[OR] [SBC] [E2] [P1 to P3] [C1] OR Planning Methodology

Operational Resilience Planning Methodology for Security Bank Corporation

Introduction

This chapter introduces the three-phase Operational Resilience Planning Methodology adopted by Security Bank Corporation to strengthen its ability to anticipate, withstand, respond to, and recover from disruptive events.

As a leading financial institution operating in an increasingly complex regulatory and risk landscape, Security Bank must ensure that its critical business services remain resilient under a wide range of operational stresses, including cyber threats, technology failures, third-party disruptions, and external crises.

The methodology presented in this chapter provides a structured, practical approach to embedding resilience into the bank’s operations, aligned with regulatory expectations, including the Bangko Sentral ng Pilipinas (BSP) guidelines on operational resilience.

The methodology is organised into three interrelated phases—Plan, Implement, and Sustain—each consisting of five structured stages.

  The Plan phase focuses on establishing a strong foundation by assessing current capabilities, identifying gaps, defining strategic direction, aligning with risk appetite, and embedding governance.

The Implement phase translates strategy into actionable outcomes by identifying critical business services, mapping dependencies, setting impact tolerances, conducting scenario testing, and incorporating lessons learned.

Finally, the Sustain phase ensures that operational resilience becomes an integral and enduring capability through cultural transformation, communication, continuous training, self-assessment, and independent review.

Together, these phases form a continuous lifecycle that enables Security Bank to maintain resilience in a dynamic operating environment.

Purpose of the Chapter

The purpose of this chapter is to provide readers with a clear and structured overview of Security Bank’s Operational Resilience Planning Methodology, enabling them to understand how resilience can be systematically designed, implemented, and sustained within a financial institution.

It sets the foundation for subsequent chapters by presenting a cohesive framework that integrates governance, risk management, business continuity, and operational resilience into a unified approach.

By the end of this chapter, readers are expected to gain a comprehensive understanding of the three-phase methodology and its fifteen stages, and how each stage contributes to building a resilient organisation.

This includes recognising the importance of aligning resilience initiatives with regulatory expectations, identifying critical services and their dependencies, establishing measurable impact tolerances, and embedding resilience into organisational culture and continuous improvement practices.

Ultimately, the chapter prepares readers to apply this methodology at Security Bank or similar institutions to achieve robust, sustainable operational resilience.

Overview of the Three Phases of Operational Resilience Planning Methodology

Phase 1: Plan

The Plan phase establishes the strategic and governance foundation required to build operational resilience.

It ensures that Security Bank clearly understands its current maturity, identifies areas for improvement, and aligns its resilience objectives with its overall business strategy and risk appetite.

The five stages are:

• Assess Capability and Maturity [Stage 1]
  Evaluate existing resilience capabilities across business continuity, IT disaster recovery, risk management, and crisis management.
• Analyse Gap [Stage 2]
  Identify gaps between current capabilities and regulatory expectations or industry best practices.
• Develop Strategy and Roadmap [Stage 3]
  Define a structured roadmap outlining initiatives, priorities, timelines, and resource requirements.
• Confirm Risk Appetite [Stage 4]
  Align resilience objectives with the bank’s tolerance for disruption, including acceptable levels of operational impact.
• Develop and Embed Governance [Stage 5]
  Establish governance structures, roles, responsibilities, and oversight mechanisms to support the implementation of resilience.

Phase 2: Implement

The Implement phase operationalises the strategy by focusing on identifying, analysing, and testing critical business services. It ensures that Security Bank can maintain service continuity within defined impact tolerances during disruptions.

The five stages are:

• Identify Critical Business Services [Stage 1]
  Determine the services that are essential to customers and the financial system.
• Map Processes and Resources [Stage 2]
  Identify the end-to-end processes, people, technology, facilities, and third parties supporting each critical service.
• Set Impact Tolerance [Stage 3]
  Define the maximum acceptable level of disruption (e.g., downtime, data loss, customer impact).
• Conduct Scenario Testing [Stage 4]
  Test resilience capabilities against severe but plausible scenarios to validate preparedness.
• Improve Lessons Learned [Stage 5]
  Analyse test outcomes and real incidents to strengthen controls and response capabilities.

Phase 3: Sustain

The Sustain phase ensures that operational resilience is continuously maintained, enhanced, and embedded into the organisational culture of Security Bank.

It transforms resilience from a one-time initiative into an ongoing discipline.

The five stages are:

• Introduce Cultural Change [Stage 1]
  Promote a resilience mindset across all levels of the organisation.
• Develop Communication Strategy [Stage 2]
  Ensure clear and consistent communication of resilience objectives, roles, and expectations.
• Implement Training and Awareness [Stage 3]
  Build staff competency through structured training and awareness programmes.
• Provide Self-assessment [Stage 4]
  Enable business units to regularly assess their own resilience capabilities and compliance.
• Conduct Independent Quality Review [Stage 5]
  Perform independent reviews and audits to validate effectiveness and identify areas for improvement.

The three-phase Operational Resilience Planning Methodology provides Security Bank with a comprehensive and structured approach to building, implementing, and sustaining resilience across its operations.

By integrating strategic planning, operational execution, and continuous improvement, the bank is better positioned to safeguard its critical business services against disruption while meeting regulatory expectations and maintaining customer trust.

This methodology is not a linear process but a continuous cycle of enhancement, where insights from implementation and sustainment feed back into planning.

As such, it equips Security Bank with the agility and discipline required to navigate an evolving risk landscape and ensures that operational resilience remains a core organisational capability rather than a standalone initiative.

Blogs marked [x] are under construction

For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.