2024-10-28

Circular No. 1203: Guidelines on Operational Resilience

The Bangko Sentral ng Pilipinas issued Circular No. 1203 to amend existing regulations and require Bank Supervised Financial Institutions to establish frameworks ensuring the continuous delivery of critical operations during significant disruptions. The guidelines mandate that institutions identify critical functions, set tolerance levels for disruption, map interdependencies, and integrate operational resilience into their broader risk management and governance structures. Implementation is phased over three years, requiring self-assessments, framework development, and public disclosure of the operational resilience approach in annual reports.

Philippines

Bangko Sentral ng Pilipinas

, * . , ' '..,:? BA N G 1< ' A",,.. ,,' OFFICE O '.*. ;,* OFFICE OF THE GOVERNOR Series of 2024 Subject: Guidelines on Operational Resilience The Monetary Board. in its Resolution No. 1170 dated 10 O approved the guidelines on operational resilience in line with th B ' ' thrust to foster continuous delivery of services to sup ort inclu ' d economic growth. The guidelines aim to promote and stren then th B k Supervised Financial Institutions' (BSFls) ability to inaria e and ITiit' t th disruptions. particularly on their critical operations. Section I. Section 146h46-Q of the Manual of Re Lilation f ' B (MopB)/Manual of Regulations for Non-Bank Financial Instjt t. ' "Operational Risk Management" are hereby ratit!ed' and ame d d t guidelines on operational resilience. and shall now read. as follow . 1461/46~Q OPERATIONAL RISK MANAGEMENT AND OPERA 710NAL RE I. Operational Risk Management CIRCULAR No. 1203 OFFICE OF THE GOVERNOR xxx Supervisory enforcement actibns. xxx. Sanctions in a like b a bank/QB and/orits directors, officers and/or employees' If Guidelines on Operational Resi7ience. Policy Statement. Consistent with the Bangko Sentral's mandate to promote fi ' I I ' ' the Bangko Sentrai aims to strengthen the operational resilience f 't financial institutions or their ability to manage and initi ate tl disruptions on their critical operations. to support the sriTooth fLi t' real economy. Scope of Application The guidelines on operational resilience shall apply to all BSFi 2 BS prepare their operational resilience framework on a solo and 1'0 'd b applicable. The group-wide operational I'esilience framework sh 11 parent bank/QB and all its material entities. including subsidiar banks/ B . I h design of its operational resilience framework, the BSFl shall c d elements and principles embodied in this Section. 
Forei n bank b ' h refer to the operational resilience frailtework of their res ective H d Off' adopt relevant policies and procedures that are consistent w'th th . All references to Section 146n46-Q where tile title of tlte Section was mentioned I Id amended title. P ace with the Including non-bank e-money issuers IEMlsj but excludiitg designaLed a in I infrastructures that are intercomtec. ed to designatecl paymenl s st d 15qyments systems who serve as critical service providers unless these , Page I of 8

, , , provisions of this Section and coinmensurate with the scale of the' t' the Philippines. Definition of Terms' Operat/o178/ res/716.17ce is the ability of a BSFl to deliver critical o er t' through significant operational disruptioim. This @11com asses the BSFl' ability to identify and mitigate threats and potential failure. Ian. I'es o d, restore. and learn from disruptive events to minimize jin act o1 d I' of critical operations through disruptions, Critical operations include critical functions and invoiv t' ' ' processes. services and their relevant supporting assets the disru tion of which could cause material harm to the customers or to the co t' d operation or viability of the BSFl and/or its role in the financial s stem. Supporting assets refer to people, tech nology. information, and faci!it' necessary for the delivery of critical operations. These may includeinte I process. IT systems. clearing and settlement facilities and outs d services necessary foi' the delivery of critical operations, am on oth Determining whether a particular opei'ation is "critical" de end th nature of operations of the BSFl and its role in the financial s stern. GIIt^^81 functibns refer to activities perfoi'med for third parties. includ' external customers, where failure would lead to the disru tion of that are vital for the BSFl's viabiiity, the functioning of the econon, f financial stability due to the BSFl's systemic inTPOitance, size or in k t share, external and internal in telconnectediiess. complexit . and border activities. Examples include servicing of withdrawals. t . settling. A custody, certain lending and deposit taking activities. clea ' d Operational d/:5.1uption is an event or occurrence that jin d I continuous delivery of critical operations. It can be due to inari- d causes, such as cyber attacks. social engineering schemes, tel'1'01'ist thre t or attacks, insider abuse or fraL!d. 
o1' natural causes, such as earth k , typhoon, or tsunami, Tolerance ford/$/upti0/7is the maximum level of disru tion on th BSFl' critical operations arising from any type of operational risk events hazards that the BSFl is willing to accept considering a ran e of sev I plausible scenarios. In determining this, it is important to consider the f t point at which disi'uption to critical operations would cause I t ' I harm to customers or risk to market integrity and financial stabi!it . A BSFl's tolerance for disruption is applied at the critical a erations I I. Mater7191e/7t/ties shall refer. at a minimum, to the bank'SIQB's subsidiai'ies and affiliates. as defined Linder Section 131A31-Q' (Definition of Term I. which represent a significant poition of the balance sheet or busi activities of the parent bank/QB. g. Serv/be prov/ders include third parties, intragroup entities (i. e. entities within a group such as parent, subsidiary or affiliate companies) and Iif a. b. c. d. e. f $ Resilience. pera 'iona Largely drawn from the March 2021 Basel CoinitTitlee on Bankiit Su ervi I P " " Financial Stability Board IFSBj Recovery and Resolutioit planning for s stenti 11 iitstitutioiTs. guidance o11 ideittificatioi, of critical functions and critical sha ed ., For pawnshops. please refer to Section 105-P IRegistered/Business Nan\e. ) Page 2 of 8

, , . applicable) other parties further along the supply chain' This includ providers of outsourced services. Operational Resiffence andits/riteraction wi'th Related P 0 7 Operat/bna/ res/I^^/?ce is an end state or outcome wherei th BS demonstrates that it can continue to I'ender its critical o ei'ati th ' h significant disruption. reducing the impact on its customers d th financial system. This contributes to reinforcing the BSFl's viabilit d significant disruptions. promoting the financial system's res'I' d stability and servicing the real economy, Critical to achievii th' h recognition that disruptions will occur, ITecessitatii, forward I k' assessments, including emerging risks, as well as careful Iannin d preparation to respond accordingly. as part of the BSFl's overall ' k management. Operational resilience. therefore, is not a stand -alo objective. Rather. it needs to be integrated with the BSFl's structures and other related risk management processes. such operational lisk. business continuity. information a rid coinmunic t' technology (ICT) including cybersecurity. third party I'isk. and recover I Operat/bna/ Ptsk Managen7e/7t'. The operational I'esilience frant I intricateIy linked to the operational risk management functi . Wl 'I operational risk pertains to the risk of loss resulting from in ade u t failed internal processes, people or systems. or from external operational resilience views the impact of these individual factoi's on th ability of a BSFl to continuously deliver its ci'itical operations. O t' I resilience goes beyond reducing the likelihood of occurrence of a eratio I risk events or the amount of operational loss that may be SLiffered b th BSFl. While operational risk management focuses on the losse th t b caused to the BSFl, operational resilience considei's the t f disruptions to critical operations or the harm tlmat failure to deli ' ' I operations may cause not only to the BSFl but to its customei's d th wider financial system. 
Business Gol7tihu/q1 Mar7agen7ent'(BCM/ is an essential coin orient f operational I'esi!ience. Both support the continuous business o erati when unexpected events occur. BCM focuses on individual oints of f 'I while operational resilience complements this by lookiit into th d- end delivery of critical operations. The crisis management fra k. part of BCM. is activated o1' triggered during disi'uptive events. M h'I . the operational resilience framework covers an expansive set of ca ab'It' including crisis management. to achieve resilience across a broad ran f disruptions. cybersecurity'. Cybersecurity refers to technologies, processes, and practices designed to protect the BSFl's information assets and cot including third parties, by preventing. detecting. res 90ndin t d recovering from cyber-attacks. BSFls 51.0uid continually assess c b related attacks and incidents relative to their coinputin environ t d understand the evolving cyber threat landscape to institute a ro xi t a. b. c. d. Basel Committee o1t BankiiTg Supervision. Core principles foi' effective bankii, s ' The Bangko Sentral's Operatioiial Resilience Guidelines complement Ihe exi t' I' ' Regulations on Operational Risk ManageiYient. Business Continui. Maria t. IT Cybersecurity. and Outsourcing Frameworl<. ' Section 146h46-Q. For other NBFls. please leier to Section 125-NII63-T. as a Ii bl . Section 1491/48-Q. For other NBFls. please refer to Section 146-Sri43-Ph27-NII64-T. as a I' b ' Section 1481/47-Q. For other NBFls. please refer to Section 145-SII42-PA26-N. as I' bl . Page 3 of 8

. . , cyber resilience capabilities. A strong cybersecui'ity program allow f detection of risks to operational resilience, influences c ber se t priorities, and enhances cyber resilience. An effective resilience I , which includes identifying critical operations and tolerance for disru tio and considering the threat landscape, is essential in su ortin d achieving the BSFl's operational resilience. Third Party Risk Mar7agei77ent". Over the years, BSFls have d use of third-party service providers in the delivery of financial s including those that are integral to critical operations. While the use oftl ' d- party service providers enables BSFls to benefit from available ex, erti d synergies. this has contributed to heightened complexity and in a red oversight over potentialvulnerabilities in the delivery of critical o e t' BSFls should ensure that third-party service providers for roces tl feed into their critical operations have at least the e u' I t I operational resilience as established by the BSFl durin "business scenarios" and in the event of disruption. The princi Ies on outs arrangements shall apply to third party risk management for o eratio I resilience purposes, KeyE/ements of Operational Resiffence Utilize existing governance structure to establish. overs , d implement an effective operational resilience ap roach. G structure covers the roles and responsibilities of the board of dii'ecto d senior management on the various stages of opei, at ional resiliei starting from development up to appi'oval. implementation. ai\d on oin review or enhancement of the operational I'esilience framework. Tl board of directors shall be primarily responsible for the oversi It d approval of the operational resilience framework as well as the 1'01es of tl three-lines of defense for operational resilience. It shall ensure tl t tl f' line or the business units and internal controls. the second line or th .' k management function and compliance. and the tltii. 
d-line o1' th ' t I audit, adhere to the principles of operational resilieiTce. Meanwh'I . I senior management shall take tlTe lead in implementing the o eratioi I resilience fi'amework. assessing the BSFl's operational resilience ca abil't . and communicating the necessary remedial actions to the bo d f directors, Determine critical operations, tolerance for disruption, and seve e b t plausible scenarios. TITe basic building blocks of o ei'at ional 'I' include the initial steps of identifying the BSFl's ci'itical operations, settin of tolerance for disruption and determining the range of severe b t plausible scenarios. of varying nature, seriousness. and duration relev t t its business and risk PI'ofile. These are essential in prioritizin crit' I operations and determining capabilities to withstand and abs b disruption within the tolerance level acceptable to the BSFi, cons'd " the range of adverse scenarios identified. Map interconnections and interdependencies. Understandin tl operations, interconnections and interdependencies allows BSFls t identify and resolve vulnerabilities that exist in the delivery of critical operations. BSFls should map the chain of activities in the deliv f critical operations, especially those arising from the network of e a. b. c. Section 112AIT-Q. For other NBFls, please refer to Section 113-SIIT2-PA02-NAT2-T. as a I' bl 1481/47. Q. For orher NBFls. please refer to Sec. 145-51142. PA26-N. as a 31icabl . Section Page 4 of 8

. . interconnections and interdependencies and those that are f service providers. This will enable the BSFls to holisticall sources of vulnerabilities and invest in appropriate resilience before disruption occurs so that BSFls can remain within the' t I for disruption. It also complements the develo merit of b plausible scenarios that point to vulnerabilities alon the involved. Plan and manage risks to critical operations. After identify in cr't' I operations and the related interconnection SIinterde endencies, t equally jinportant to plan for and manage the material and/or elmer risks or events that will hamper the continuous delive f ' ' operations to the customers and affect the BSFl and financial s t h' is riot a silo approaclT but rather rigcessitates levera in on ' t' working relevant risk management framewoi'ks of the BSFl, f integrated and enterprise-wide appi'oacit to inaria in risk with the delivery of critical operations. In this regard. BSFls are consider risk management components with nexus to resilience such as operational risk. business continuity, third ai, t ' k. information and technology risk. Test ability to deliver critical operations amidst disru t' but plausible scenarios. Operational resilience builds o th process of business continuity management and periodic testin to gauge the BSFl's ability to deliver critical operations throu I severe but plausible scenai'ios. Recognizing that disruptions will o ', th BSFl must make an exhaustive and informed identificat' f d' " events and incidents. of varying degrees. nature. duration. and I 'b'I' that may affect the delivery of its ci. itical operations. This h Id encompass the identified interconnections and interde end internal and external. The periodic testing exercise shouicl sh I personnel's operational resilience awareness and its results sh Id ' f refinements in the operational resilience framework. Respond and recover from disruption. 
When a disru tioit occurs ff t' the BSFl's ci'itical opei'at ions. the BSF! should ITave the abil't t manage and deliver critical operations consistent with its i t d operational resilience framework. This should include. am on ath I delineation of the roles and responsibilities and succession of auth t the event of disruption; and aiT incident response plan that c t ' k steps to handle the disruption and assess how it will affect the BSFl' appetite and tolerance for disruptioiTs. As part of its incident res I and to strengthen its response capabilities, the BSFl should in ' t ' catalogue that includes an inventory of incident response and actions. roles and responsibilities of key officers/personnel as well as internal and external resources. The incident response Ian should c t the life cycle of a n incident. classification of events o1' disi'u it ions b d severity, response and recovery procedures and coininunication Ia . A1 it should be periodically tested, reviewed and updated, Review, refine and update risk management and o eration I 'I' framework. Operational resilience should be integrated with th BS ' overall enterprise-wide risk management approach. Mai t ' operational resilience posture is a continuous activit . Accordii I , th operational resilieimce framework nTust be dynamic and eriod' 11 reviewed, refined and updated to I'emailT in line with the BSFl' ' k appetite, tolerance for disruption. business model and coin Iexit . d. e. f. g. Page 5 of 8

. . others' Reviews should be conducted regularly or when necessar (e. , when there are material changes in the operations or business activ't' f the BSFl). 7561, ,"Q-702. ,, More detailed guidelines on each of these elements are outlined ' A Reporting and Notification Requirements. BSFls shall disclos th ' . A Report the overarching a pproach to operational resilience. This includes r 'd ' an overview of the operational resilience approach and key information th operational resilience components. Moreover. the BSFl shall inf th appropriate supervising department of the Bangko Sentralwithin twent ~f0 (24 hours from activation of the incident I'esponse platT for critical t' notification shall indicate the following information, annon others, a I' bl : Nature, duration and root cause of the disruption; a. b. Affected critical operations and impact of the disruptioiT on the d I' of critical operations; Status if tolerance for disruption is bi. eached: and Actions that have been taken and/or intended to be taken by the Management to continue delivery of the a'itical operations. The report may contain initial infoi'matioit available as of tl I'eporting timeline. The Bangko Sentral may I'equest additional information it deems wariented c. d. If the incident also qualifies for event-driven I'e ortiit Lind S 148A47-Q". there is ITo need to file a separate repoi't as requii'ed in this S t' Meanwhile, operational risk events which are covered by the re ort I'e "I d ' this Section shall no longer require a separate I'eporting undei' SectioiT146/146- 13 However. submission of the incident 101.0rt required herein shall not I BSF! from complying with the existing regulations on I'e ortin f losses under Section 1731/72-Q14. Supervisory Review by t/Ie Bangko Sentral The Bangko Sentral shall ' the operational resilience framework of the BSFl as part of the overall su process, focusing on assessing the robustness. credibility. 
and feasib'I't f delivering critical operations through disruption and wit!Tin the BSFi's d f d tolerance for disruption. Supervisory enforcement act/o17s. Consistent with the rovisions f S t' 0021002-Q", the Bangko Sentral may deploy appropriate supervisory enfoi'cement actions to promote adherence with the requirements set forth in this Secti d bring about timely remedial actions. Section 2. Sections 142-SII25-NAGS-T of the MORNBFl shall be revised and Section 131-CC shall be added in the MORNBFl, as follows: 'Section 142-S RISK MANAGEMENT FUNCTION 12 For other NBFls, please refer to Sectioiis 145-SII42-PrtZ6-N IReporLing alld Notific I' SL d ' applicable applicable For other NBFls. please refer to SectioiTs 125-NAGS. T INotification/ ReportiiT to Ba k S t I . For other NBFis. please refer to Sections 162-Sri61-PI901-NAB3-T (Report o11 crimes/loss I. For other NBFls, please refer to Sections 002,51002-PIOOl-NIO02-T. as applicable 13 Page 6 of 8

. . . , . . XXx Chi^f Ptsk Officer ICPO/ xxx Operatrbna/ Resilience. 7/7e provi:;10/7s of Section 746-Q 81 d A d' o17 Operat/bna/ Res//^^/7ce guidefines SITa// gove/77 17017-sto k assoc/atIbns to the exte/7t app//table. " RESILIENCE NAL "Section 125-NII63~T OPERATIONAL RISK MANAGEMENT AND OP Xxx Supervts. 0^yEn, brcementActio, ,s. xxx Operational Resifience. 717e prov/:s^ions of Sect/'o17 746-Q d on Operational I;'esi/^^rice guide//hes SI7a// govern ot/ref -b I lbst/tut/bn$-'trust coll70rat/bns to t/7e extent applicable. " "Section 131-CC Operational Resilience The prov/31'017s of Sectib/7146. Q 817dAppe/7div Q-102 o17 0 e/' t' ' ' 9u/del^hes 5178/190vern nor7-ba/?k c/ed/I' card 1:5^suers to t/7e ext t . " Section 3. Transitory Provisions, The followii, tovisio implementation of the requirements of this Circular shall b Guidelines on Operational Resilience: footnote to Section 146 of the MORB and Section 146-Q of the MORNB , Phase I- Within one (1) year from the effectivity of the Circul ' - All shall submit to the appropriate supervising department of the B k Sentral an accon. PIished Self-Assessment Questionnaire (A A comprised of a gap analysis and action plans to coin 31 w'th th requirements of this Section. Phase 2 - Within two (2) years from the effectivity of the C' I universal, commercial and digital banks and complex non-b k BS specifically identified by the supeivising department based o tl ' ' systemic importance, shall have developed and/or inte rated t! operational I'esilience frameworl< within their existin risk in systems. with due consideration of the applicable re uirement tl ' Section, Disclosure of key eleittents of operational resilience in th A I Report shall commence after Phase 2. 
Phase 3 - Within three (3) years fi'om the effectivity of the Circul r - All tl 'it and rural/cooperative banks and other BSFls shall have develo, ed and/ integrated the operational resilience framework with their exist' ' k management systems, with due consideration of the I' bl requirements in this Section. Disclosure of key elements of t' I resilience in the Annual Report shall commence after Phase 3. Section 4. Section 175 of the MORB, as amended by Circular N . 1186 d December 2023. and 174-Q of the MORNBFl on disclosui'e re uii. en t report. are hereby amended to read. as follows: xXX a. b c. Page 7 of 8

"175 DISCLOSURES TO THE PUBLIC

xxx

Disclosure requirements in the annual report. xxx

xxx

All banks shall prepare an annual report which shall include a discussion and/or analysis of the following minimum information in no particular order:

xxx

g. Audited financial statements (AFS). xxx;
h. Information on sustainable finance as required under Sec. 153; and
i. Information on the operational resilience approach as required under Section 146.

xxx"

"174-Q PUBLIC DISCLOSURES

Disclosure requirements in the annual report. xxx

xxx

All QBs shall prepare an annual report which shall include, in addition to the AFS and other usual information contained therein, a discussion and/or analysis of the following minimum information in no particular order:

xxx

g. Corporate information;
h. Audited financial statements (AFS); and
i. Information on the operational resilience approach as required under Section 146-Q."

Section 5. Effectivity. This Circular shall take effect fifteen (15) calendar days following its publication either in the Official Gazette or in a newspaper of general circulation.

FOR THE MONETARY BOARD:

BERNADE Off rge O-PUYAT

Appendix 156/Q-102

OPERATIONAL RESILIENCE GUIDELINES
(Appendix to Section 146/146-Q)

Governance Structure

1. The board of directors shall be primarily responsible for the oversight and approval of the operational resilience framework that enables the BSFI to identify and prepare for, respond and adapt to, and recover and learn from operational disruptions.

a. Operational resilience framework shall be aligned with the overall governance and risk management system of the BSFI. In this regard, the existing governance frameworks and committees that exercise oversight on related areas shall consider operational resilience in their business objectives and strategies in the lens of critical operations.

b. For a holistic approach, the development of operational resilience framework should leverage other related elements of risk management, such as operational risk, business continuity, third party risk, and ICT and cybersecurity risk, as applicable. A clear mechanism for coordination and collaboration shall be established between and among these relevant functions to strengthen the BSFI's operational resilience.

c. The operational resilience framework shall clearly communicate and promote understanding of the relevant internal and external parties' roles and responsibilities with respect to the overall operational resilience approach and objectives.

2. The senior management shall implement the operational resilience framework and ensure efficient and effective allocation of resources and capabilities for this purpose.

3. The senior management shall be responsible for ensuring the conduct of an overall assessment of the BSFI's operational resilience capabilities and periodic reporting to the board of directors/board-committee. This will allow the board of directors to assess the BSFI's capabilities to remain within its set tolerance and deliver critical operations through disruptions. The board of directors shall periodically review and continuously gain sufficient understanding of the BSFI's operational resilience profile and capabilities through senior management's information and reports.

4. The senior management shall implement remedial actions necessary to ensure that resources and capabilities to remain operationally resilient are timely communicated to the board of directors. This will aid in the decision-making by prioritizing activities or target investments that will help improve operational resilience or focus on critical operations which will have the most significant impact when disrupted.

5. The board of directors shall oversee the three lines of defense for operational resilience and ensure that these functions are operating as intended:

a. The first line is responsible for ensuring that all the resources needed in the end-to-end delivery of critical operations are identified. This should include those provided by a third-party and in certain cases, those that are sourced by the third-party from other service providers. The first line also ensures that risk exposures are aligned with the established tolerance for disruption for each critical operation. The first line shall ensure that material operational resilience-related information (e.g., loss events, incidents, etc.) are adequately and timely escalated to senior management/board of directors and communicated to the relevant independent control functions.

b. The second line is expected to assess the end-to-end activities of critical operations and their extent of exposure to operational disruptions. It should conduct periodic review to ensure that internal controls are in place for critical operations and continue to adapt to the changing environment. It should also ensure that risk exposures of the resources for critical operations are well managed to allow critical operations to remain within the tolerance for disruption.

c. The third line assesses the design and ongoing effectiveness of the BSFI's operational resilience efforts. It should challenge the first and second lines on the appropriateness of the resources for critical operations to operate within the tolerance for disruption.

Key Elements of Operational Resilience

1. Determine critical operations, tolerance for disruption and severe but plausible scenarios

a. Identifying critical operations

i. Criteria for identification of critical operations. BSFIs should have a board-approved criteria for identifying and prioritizing critical operations. The approach in determining critical operations may vary across the BSFIs but shall consider relevant factors, such as the impact of a disruption on the operations to the BSFI's viability, its customers, or its role in the financial system. The identification process should cover the end-to-end activities necessary in delivering critical operations, rather than the individual people, process, or system.

The BSFI may take into account the business outcome approach to prioritize activities or services that when disrupted will pose material risks to its viability, or systemic risk to the financial system, as well as disadvantages to the customers and other stakeholders. Rather than focusing on a specific process or system of the BSFI, operational resilience entails protecting its critical operations to ensure continuous delivery throughout disruption.

BSFIs should also leverage or consider existing identification and classification of key functions or services in determining critical operations, such as those identified in the recovery plan.16 The number of identified critical operations should be commensurate with the BSFI's size, nature, and complexity of operations.

16 Guidelines on Recovery Plans of Banks under Section 156 (Circular No. 1158 dated 18 October 2022)

, Ident/fled cr/t/^81 operations. The Board should a identified critical operations which should be pro ortionate t tl nature. scale. and complexity of the BSFl's business. Theidentifi d critical operations will drive the subsequent steps of sett' tolerance for disruption and mapping of interconnection d inter dependencies, among others' Operational risk management function shall be utilized to identify and assess vulnerabiiities, and manage. to the extent 30ssible. th operational risks affecting critical operations. BSFls in a al leverage other frameworks to establish linkage or distinctio f critical operations with respect to operational resilience vis-a￾others, business continuity management and recovery plannin . am on The identification process shoLild be dynamic and tak t changes in the elements of critical operations, lessons learned f disruptions and new threats or vulnerabilities. The ro " t d effectiveness of this process should be periodically assessed. Setting tile tolerance for disruption BSF!s shall set the tolerance for disi'uption on each idei, tifi d ' ' opei'at ion. In the context of operational resilience, a disru t' assuined to occur given various severe but plausible scenarios. F this reason. tolerance for disi'LIPtion shall be set as the in level of disruption that the BSFl is willing to acce t on it 't' I operations, In establishing clearly defined tolerance for disruption, BSFls h 11 consider either or both quantitative and qualitative in t ' . Th' shall include. at a minimum. a time-based Inetric which a . 11 sets the acceptsble timefiame o1'5chedule that BSFls will b bl restore the delivery of critical operations befoi'e it could material risk to the BSFl and identified external stakeholders. Oth metrics shall be considered. such as the maximunT nu b customers or volume and value of transactions affected b tl disruption. 
BSFls may also leverage other metrics utilized in e ' t' frameworks and expound or link, as necessary with the deliver f critical operations, Tolerance for disi'uption should be tested a t severe but plausible scenai. ios to detei. mine its relevance d propriety. Tolerance for disruption shall aid the BSFls in assessin its 11 resiliency capabilities and drive improvements to stren tl operational resilience, particularly when tolerance is breached u on testing. The critei'ia on the elements of operational resilience. Del'ticularl the tai identification of critical operations, and (b) setti f tolerance for disruption shall be reviewed. challenged, and a , Droved by the board of directors, A mechanism should be in I t k the criteria responsive to changes and significant develo merits in 1/1. IV. b I. 11. 1/1 . IV. Page 3 of 8

. the business environment. in line with existing change inaria eine t process17. c. Determining severe but plausible scenarios. A robust operational resilience framework entails identifying a broad array of severe but plausible scenarios. of varying nature. degree, and duration. relevant to the BSFl's idiosyncratic risk profile and operations, and their impact o1T the delivery of the BSFl's identified critical operations. The scenarios must be informed b realisti assumptions distinct to the BSFl. its business, and its internal and external operating environment. Examples of scenarios that BSF!s are strongly encouraged to consider include the "Big One" or the worst-case scenario should the West Valley Fault move and generate a magnitude of 7.2 uake. severe typhoon. failure of critical third-party service provider. disturbances In payment and settlement systems. and a simultaneous or coordinated cyber attack/ransomware on a ITLiitTber of ba n ks. Map interconnections and inter dependencies BSFls should have an adequate understanding of how each of its c 't' I operations is being delivered. The BSFl should perform an end-to-end mapping of the starting point from how the critical operation is activated up to the ultimate delivery of the service to its client, A ci'itical operation may also involve a continuing process or iteration. BSFls should be able to identify key resources to kee , each c .'t' I operation running even in times of disruptions. These n, ay include. but not limited to, people, processes. technology and information facilities. and other resources including those undei' third~part service arrangen, eiTts. Mapping should extensively identify interconnections and interdependencies of the resources Ileeded. Doing this would allow determination of possible sti. ess or friction points within the chain, including the impact on the use of common IQsouices within the BSFl or even those that are external to the BSFl under certain ai'I'an eiYieitts. 
An acceptable mapping should identify vulnerability points and support the established tolerance for disruption for each critical operation.

When a third-party service provider is involved in the delivery of critical operations, the BSFI should have an adequate understanding of the extent of the role of the service provider, including the interdependencies of other processes to the provider. The BSFI should be aware of arrangements where the service provider further engages other providers that may impact the provision of a critical operation.

[17] A bank's operational risk exposure evolves when it initiates change, such as [...] or developing new products or services; entering into unfamiliar markets; implementing new business processes or technology systems or modifying existing ones; and/or engaging in businesses that are geographically distant from the head office. Change management should assess the evolution of associated risks across time throughout the full life cycle of [...] or service; Basel Committee on Banking Supervision, Core principles for effective banking supervision, April 2024.

Identification of these interconnections and interdependencies in the delivery of critical operations should inform, among others, the development of severe but plausible scenarios. Mapping exercise for operational resilience should be harmonized with the related activities in other risk management functions such as those in operational risk, third party risk, business continuity and ICT risk.

3. Plan for and manage risks to delivery of critical operations

Planning is critical to the BSFI's ability to manage all material and/or emerging risks or events that will affect the continuous delivery of critical operations to mitigate impact on the customers, on the BSFI and the financial system. This is not a silo approach but rather necessitates leveraging existing and working relevant risk management frameworks of the BSFI, for a holistic and integrated approach to managing risks associated with the delivery of critical operations. In this regard, BSFIs are expected to consider risk management components with nexus to operational resilience.

BSFIs should utilize their operational risk management process to continuously assess the external and internal threats, possible breakdowns in controls, processes, and systems, as well as vulnerabilities in critical operations and manage identified risks to critical operations. The operational risk management function should work with relevant functions to mitigate risks that will hamper the delivery of critical operations. There should be periodic assessment of the adequacy of controls and procedures, particularly those affecting critical operations, including in cases of changes to the underlying components of the critical operations, to consider lessons learned from disruptive events or to account for new threats and vulnerabilities.
BSFIs should utilize existing change management capabilities in line with the existing change management processes to assess potential effects on the delivery of critical operations and on their interconnections and interdependencies. The BSFI's change management process should be comprehensive, appropriately resourced, and adequately divided up between the relevant lines of defense.

When a third-party service provider is involved, the BSFI should conduct due diligence to ensure that the service provider aligns with the operational resilience framework of the BSFI. In the same manner, the BSFI should be satisfied that the service provider conducts the mapping process and supports the established tolerance for disruption. It should also consider the possible concentration of services to a limited number of service providers. No arrangement should be entered into when the service provider cannot comply with the tolerance for disruption as assessed during the conduct of due diligence.

Third-party service arrangements which impact critical operations must contain details of how critical operations should be maintained or serviced during disruptions or an exit strategy in case the service provider is not able to deliver the service. The BSFI should identify alternative arrangements including identifying substitutes or even performing the service back within the BSFI.

Dependencies on public infrastructure, such as telecommunications, transportation, and energy, should be assessed in terms of its impact on the BSFIs' critical operations and established tolerance for disruption.

The BSFI's technology and security are critical in maintaining a safe and resilient operating environment. Therefore, BSFIs should adopt risk-based strategies responsive to the evolving threat landscape that employ an integrated and multi-layer approach, ensuring the critical operations' IT environment and information confidentiality, integrity, and availability through disruptive events. The BSFI should ensure that these strategies have adequate authentication, authorization, and auditing controls to maintain the security of the critical operations' IT environment. The BSFI should also ensure that ICT protection, detection, response and recovery processes are regularly tested following an increasing complexity, considering severe but plausible scenarios, and relevant information are timely conveyed for risk management and decision-making processes to support and facilitate the delivery of critical operations. Likewise, the BSFI should evaluate the extent of its interconnections and implement appropriate risk mitigation measures to achieve its operational resilience goals and contribute towards improving the entire ecosystem.

4. Test ability to deliver critical operations amidst disruption under severe but plausible scenarios

The BCM, including the business continuity plan (BCP), should be integrated into the operational resilience framework, in line with the BSFI's overall risk appetite and tolerance for disruption. A forward-looking BCM that assesses the impact of potential disruptions on critical operations must be in place. In line with this, the BCM should cover the following:

i. Business impact analyses and recovery strategies, as well as testing,
awareness and training programmes;
ii. Bespoke and detailed guidance on the implementation of the incident recovery plan for critical operations, including defining the triggers for invoking the BCM, outlining the roles and responsibilities for managing operational disruptions, providing clear cut rules on succession of authority in case of disruptions affecting key personnel, and the internal decision-making process; and
iii. Communication and crisis management programs.

Periodic business continuity exercises, encompassing the identified critical operations and their interconnections and key dependencies, must be in place, using a range of severe but plausible scenarios. The scenarios must be informed by realistic assumptions distinct to the BSFI and its operating environment, considering disruptive events and incidents of varying degrees, nature, duration, and plausibility, that may affect the delivery of its critical operations. This may include [...] and natural calamities, failure of key service providers, and major cyber incidents. The BSFI may consider its own experiences or across the sector, or even cross-sectoral, as applicable, given the operating landscape. The BSFI can also leverage the identified scenarios in its existing risk management framework and consider operational resilience aspects.

[...] in Appendix 751Q-62

The BSFI shall employ a suitable mix of manner of testing exercises (e.g., tabletop, simulations or live testing) depending on their characteristics, objectives and benefits. It should also account for and manage the risks arising from the conduct of testing. The timing and frequency of testing should be informed by a range of relevant factors, such as the number of identified critical operations, significant changes in the BSFI's operating environment or nature and severity of identified disruptions, and impact of the disruption.

Competent and relevant personnel should be involved in the testing. The manner of testing will also drive, in part, the personnel, position and function required to be part of the exercise. The BSFI should consider that the business continuity testing should, among others, heighten the personnel's operational resilience knowledge and readiness to effectively adapt and respond to disruptions.

The testing may disclose a vulnerability in one process or function related to the critical operations, which may require remediation efforts, such as identifying alternative channel or substitute, process or system enhancement or staff training. The testing may also disclose a scenario where there is a breach of set level of tolerance, which warrants board and senior management action.

The results of the testing exercise must be documented and reported to the board. It must include, among others, the observed gaps or weaknesses as well as the adjustments made or needed to achieve operational resilience. The results of the testing exercise should also inform refinements or enhancements in the operational resilience framework, as appropriate.

BSFIs may leverage and/or enhance its existing BCM,
disaster recovery and/or recovery and resolution plans, and expand the same, to capture operational resilience principles and enable it to deliver critical operations through disruptions.

5. Respond to and recover from disruptive events

BSFIs should acknowledge that disruptions will occur, underscoring the importance of planning and testing their ability to deliver critical operations through disruption. This requires a change in perspective towards operational disruptions from a probabilistic approach to an expectation that it will happen.

When a disruption occurs affecting the BSFI's critical operations, the incident response plan should be activated. It should capture the life cycle of a disruption, contain key steps to handle the disruption to ensure delivery of critical operations and assess how it will affect the BSFI's risk appetite and tolerance for disruptions. It should also clearly delineate the roles and responsibilities and succession of authority during the disruption. Key officers and personnel should be identified and/or designated who will decide and implement actions to ensure delivery of critical operations through disruptions.

BSFIs should identify the full range of recovery options to enable critical operations to be maintained or restored within tolerance for disruption.

As part of its incident response plan, the BSFI should maintain a catalogue to support its response capabilities, such as key officers and personnel, internal and external resources that may be affected, response and recovery procedures, and communication plan.

Communication plan is a critical part of the operational resilience framework and incident management. An incident communication plan, with internal and external communication matrix, should be developed to ensure effective, timely and targeted communications during a disruption. This will ensure proper escalation and flow of information, decisions, and updates to stakeholders concerned. Key resources and experts to serve as focal spokesperson/s during disruptions should be identified for effective communication strategy.

Operational risk tools such as, but not limited to, loss events database should capture incidents that have the potential to disrupt the delivery of critical operations. For operational resilience, these incidents should be further examined to cover its full life cycle, from classification of incidents severity to response and recovery procedures, communication plans and root cause analysis to reflect lessons learned.

The incident response plan should be periodically reviewed, tested, and updated, including lessons learned from previous disruptions.

6. Review, refine and update risk management and operational resilience framework

Achieving operational resilience is a dynamic process. As such, learnings from experiences are critical to the continuous reinforcement of the BSFI's operational resilience approach. After experiencing and recovering from disruption, a stocktaking of lessons learned will enable the BSFI to reflect on the key components of its operational resilience framework, the actions and decisions made, as well as identifying what has worked and what failed. This will be useful inputs to refining the operational resilience framework and its key elements, considering among others, reflections on the following:

a. Root cause of the disruption and the vulnerability/ies exploited;
b. Impact on the delivery of affected critical operations;
c. Adequacy of controls, actions, and decisions made;
d. Duration of disruption until resumption of critical operations and if the tolerance for disruption remains; and
e. Necessary adjustments, if any, to remediate the gaps identified.

BSFIs are required to periodically review, refine, and update the operational resilience framework to ensure that it is aligned with their risk appetite, tolerance for disruption, business model and complexity, among others. Other events that could trigger review and/or refinements in the framework include material changes in its business and operating environment, critical operations, and tolerance for disruptions.

Annex A

SELF-ASSESSMENT QUESTIONNAIRE ON THE OPERATIONAL RESILIENCE FRAMEWORK

[...] of the BSP-supervised financial institution (BSFI)'s operational resilience [...] resilience capability [...] management and the bank supervisors' understanding of the BSFI's operational [...] submit to the appropriate supervising department a transition plan [...]

Part I. Gap Analysis

Column headings: Requirements of the Circular | Guide Questions[1] | BSFI's Compliance: Fully compliant (Details of Compliance[2]); Partially/Non-Compliant (Identified Gaps, Action Plan[3])

[1] This does not cover all the minimum considerations but suggestions of what may be [...]
[2] [...] e.g., process or policy applicable to the requirement

Guide Questions:
• Has the BSFI identified a board-level Committee in-charge of overseeing the integration of operational resilience principles with its existing risk management framework?
• Has the BSFI articulated the roles and responsibilities of the board and senior management for operational resilience?
• [...] business units, compliance, risk management function, and internal audit for operational resilience?
• Has the BSFI identified changes, if any, that will be made in the existing bank guidelines/processes (e.g., operational risk management, business continuity, outsourcing/third-party risk management) in order to align or integrate with the operational resilience approach?
• Has the BSFI identified material entities for a group-wide operational resilience framework?
• For foreign bank branches - Has the head office adopted an operational resilience framework? Is it being implemented for the Philippine Branch?
• Has the board approved the BSFI's operational resilience framework?
• Has the board discussed how the BSFI would respond if operational disruptions occurred?

[...] operations, tolerance for disruption and severe but plausible scenarios

• [...] identified critical operations, tolerance for disruption and range of severe but plausible scenarios?

a. Identifying critical operations
• Has the BSFI identified its critical operations? Did the Board approve the identified critical operations?
• How did the BSFI identify its critical operations? Please provide the criteria used, assumptions, and justifications on why said operations have been identified as critical.
• Are there any changes in the business model, processes or activities after identifying critical operations (e.g., resource allocation)?

b. Setting the tolerance for disruption
• [...] disruption and has it been approved by the Board?
• Has the BSFI developed a methodology or criteria in setting tolerance for disruption?
• Has the BSFI assigned personnel/unit(s) that are responsible for monitoring that the BSFI is operating within its tolerance of disruption?
• Is there a reporting mechanism to notify the BSP in case the BSFI activated the incident response plan?

c. Determining severe but plausible scenarios
• Has the BSFI identified scenarios that would directly impact its critical operations? Are these considered as severe and plausible scenarios? Why?
• Has the BSFI documented the basis for the severity of the scenarios?
• Has the BSFI considered among its scenarios the "Big One", severe typhoon, failure of critical third-party service provider, disturbances in payment and settlement systems, and a simultaneous or coordinated cyberattack/ransomware on a number of banks?

2. Map interconnections and interdependencies
• Has the BSFI identified the personnel primarily responsible for overseeing and conducting the mapping of activities involving critical operations?
• Has the BSFI mapped/identified the interconnections and interdependencies involving critical operations? If no, when is the expected timeline to complete mapping/identification process? What are the key sources and resources used to support the BSFI's mapping?
• Has the BSFI identified the key roles that support the delivery of critical operations and established the plans in case of unavailability of the individuals fulfilling these key roles?
• Are there third-party service providers involved in the delivery of critical operations? Does the BSFI set the requirements and coordinate with the service provider regarding its expectations for operational resilience to ensure delivery of critical operations through disruption?
• Has the BSFI identified any vulnerabilities in its mapping exercise? What are the vulnerabilities identified? Are action plans adopted or implemented to resolve such vulnerabilities?
• How will the mapping be kept up to date? Who is responsible for and what is the frequency of review/updating to ensure that it remains relevant and reflective of the BSFI's tolerance for disruption and critical operations?

3. Plan for and manage risks to delivery of critical operations
• Has the BSFI identified disruptions and vulnerabilities that may impact critical operations? Are the identified disruptions or vulnerabilities affecting only one or more than one critical operation?
• Based on the identified disruptions and vulnerabilities, are there sufficient plans, processes, and resources to ensure delivery of critical operations throughout the disruptive events? What are the changes made to ensure delivery of critical operations throughout the disruptions?
• [...] yet been remediated or where the Board has accepted a risk level?
• What vulnerabilities might arise from reliance on third-party services, if any? Are action plans adopted or implemented to address those vulnerabilities to support operational resilience?
• Is there a periodic assessment of adequacy of controls and procedures affecting critical operations, including in cases of changes to its underlying components?
• Is there a change management process? Are existing change management capabilities utilized to assess potential effects on delivery of critical operations and their interconnections/interdependencies? Is the change management process comprehensive, appropriately resourced, and adequately divided up between the relevant lines of defense?
• Has the BSFI adopted strategies to ensure the critical operations' information technology environment and information confidentiality, integrity, and availability through disruptive events?
• Has the BSFI assessed the substitutability of critical third parties, including the option to revert to in-house units in cases of failure with third-party dependencies?

4. Business Continuity Management (BCM) and Testing
• Is the BCM integrated into the operational resilience framework?
• Has the BSFI covered the identified critical operations and defined tolerance for disruptions in its BCM and testing? If yes, what are the key changes made, if any? If no, how does the BSFI plan to incorporate these in its BCM to achieve operational resilience?
• Does the BCM consider the impact of potential disruptions on critical operations given the set tolerance for disruption?
• Does the BCM cover the critical elements, such as business impact analyses, incident response and recovery plan and communication plan, to support delivery of critical operations through disruptions and to keep the same within the tolerance level?
• Is there a periodic business continuity exercise based on a range of severe but plausible scenarios [...] cover [...] operations?
• What are the identified scenarios and the assumptions used in identifying those events?
• Has the BSFI leveraged scenarios identified under existing risk management framework?
• What is the manner, timing and frequency of the testing exercise? Who leads this activity? Has the BSFI tested the ICT protection, detection, response, and recovery processes following an increasing complexity considering severe but plausible scenarios?

5. Respond to and recover from disruptive events
• How will the response and recovery strategies enable the BSFI to reduce material harm to the customers, BSFI and the financial system, caused by operational disruption on critical operations?
• Has the BSFI developed strategies and procedures to mitigate harm caused by operational disruptions to consumers and minimize risk to market integrity?
• Has the BSFI developed an incident response plan to ensure delivery of critical operations throughout disruption? Does it cover the life cycle of the disruption, steps to ensure delivery of critical operations as well as the respective roles and responsibilities in its implementation?
• Has the BSFI considered succession planning for the key personnel in the incident response plan?
• Has the BSFI developed internal and external communications plans in case of disruptions to critical operations?
• What is the policy for the periodic review of the incident response plan?
• Is there a database containing all the incidents or disruptions that affect the critical operations? Does it capture the life cycle of the incident and assess its severity? Does it contain information on the actions taken on these incidents?

6. Review, refine and update risk management and operational resilience framework
• Has the BSFI developed a mechanism to regularly review these incidents and [...] on the operational resilience framework and overall enterprise-wide risk management?
• Has the BSFI identified who will initiate or lead the review or update of the operational resilience framework? What is the frequency of the review process?
• What is the governance/approval process for the SAQ? Which personnel/unit(s) are responsible for preparing the SAQ?

BSFI's Response:

Part II. Summary

1. Overview of the BSFI's Operational Resilience Plan
Given the identified gaps and action plans, what is the BSFI's [...] adopting an operational resilience framework? What are the key vulnerabilities identified and what is the BSFI's timeline to remediate this to [...] resilience?

2. Strategies
What are the key strategies to become operationally resilient?

3. Challenges Encountered
What are the challenges/limitations encountered in the adoption [...] of the BSFI's operational resilience framework? What are the key strategies of the BSFI to [...] these challenges and achieve operational resilience?

4. Board Approval
Provide details of Board approval on the accomplishment of the SAQ.

5. Remarks
This portion may also be used to provide additional information.