For Security Bank Corporation, the starting point of an operational resilience program is to identify the business services whose disruption would cause unacceptable harm to customers, materially affect the bank’s safety and soundness, or undermine confidence in the wider financial system.
Security Bank is a Philippine universal bank serving retail, commercial, corporate, and institutional clients, with major businesses in retail, commercial, and corporate banking, as well as financial markets.
Its public channels and offerings also show strong dependence on branch/ATM access, retail digital banking, business cash management through DigiBanker, credit cards, loans, trade-related services, and investment-related services.
Using the BCM Institute definition, a Critical Business Service is a service provided to clients that, if disrupted, could cause intolerable harm to customers or pose a risk to the stability or orderly operation of the financial system.
The BSP’s Circular No. 1203 uses the term "critical operations," but in practice, this chapter uses CBS as the working equivalent for bank services that require the strongest resilience treatment.
BSP Circular No. 1203 requires banks and other BSP-supervised financial institutions to establish an operational resilience framework, overseen by the board and implemented by senior management.
The framework must identify critical operations, set tolerance for disruption, determine severe but plausible scenarios, map interconnections and interdependencies, integrate business continuity management and testing, and continuously review and refine the framework.
The board is expected to approve the framework, the criteria for identified critical operations, and the tolerance for disruption.
The Circular also makes clear that tolerance for disruption must include at least a time-based metric, and may also include customer count, transaction volume, and transaction value affected.
Those tolerances must be tested against severe but plausible scenarios.
The BSP further expects banks to map dependencies, including third parties and public infrastructure such as telecommunications and energy, and to integrate critical operations into BCM, incident response, recovery planning, communication plans, and periodic exercises.
The list below is a recommended public-domain view of Security Bank’s CBS for operational resilience planning.
It is not the bank’s official internal list; the final CBS set should be validated by Security Bank’s board, senior management, and business owners using internal volume, customer, regulatory, and market-impact data.
|
CBS Code |
Critical Business Services (Operations) |
Why it should be treated as critical |
Public-domain basis from Security Bank |
|
1 |
Retail Deposit and Account Services |
Failure would immediately affect customers’ ability to access funds, maintain accounts, receive salaries, and perform basic banking. |
Security Bank offers deposit accounts, debit cards, payroll-related accounts, time deposits, and branch/ATM services. |
|
2 |
Payments, confidence in the payment systems |
Disruption would affect day-to-day economic activity, customer liquidity, merchant payments, and potentially broader confidence in the payment system. |
Security Bank provides online banking, mobile app access, fund transfers, eGiveCash, ATM access, and business transfers via InstaPay and PESONet. |
|
3 |
Digital Banking and Customer Channel Access |
If digital channels fail, customers may lose their primary means of viewing balances, authenticating, initiating transactions, and receiving service updates. |
Security Bank promotes the all-new app, online banking, support channels, and digital self-service journeys. |
|
4 |
Corporate Cash Management and Business Payments |
Business customers depend on the continuous processing of payroll, collections, supplier payments, remittances, and e-government payments. |
DigiBanker supports receivables, vendor payments, liquidity management, fund transfers, payroll management, auto-debit/credit, remittance applications, and eGov payments. |
|
5 |
Trade Finance, Foreign Transfers, and Remittance Services |
Disruption can impair import/export activity, settlement commitments, and customer access to cross-border funds. |
Security Bank publicly highlights trade, remittances, foreign transfers, and cash management/trade finance application processes. |
|
6 |
Card Payment and Credit Card Servicing |
Card disruption affects consumer purchases, online commerce, cash access substitutes, and cardholder obligations. |
Security Bank offers Mastercard credit cards, instalment and payment services, card servicing, and application/status channels. |
|
7 |
Lending Servicing for Retail and Business Borrowers |
While loan origination may not always be critical, disruption to disbursement, repayment posting, or collections can materially harm customers and the bank. |
Security Bank offers home, auto, personal, and business loans. |
|
8 |
Treasury, FX, and Institutional/Financial Markets Services |
Disruption may affect large-value transactions, market counterparties, liquidity management, and confidence in the bank’s institutional services. |
Security Bank identifies financial markets as a major business and offers treasury, foreign exchange, fixed income, and related investment services. |
CBS-1 Retail Deposit and Account Services would typically include account opening, deposit-taking, account maintenance, balance availability, debit card linking, salary crediting, branch servicing, and ATM cash access.
For a Philippine bank, this service is typically critical because customers rely on it for everyday liquidity and safekeeping of funds.
A prolonged outage could rapidly create customer harm and reputational pressure.
CBS-2 Payments, Transfers, and Cash Access should cover internal transfers, interbank transfers, ATM withdrawals, eGiveCash, bill-related payment flows, and posting/settlement activity connected to customer accounts.
This aligns strongly with the BSP’s emphasis on customer impact, transaction volumes and values, and time-based restoration metrics when setting tolerance for disruption.
CBS-3 Digital Banking and Customer Channel Access deserves separate treatment, even if some banks embed it within deposits and payments.
In practice, for many customers, the app and online banking platform are the service gateway to balances, transfers, billers, credentials, and alerts.
That makes channel resilience a distinct operational priority, especially during branch outages or cyber incidents.
CBS-4 Corporate Cash Management and Business Payments is likely one of Security Bank’s most important institutional CBS because
DigiBanker supports receivables, vendor payments, payroll, centralised account management, remittance applications, and government remittances.
Failure here can affect corporate payroll releases, supplier payments, and client treasury operations, potentially causing significant harm beyond a single customer.
CBS-5 Trade Finance, Foreign Transfers, and Remittance Services should be treated as critical, as Security Bank’s customers depend on them for import/export support, documentary flows, cross-border transfers, and remittance processing.
For a commercial and corporate bank, these services can have outsized economic consequences if interrupted, especially when obligations are time-sensitive.
CBS-6 Card Payment and Credit Card Servicing is critical because it supports consumer spending, e-commerce, payment acceptance, and customer credit servicing. The public site shows extensive card usage, instalment, payment, and servicing capabilities, indicating that any disruption would likely quickly affect a large retail customer base.
CBS-7 Lending Servicing should focus less on sales origination and more on core servicing processes such as loan disbursement, repayment processing, account updates, and customer communication on obligations.
In operational resilience, the critical question is not whether lending is profitable, but whether a service interruption would cause customer harm, legal/regulatory issues, or material financial stress.
CBS-8 Treasury, FX, and Institutional/Financial Markets Services is especially relevant because Security Bank publicly identifies financial markets as a major business and offers treasury, foreign exchange, and fixed-income services.
For these services, the impact of disruption can extend to counterparties, settlement obligations, and market confidence, which fits the systemic-risk aspect of the CBS concept.
For each identified CBS, BSP Circular No. 1203 expects Security Bank to do at least five things.
First, the bank should ensure the board approves the identified critical operations and that the list is proportionate to the bank’s size, scale, and complexity. The identification process should be dynamic and periodically reassessed.
Second, the bank should set a tolerance for disruption for each CBS.
At a minimum, this should include a recovery time measure, and it should also consider metrics such as the number of affected customers, transaction volume, transaction value, and other service-specific indicators.
Third, the bank should map interconnections and interdependencies across people, processes, technology, facilities, third parties, and public infrastructure.
For Security Bank, examples would include app platforms, core banking, payment rails, telecom providers, utilities, branch operations, ATM networks, card schemes, and outsourced or partner services.
Fourth, the bank should test severe but plausible scenarios against each CBS.
Examples for a Philippine bank include ransomware affecting digital channels, a telecom outage affecting branches and ATMs, a third-party failure affecting payments or card processing, a power outage affecting operations centres, or simultaneous high transaction volumes during a crisis.
BSP requires periodic business continuity exercises covering identified critical operations, their dependencies, and realistic scenarios.
Fifth, the bank should integrate CBS into BCM, incident response, recovery, and communication plans.
The BSP specifically expects BCM to cover business impact analysis, recovery strategies, incident response and recovery plans, communication plans, and exercises that keep the service within tolerance levels during disruption.
A few examples show how this would work in practice.
For Retail Deposit and Account Services, Security Bank might set a very short time tolerance for ATM cash withdrawal, salary crediting, and balance inquiry because a large number of customers may be affected quickly.
Metrics could include the number of unavailable accounts, failed ATM transactions, and payroll customers impacted.
For Payments and Transfers, the bank might monitor the maximum tolerable delay for InstaPay/PESONet-linked transfers, the percentage of failed transactions, and the accumulated value of unprocessed payments.
This is consistent with BSP’s expectation that transaction volume and value can be part of tolerance setting.
For Corporate Cash Management, a severe but plausible scenario could be DigiBanker's unavailability during payroll cutoffs or supplier payment runs.
Mapping should therefore include client authorisation workflows, payment files, host-to-host connectivity, bank operations teams, telecom links, and fallback processing arrangements.
For Trade Finance and FX, the bank should assess dependency on specialist operations staff, external networks, correspondent or partner arrangements, and document-processing workflows.
The BSP’s guidance on third-party resilience and exit or substitution arrangements is directly relevant here.
In summary, the most defensible starting CBS set for Security Bank Corporation is: Retail Deposit and Account Services; Payments, Transfers, and Cash Access; Digital Banking and Customer Channel Access; Corporate Cash Management and Business Payments; Trade Finance, Foreign Transfers, and Remittance Services; Card Payment and Credit Card Servicing; Lending Servicing; and Treasury, FX, and Institutional/Financial Markets Services.
This proposed list is consistent with Security Bank’s public business model and with BSP Circular No. 1203, which requires a Philippine bank to identify critical operations, set disruption tolerances, map dependencies, test severe but plausible scenarios, integrate BCM and communications, and keep the framework under board oversight and periodic review.
Blogs marked [x] are under construction
| eBook 1: Understanding Your Organisation: Security Bank | |||
| C1 | C2 [x] | C3 [x] | C4 [x] |
| C5 | C6 [x] | C7 [x] | C8 [x] |
| |
|
|
|
To learn more about the course and schedule, click the buttons below for the OR-300 Operational Resilience Implementer course and the OR-5000 Operational Resilience Expert Implementer course.
|
If you have any questions, click to contact us. |
||
|
|