating risks, strengthening controls, and validating resilience through rigorous testing.

Ultimately, this enables the Bank to maintain continuity of essential deposit services and uphold customer trust even in the face of severe disruptions.

 

eBook 3: Starting Your OR Implementation
CBS-1 Retail Deposit & Account Services
CBS-1 DP CBS-1 MD CBS-1 MPR CBS-1 ITo CBS-1 SuPS CBS-1 ST

  Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.

 

More Information About OR-5000 [OR-5] or OR-300 [OR-3]

To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.

If you have any questions, click to contact us.

 
View full post