[OR] [MM] [BSP] Operational Resilience Maturity-level Assessment Aligned to Bangko Sentral ng Pilipinas (BSP)

Operational Resilience Maturity Assessment (BSP Circular 1203 - Aligned)

This chapter is a comprehensive Operational Resilience Maturity Assessment Questionnaire aligned to the requirements of Bangko Sentral ng Pilipinas Circular No. 1203 (2024).

The structure reflects the key regulatory expectations: governance integration, identification of critical operations, impact tolerance, scenario testing, dependency mapping, and response/recovery capabilities.

Section 1: Governance and Oversight

Objective: Ensure operational resilience is embedded within governance structures.

1. Has the Board approved an enterprise-wide Operational Resilience Framework (ORF)?
2. Does the Board regularly review resilience posture, including critical operations and tolerance levels?
3. Are roles and responsibilities for operational resilience clearly defined across the Board, senior management, and business units?
4. Is operational resilience integrated into existing frameworks (ERM, BCM, IT risk, cyber resilience)?
5. Does senior management regularly assess resilience capability and report gaps to the Board?
6. Are escalation and decision-making protocols defined for disruption scenarios?
7. Is there a dedicated committee or function overseeing operational resilience?

Section 2:  Identification of Critical Operations (COs)

Objective: Identify services whose disruption would cause material harm.

1. Has the bank identified and documented its critical operations (COs)?
2. What criteria are used to determine “criticality” (e.g., customer impact, systemic risk)?
3. Are COs mapped to products, services, and business lines?
4. Are CO owners formally assigned and accountable?
5. Is there a periodic review and validation of COs?
6. Are regulatory and customer obligations considered in defining COs?

Section 3: Mapping of Interconnections and Dependencies

Objective: Understand vulnerabilities across the ecosystem.

1. Has the bank mapped dependencies for each critical operation (People, Process, Technology, Third Parties)?
2. Are upstream and downstream interdependencies documented?
3. Are critical third-party providers identified and risk-assessed?
4. Are single points of failure identified and mitigated?
5. Is there visibility of data flows and system interconnectivity?
6. Are concentration risks (e.g., single vendor, location) assessed?

Section 4: Impact Tolerance (Tolerance for Disruption)

Objective: Define acceptable levels of disruption.

1. Has the bank established impact tolerances for each critical operation?
2. Are tolerances defined in measurable terms (e.g., time, data loss, transaction volume)?
3. Do tolerances align with customer expectations and regulatory requirements?
4. Are tolerances linked to RTO/RPO and service level agreements?
5. Are tolerance breaches monitored and reported?
6. Are tolerances reviewed and updated periodically?

Section 5: Risk Identification and Scenario Design

Objective: Prepare for severe but plausible disruptions.

1. Has the bank identified a range of severe but plausible scenarios?
2. Do scenarios cover:
   • Cyberattacks
   • System outages
   • Third-party failure
   • Natural disasters (relevant to the Philippines)
   • Pandemic or workforce disruption
3. Are scenarios tailored to the bank’s risk profile and business model?
4. Are scenario assumptions documented and validated?
5. Are emerging risks (e.g., AI/model risks, climate risks) considered?

Section 6: Scenario Testing and Resilience Validation

Objective: Test the ability to remain within tolerance.

1. Are scenario tests conducted regularly (e.g., annual, semi-annual)?
2. Do tests assess whether critical operations remain within defined tolerances?
3. Are different types of tests conducted (tabletop, simulation, live)?
4. Are interdependencies and third-party failures included in tests?
5. Are test results documented and reported to senior management/Board?
6. Are remediation actions tracked to closure?
7. Are lessons learned incorporated into policies and controls?

Section 7: Response and Recovery Capabilities

Objective: Ensure continuity and recovery during disruptions.

1. Does the bank maintain an integrated incident response and recovery framework?
2. Are incident classification and severity levels defined?
3. Are recovery strategies aligned with impact tolerances?
4. Is there a documented inventory of response and recovery actions?
5. Are communication plans defined for internal and external stakeholders?
6. Are crisis management teams trained and regularly exercised?
7. Can the bank demonstrate the ability to continue delivering critical operations during a disruption?

Section 8: Business Continuity and ICT Resilience Integration

Objective: Align resilience with BCM and technology.

1. Is operational resilience integrated with Business Continuity Plans?
2. Are IT Disaster Recovery (DR) capabilities aligned with impact tolerances?
3. Are cyber resilience controls embedded into operational resilience?
4. Are backup systems, redundancy, and failover mechanisms tested?
5. Is there alignment between operational resilience and ICT risk management?

Section 9: Third-Party Risk and Outsourcing Resilience

Objective: Manage external dependencies.

1. Are third-party service providers included in resilience planning?
2. Are service providers assessed for their resilience capabilities?
3. Are contractual agreements aligned with impact tolerances?
4. Are contingency plans in place for third-party failure?
5. Are critical vendors subject to resilience testing or assurance reviews?

Section 10: Monitoring, Reporting, and Continuous Improvement

Objective: Sustain resilience capability.

1. Are key resilience metrics and KRIs defined and monitored?
2. Is there regular reporting of resilience posture to the Board?
3. Are incidents analysed for root causes and systemic weaknesses?
4. Is there a structured remediation and improvement program?
5. Are internal audits and independent reviews conducted on ORF?
6. Is the framework continuously improved based on testing and incidents?

Section 11: Self-Assessment and Regulatory Compliance

Objective: Meet BSP supervisory expectations.

1. Has the bank completed the BSP-required self-assessment questionnaire (SAQ)?
2. Are gaps identified through the SAQ formally tracked and remediated?
3. Is there a documented roadmap to achieve full compliance?
4. Are regulatory submissions and disclosures prepared and reviewed?
5. Can the bank demonstrate alignment with the requirements of BSP Circular 1203? 

Summing Up ...

Maturity Rating Framework (Recommended)

Use a 7-level maturity scale:

Maturity Rating Guide (Optional Scoring Model)

For each question, assign:

1. Level 0: Ad-hoc: Reactive, unstructured processes.
2. Level 1: Reactive: Basic frameworks with sporadic execution.
3. Level 2: Proactive: Formal policies and dedicated teams.
4. Level 3: Mature: Anticipatory risk management.
5. Level 4: Advanced: Integrated, data-driven strategies.
6. Level 5: Leading: Predictive analytics and automation.
7. Level 6: Excellence: Industry leadership through innovation.

Key Alignment with BSP Circular 1203

This questionnaire directly reflects BSP expectations that banks must:

• Identify critical operations
• Define tolerance for disruption
• Conduct scenario testing
• Map interdependencies
• Integrate resilience into governance and risk management