PSCP Function Categorization Table

Public Service Continuity Plan Part

DBP RA Guidelines

RISK ASSESSMENT
What are the GOALS of DBP's RISK ASSESSMENT (RA)?

• To (1) IDENTIFY, (2) ANALYZE and (3) EVALUATE the BUSINESS DISRUPTIVE RISKS inherent in the Bank's critical functions.
• To DETERMINE the Bank's OVERALL RISK PROFILE in relation to business continuity.
• To IDENTIFY PRIORITY RISK AREAS and ADDITIONAL CONTROLS that can be implemented to better manage these risks.

What is/are the RISK/s that I can identify as the RISK/s applicable to the function?

• The threats and vulnerabilities related to business continuity can be found in the THREAT PROFILE TAB.
• Each FUNCTION CAN and DOES have MULTIPLE INHERENT RISKS. ALL THREATS APPLICABLE SHOULD BE INCLUDED.

Example (FUNCTION: Deposit Servicing):

THREAT | VULNERABILITY
User errors | Absence of correct classification, labelling, inadequate version control/improper training, social engineering, lack of awareness, no segregation of duties
Physical & environmental threats - Natural disasters (sandstorm, flood, fire, tsunami, earthquake, hurricane); Manmade acts (riot, deliberate destruction, theft, terrorist attacks, war, transport disturbances) | Unauthorised physical access, seismic zone, proximity to sea, lack of security awareness & accountability, lack of labelling, handling & classification systems (to identify critical assets), lack of contact with authorities, no contact with special interest groups, lack of control on asset movement, lack of monitoring mechanisms
Unavailability of system | Lack of continuity planning, hardware failure, back-up tape failures, lack of AMCs
Power Supply failure | No power backup, frequent power failure, no generator or UPS, lack of appropriate cabling, lack of AMC, lack of physical controls, lack of appropriate monitoring, lack of capacity planning
Ethical Integrity | Disgruntled employees
Loss of information | Improper access controls, improper physical controls, lack of backup methods, lack of controls on restoration methods
Loss or absence of key assets | Absence of personnel, incapacitation
Raid/robbery, cash-in-transit ambush, defective branch CCTV camera and monitor, defective teller's foot alarm, out of order money clip alarm | Crime opportunity in branch banking operations, lack of adequate security mechanisms or failure to maintain them properly

BUSINESS IMPACT ANALYSIS (BIA) WORKSHEET COLUMNS

ORGANIZATION
• DEPARTMENT: Please identify your department below.
• UNIT: Please identify your unit below.

FUNCTION
• BUSINESS FUNCTION (as found in the Desk Manual): Please identify your CRITICAL business functions below.

BUSINESS IMPACT ANALYSIS - FUNCTION'S CHARACTERISTICS
• Peak volumes or critical times of this function: daily, weekly, monthly, etc.
• Reason for the peak time: please put reason/s below.
• Does this function have a direct financial effect to the Bank? YES / NO
• If YES, how much is the average transaction per day? In PhP Thousands; Type of Transaction

BUSINESS IMPACT ANALYSIS - FUNCTION'S HARDWARE/SOFTWARE DEPENDENCY
• Depends on any hardware? YES / NO
• Please identify the hardware: please list down
• Depends on any software? YES / NO
• Please identify the software: please list down

BUSINESS IMPACT ANALYSIS - TOLERANCE
• After a disaster, within which time frame do you need to have access for the above system/application? NO. OF HOURS / DAYS / WEEKS / MONTHS

BUSINESS IMPACT ANALYSIS - PERSONNEL DEPENDENCY
• Identify the individuals, positions, or offices within the Bank on which this function is dependent and briefly describe the dependency: Dept / Unit; Dependency (e.g. source of data / rules / transaction / policies, transaction approval, technical support, etc.); Contact Name; Contact No.
• Identify the individuals, positions, or offices outside the Bank on which this function is dependent and briefly describe the dependency: Dept / Unit; Dependency (e.g. source of data / rules / transaction / policies, transaction approval, technical support, etc.); Contact Name; Contact No.

BUSINESS IMPACT ANALYSIS - BACKLOG PROBABILITY
• If hardware / software is … YES / NO (question text cut off in the source)
• If YES, estimate the amount of backlog: No. of Transactions; In PhP Thousands

BUSINESS IMPACT ANALYSIS - RECOVERY
• After a disaster, within which time frame do you need to resume normal operations? NO. OF HOURS / DAYS / WEEKS / MONTHS
• Hardware resources needed for recovery? YES / NO
• Software resources needed for recovery? YES / NO
• How many employees are needed for functional recovery? NO. (VALUE)
• Are they all trained to undertake down-time procedures? YES / NO / NOT ALL
• Does this function ha… YES / NO (question text cut off in the source)

BUSINESS IMPACT ANALYSIS - BACK-UP DETAILS
• Is this documented? YES / NO
• How often is the application backed-up? NO. OF HOURS / DAYS / WEEKS / MONTHS
• How often is the data backed-up? NO. OF HOURS / DAYS / WEEKS / MONTHS
• Are back-ups stored in vault on premises? YES / NO
• Are back-ups stored in vault on portable storage? YES / NO
• Are back-ups stored in vault off-site? YES / NO
• What other locations do you keep back-ups?

BUSINESS IMPACT ANALYSIS - POTENTIAL FINANCIAL CONSEQUENCES
• Is there a possibility of incurring penalty / fine if this function is not done? YES / NO
• If YES, how much is the penalty / fine? In PhP Thousands; daily, weekly, monthly, etc.

BUSINESS IMPACT ANALYSIS - OTHER NON-FINANCIAL CONSEQUENCES (INTERNAL)
• Do other Department/s depend on this function? YES / NO
• How many Department/s depend on this function? NO. OF DEPARTMENT/S
• Do the other Department/s have alternative sources? YES / NO
• Does other Unit/s in your department depend on this function? YES / NO
• How many Unit/s depend on this function? NO. OF UNIT/S
• Do the other Unit/s have alternative sources other than your process? YES / NO

BUSINESS IMPACT ANALYSIS - OTHER NON-FINANCIAL CONSEQUENCES (EXTERNAL)
• Is this process related to external entities? YES / REMOTE / NO
• Would external non-regulatory non-DBP entities be knowledgeable of non-performance of this process? YES / REMOTE / NO
• Would the non-performance of this process negatively affect the image of the Bank? YES / REMOTE / NO


DBP (Business Disruptive) Threat Profile

Threat Profile (numbering as in the source; there is no entry 16)

# | Threat | Threat Classification | Vulnerability
1 | Organisational Security | Internal | Lack of awareness, lack of organisational coordination
2 | Unauthorised data access, unauthorised changes | Internal & External | Lack of adequate contract of third party, no RA, lack of access control, lack of OS controls, lack of network access controls, lack of application controls, lack of process for equipment repair, mixing of test, development and operational facilities/improper QA, improper Change Mgt
3 | Unauthorised access, unauthorised changes | Internal & External | Lack of physical security controls, lack of access matrix, lack of awareness
4 | User errors | Internal | Absence of correct classification, labelling, inadequate version control/improper training, social engineering, lack of awareness, no segregation of duties
5 | Physical & environmental threats - Natural disasters (sandstorm, flood, fire, tsunami, earthquake, hurricane); Manmade acts (riot, deliberate destruction, theft, terrorist attacks, war, transport disturbances) | Internal & External | Unauthorised physical access, seismic zone, proximity to sea, lack of security awareness & accountability, lack of labelling, handling & classification systems (to identify critical assets), lack of contact with authorities, no contact with special interest groups, lack of control on asset movement, lack of monitoring mechanisms
6 | Legal obligations | Internal | Non-compliance with legal and legislation requirements, inability to provide evidence
7 | Unavailability of system | Internal & External | Lack of continuity planning, hardware failure, back-up tape failures, lack of AMCs
8 | Malicious Code, Viruses | Internal & External | Improper control of software development, no antivirus updates, no co-ordination with special interest groups, no network controls, no email usage policies
9 | Interception and eavesdropping | Internal & External | Lack of cryptographic controls, no network controls, no controls on network monitoring/auditing tools
10 | System Failure | Internal | System failure due to lack of capacity planning and / or monitoring, lack of SOPs, lack of training
11 | Power Supply failure | Internal & External | No power backup, frequent power failure, no generator or UPS, lack of appropriate cabling, lack of AMC, lack of physical controls, lack of appropriate monitoring, lack of capacity planning
12 | Hacking, System compromise | Internal & External | Mis-configuration, no OS / application hardening, no monitoring / screening of security logs, no password policy
13 | Ethical Integrity | Internal | Disgruntled employees
14 | Contractual obligations | Internal & External | Contractual obligations not identified, Contract Risk Assessment not defined, failure of outsourced services
15 | Loss of information | Internal & External | Improper access controls, improper physical controls, lack of backup methods, lack of controls on restoration methods
17 | Loss or absence of key assets | Internal & External | Absence of personnel, incapacitation
18 | Software Malfunctioning | Internal | Lack of data validations, lack of control on internal processing, lack of change management, lack of separate test & production environments, lack of control to program source code, lack of technical reviews, lack of vulnerability management
19 | Raid/robbery, cash-in-transit ambush, defective branch CCTV camera and monitor, defective teller's foot alarm, out of order money clip alarm | Internal & External | Crime opportunity in branch banking operations, lack of adequate security mechanisms or failure to maintain them properly
Drop-down value lists used by the worksheets

FREQ: hourly, daily, weekly, monthly, quarterly, semi-annually, annually
YESNO: yes, no
YESNOPL: yes, no, not all
FREQ_DESC: hours, days, weeks, months
DEPENDENCY: source of transaction, source of data, source of regulations/policies, transaction approval, technical assistance/support
YESNOMAY: yes, no, maybe
YESREMOT: yes, remote, no

RISK_UNIVERSE
Pre-settlement Risk (Credit Risk)
Settlement Risk (Credit Risk)
Borrower Risk (Credit Risk)
Issuer Underwriting Risk (Credit Risk)
Proprietary Trading Risk (Credit Risk)
Investment Risk (Credit Risk)
Credit Concentration Risk (Credit Risk)
Credit Assessment/Packaging Risk (Credit Risk)
Price Risk (Market Risk)
Foreign Exchange Risk (Market Risk)
Gap /Re-pricing Risk (Interest Rate Risk)
Funding Risk (Liquidity Risk)
Market Liquidity Risk (Liquidity Risk)
Internal Fraud (Operational Risk)
External Fraud (Operational Risk)
Recruiting and Retention Risk (Operational Risk)
Performance Management Risk (Operational Risk)
Succession Planning Risk (Operational Risk)
Labor Relations Risk (Operational Risk)
Organizational Development Risk (Operational Risk)
Health, Safety and Environment Risk (Operational Risk)
Compensation and Benefit Risk (Operational Risk)
Client Relationship Management Risk (Operational Risk)
Multilateral Development Programs (Operational Risk)
Product Development (Operational Risk)
Sales and Marketing (Operational Risk)
Natural Events (Operational Risk)
Other Events (Operational Risk)
IT Integrity (Operational Risk)
IT Infrastructure (Operational Risk)
IT Availability and Continuity (Operational Risk)
Delivery and Support (Operational Risk)
Accounting, Reporting and Disclosure (Operational Risk)
IT Management (Operational Risk)
Internal Control (Operational Risk)
Business Continuity Planning (Operational Risk)
Third Party Relationship Risk (Operational Risk)
Information Security Risk (Operational Risk)
Public Service Responsibility Risk (Reputation Risk)
Corporate Social Responsibility Risk (Reputation Risk)
Public Relations and Government Communications Risk (Reputation Risk)
Board Performance Risk (Strategic Risk)
Tone at the Top Risk (Strategic Risk)
Socio-political Climate Risk (Strategic Risk)
Vision and Direction Risk (Strategic Risk)
Planning and Execution Risk (Strategic Risk)
Annual Budgeting Risk (Strategic Risk)
Joint Ventures, Alliance and Partnerships Risk (Strategic Risk)
Measurement and Monitoring Risk (Strategic Risk)
Business Acceptance Risk (Strategic Risk)
Macro-economic Factors Risk (Strategic Risk)
Competition Risk (Strategic Risk)
Contract and Liability Risk (Compliance Risk)
Anti-corruption Risk (Compliance Risk)
Intellectual Property Risk (Compliance Risk)
BSP Regulations Risk (Compliance Risk)
Basel II Risk (Compliance Risk)
Anti-money Laundering Risk (Compliance Risk)
Tax Compliance and Tax Authority Examination Management Risk (Compliance Risk)
International Dealings Risk (Compliance Risk)
Ethics Risk (Compliance Risk)

IDENTIFICATION OF MISSION ESSENTIAL FUNCTIONS

Columns:
• Organizational Function(s): Identify important functions the organization performs.
• Functional Requirement(s): Identify the requirements to perform each function.
• Mission or Non-Mission: Identify Mission versus Non-Mission criteria.
• Essential or Non-Essential: Identify Essential versus Non-Essential criteria (during a disruption).
• Function Category [AUTOMATIC]: Overall Category of Organizational Function, derived from the two preceding columns:
  Mission Essential → Q1: Mission Essential Function
  Mission Non-Essential → Q2: Deferrable Mission
  Non-Mission Essential → Q3: Essential Supporting Activity
  Non-Mission Non-Essential → Q4: Deferrable Supporting Activity

# | Organizational Function | Functional Requirement(s) | Mission or Non-Mission | Essential or Non-Essential | Function Category
1 | To provide legal advice and opinion to the SDS, ASDS and other officials of the Division in relation to the performance of their functions | Computer systems, communication tools and equipment, internet connection, letter requests, inquiry, informal and formal complaints | Non-Mission | Essential | Q3: Essential Supporting Activity
2 | To evaluate complaints and conduct investigation on cases filed against non-teaching personnel | Computer systems, communication tools and equipment, internet connection, order to conduct investigation, transportation, informal and formal complaints | Non-Mission | Essential | Q3: Essential Supporting Activity
3 | To draft actions/ endorsements on complaints and letters for signature of the SDS in accordance with the provisions of the law and DepEd rules and regulations | Computer systems, communication tools and equipment, internet connection, letter requests, inquiry, informal and formal complaints | Non-Mission | Essential | Q3: Essential Supporting Activity
4 | To interpret laws and rules affecting the implementation of various Division programs | Computer systems, communication tools and equipment, internet connection, issuances, laws, rules and regulations | Non-Mission | Essential | Q3: Essential Supporting Activity
5 | To prepare and review contracts, Memorandum of Agreements (MOA) and instruments to which the Division or any of its offices and schools is a party and interpret the provisions therein | Computer systems, communication tools and equipment, internet connection, contracts, MOAs/MOUs, other legal instruments | Non-Mission | Essential | Q3: Essential Supporting Activity
6 | To conduct investigations of complaints against teaching personnel as may be delegated by the Regional Office (RO) | Computer systems, communication tools and equipment, internet connection, letter requests, inquiry, informal and formal complaints | Non-Mission | Essential | Q3: Essential Supporting Activity
7 | To represent the SDO in court cases, when deputized by the Office of the Solicitor General (OSG) | Computer systems, communication tools and equipment, internet connection, letter requests, inquiry, informal and formal complaints | Non-Mission | Non-Essential | Q4: Deferrable Supporting Activity
8 | To continuously improve the services of the Legal unit | Computer systems, communication tools and equipment, internet connection, letter requests, inquiry, informal and formal complaints | Non-Mission | Essential | Q3: Essential Supporting Activity

FUNCTION CATEGORIZATION TABLE

MISSION / ESSENTIAL: (none)

MISSION / NON-ESSENTIAL: (none)

NON-MISSION / ESSENTIAL:
• To provide legal advice and opinion to the SDS, ASDS and other officials of the Division in relation to the performance of their functions
• To evaluate complaints and conduct investigation on cases filed against non-teaching personnel
• To draft actions/ endorsements on complaints and letters for signature of the SDS in accordance with the provisions of the law and DepEd rules and regulations
• To interpret laws and rules affecting the implementation of various Division programs
• To prepare and review contracts, Memorandum of Agreements (MOA) and instruments to which the Division or any of its offices and schools is a party and interpret the provisions therein.
• To conduct investigations of complaints against teaching personnel as may be delegated by the Regional Office (RO).
• To continuously improve the services of the Legal unit.

NON-MISSION / NON-ESSENTIAL:
• To represent the SDO in court cases, when deputized by the Office of the Solicitor General (OSG)
