Self-Assessment Questionnaire on Operational Resilience Framework
The evolving regulatory landscape requires financial institutions to continually strengthen their operational resilience (OR) frameworks.
This is the content of Appendix II of the SAQ provided in the BSP OR Framework. It is a list of questions provided for the BSFIs to complete in compliance with BSP requirements.
The Self-Assessment Questionnaire (SAQ) is a structured tool for BSP-supervised financial institutions (BSFIs) to evaluate their preparedness for operational disruptions.
This content explains the SAQ's key objectives, structure, and timeline and is a practical example for professionals navigating their institution's OR journey.
Timeline
One year after the Circular becomes effective, all BSFIs shall submit a transition plan to the appropriate supervising department using the Self-Assessment Questionnaire. The plan should comprise a gap analysis and action plans to achieve operational resilience.
Objectives of the Self-Assessment Questionnaire
- To provide an overview of the BSP-supervised financial institutions' (BSFI) operational resilience (OR) capabilities and highlight priority areas for development; and
- To support the Board, Senior Management and the bank supervisors’ understanding of the BSFI’s OR capabilities and readiness and capture the BSFI’s journey to achieving operational resilience.
Part I. Gap Analysis
Requirements of the Circular
A. Governance Structure
- Has the BSFI identified a board-level committee overseeing the integration of operational resilience principles into its existing risk management framework?
- Has the BSFI articulated the roles and responsibilities of the Board and Senior Management for operational resilience?
- Has the BSFI defined the roles of the business units, compliance and risk management functions, and internal audit functions regarding operational resilience?
- What changes have been made in the existing bank guidelines/processes (operational risk management, business continuity, outsourcing, etc.) to align with the operational resilience approach?
- Has the BSFI identified material entities for a group-wide operational resilience framework?
- Has the Head Office adopted an operational resilience framework for foreign bank branches? Is it being implemented for the Philippine Branch?
- Has the Board approved the BSFI’s operational resilience framework?
Requirements of the Circular
B. Key Elements of OR
1. Determine critical operations, tolerance for disruption and severe but plausible scenarios
a. Identifying critical operations
- Has the BSFI identified its critical operations? Did the Board approve the identified critical operations?
- How did the BSFI identify its critical operations? Please provide the criteria used, assumptions, and justifications on why said operations have been identified as essential.
- Are there any changes in the business model, processes or activities after identifying critical
b. Setting the tolerance for disruption or impact tolerance
- What is/are the BSFI’s tolerance for disruption? Has the Board approved the set tolerance for disruption?
- What is the BSFI’s methodology or criteria for setting tolerance for disruption?
- Which personnel/unit(s) are responsible for monitoring the BSFI to ensure it operates within its tolerance for disruption?
- Is there a reporting mechanism in place to notify the BSP in case the BSFI breaches its tolerance for disruptions?
c. Determining severe but plausible scenarios.
- Has the BSFI identified scenarios that would directly impact its critical operations? Are these considered severe and plausible scenarios? Why?
- What is the basis for the severity of the scenarios?
- Has the BSFI considered the “Big One” among its scenarios and the simultaneous and coordinated cyber attacks?
2. Map interconnections and interdependencies
- Who is primarily responsible for overseeing and conducting the mapping activities involving critical operations?
- Has the BSFI completed mapping the interconnections and interdependencies involving critical operations? If not, when is the expected timeline for completion?
- What are the key sources and resources used to support the BSFI’s mapping?
- What are the key roles that support the delivery of critical operations and the plans in place for individuals fulfilling these key roles being unavailable?
- Are there outsourcing arrangements, if any, involved in delivering critical operations? Does the BSFI set requirements and coordinate with the service provider regarding operational resilience expectations to ensure the delivery of essential operations through disruption?
- Has the BSFI identified any vulnerabilities in its mapping exercise? What are the vulnerabilities identified? Are action plans adopted or implemented to resolve such vulnerabilities?
- How will the mapping be kept up to date? Who is responsible for and what is the frequency of review/updating to ensure that it remains relevant and reflective of the BSFI’s impact tolerances and critical operations?
3. Plan for and manage risks to the delivery of critical operations.
- What are the identified disruptions and vulnerabilities that may impact critical operations?
- Are the identified disruptions or vulnerabilities affecting only one or more critical operations?
- Based on the identified disruptions and vulnerabilities, are there sufficient plans, processes and resources to ensure the delivery of essential operations throughout the disruptive events? What changes are made to ensure the delivery of critical operations throughout the disruptions?
- What vulnerabilities still exist that have not yet been remediated or where the Board has accepted a risk level?
- What vulnerabilities might arise from reliance on outsourced services, if any? Are action plans adopted or implemented to address those vulnerabilities to support operational resilience?
- Is there a periodic assessment of the adequacy of controls and procedures affecting critical operations, including in cases of changes to its underlying components?
- Is there a change management process? Are existing change management capabilities utilized to assess potential effects on the delivery of critical operations and their interconnections/interdependencies?
- Did the BSFI adopt strategies to ensure the critical operations’ IT environment, information confidentiality, integrity and availability through disruptive events?
4. Business Continuity Management (BCM) and Testing
- Is the BCM integrated into the operational resilience framework?
- Has the BSFI covered the identified critical operations and defined disruption tolerance in its BCM and testing? If yes, what fundamental changes have been made? If not, how does the BSFI plan to incorporate these in its BCM to achieve operational resilience?
- Did the BCM consider the impact of potential disruptions on critical operations given the set tolerance for disruption?
- Does the BCM cover the critical elements, such as business impact analyses, incident response and recovery plan and communication plan to support the delivery of critical operations through disruptions and to keep the same within the tolerance level?
- Is there a periodic business continuity exercise based on a range of severe and plausible scenarios of disruptive events about critical operations?
- What are the identified scenarios and the assumptions used in identifying those events?
- Did the BSFI leverage on scenarios under the existing risk management framework
- What is the manner, timing and frequency of the testing exercise? Who leads this activity?
5. Respond to and recover from disruptive events
- How will the response and recovery strategies enable the BSFI to reduce material harm to customers, BSFI, and the financial system caused by operational disruptions in critical operations?
- Has the BSFI developed strategies and procedures to mitigate the harm caused by operational disruptions to consumers in particular, and minimize risk to the market integrity?
- Has the BSFI developed an incident response plan to ensure the delivery of critical operations throughout the disruption? Does it cover the life cycle of the interruption, the steps to ensure the delivery of essential operations and the respective roles and responsibilities involved in its implementation?
- Has the BSFI developed internal and external communications plans in case of disruptions to the critical operations?
- What is the policy for periodic review of the incident response plan?
6. Review, refine and update risk management and operational resilience framework.
- Is there a database containing all incidents or disruptions that affect critical operations? Does it capture information on actions taken on these incidents?
- Has the BSFI developed a mechanism to review these incidents regularly and integrate the actions taken on the operational resilience framework with the overall enterprise-wide risk management?
- Who will initiate or lead the review or update of the operational resilience framework? How frequent is the review process?
Additional Question on the Self-assessment Questionnaire (SAQ)
- What is the governance/approval process for the SAQ?
- Which personnel/unit(s) are responsible for preparing the SAQ?
Part II. Summary
1. Overview of the BSFI’s OR plan
- Given the identified gaps and action plans, what is the BSFI’s holistic transition plan in adopting an OR framework? What are the critical vulnerabilities/gaps identified, and what is the BSFI’s timeline to remediate this to achieve operational resilience?
2. Strategies
- What are the critical strategies in becoming operationally resilient?
3. Challenges Encountered
- What are the challenges/limitations encountered in the adoption and execution of the BSFI’s OR Framework?
- What are the key strategies of the BSFI to address these challenges and achieve operational resilience?
4. Board Approval
- Provide details of Board approval on the accomplishment of the SAQ.
5. Remarks
- This portion may also be used to provide additional information.
Summing Up...
The Self-Assessment Questionnaire (SAQ) on Operational Resilience Framework is a vital tool designed for BSP-supervised financial institutions (BSFIs) to evaluate their readiness against operational disruptions. With the evolving regulatory environment, the SAQ aims to help institutions assess their operational resilience (OR) capabilities while identifying critical areas for improvement. It encompasses a structured approach with a gap analysis, enabling BSFIs to align their frameworks with regulatory requirements and best practices.
The SAQ is organized into two main parts: the first focuses on a detailed gap analysis across various governance structures and key operational resilience elements. Institutions are required to assess their identification of critical operations, their tolerance for disruptions, and their mapping of interdependencies. It also prompts them to evaluate their business continuity management (BCM), incident response plans, and ongoing reviews of their operational resilience strategies. This comprehensive analysis not only supports the senior management and boards in understanding the BSFIs’ capabilities but also lays out the groundwork for a robust operational resilience framework.
As part of the implementation timeline, BSFIs must submit their transition plans within one year of the Circular's effectiveness, outlining their identified gaps, action plans, and timelines for remediation. The second part of the SAQ summarizes the institution’s OR strategy, highlights challenges encountered during the adoption process, and emphasizes the importance of board approval and ongoing updates to the resilience framework. This structured self-assessment ensures that BSFIs can effectively navigate the complexities of operational resilience while complying with regulatory expectations.