2025 Operational Resilience Self-Assessment
2025 cycle · executive approval records board approval for demonstration purposes (PRA SS1/21 §7 self-assessment expectation).
Meridian Commercial Bank maintains an operational resilience programme anchored on eight Tier 1 important business services identified through the 2025 criticality cycle, each carrying board-approved impact tolerances expressed in time, transaction-volume, and value terms. Dependency mapping covers all Tier 1 services end-to-end across applications, third parties, premises, data centers, teams, and utilities, with criticality assessed at the individual dependency link. The programme operates on the three-lines model: first-line service owners author and maintain records, the Operational Risk function exercises independent review and challenge on every material record, and executive approval renders records authoritative. All changes are versioned and carried on an append-only audit trail.
Scenario testing in 2025 exercised the library's severe-but-plausible scenarios against Tier 1 services using both deterministic tabletop analysis and 10,000-iteration Monte Carlo simulation with elicited recovery distributions. Results demonstrated that most Tier 1 services remain within tolerance under single-asset disruption with documented workarounds. Material exceptions were identified: wire payments cannot demonstrably remain within the 4-hour restoration tolerance under a gateway or network-provider failure (no substitute path exists), and debit card authorization breaches its 30-minute tolerance under any scenario disabling the authorization switch or card network. Peak-day stress testing showed materially higher breach probabilities on payroll-concentration days, confirming the need for volume-sensitive recovery prioritization.
Four material points of failure were confirmed in 2025 and carry open remediation plans with accountable owners and target dates: the single wire gateway (active-active deployment under evaluation), sole wire-network connectivity (direct Fedwire contingency re-establishment approved for 2026), the single card network with capped stand-in processing (dual-network issuance under assessment), and the unreplicated batch-orchestration tier (DR-scope extension funded and in flight). Additional vulnerabilities concerning contact-center surge capacity and armored-carrier concentration are tracked with second-line concurrence, the latter risk-accepted for 2026 with strengthened ATM cash buffers.
The Board has reviewed this self-assessment, including the important-business-service inventory, the impact tolerances and the reasoning that sets them at the first point of intolerable harm, the outcomes of scenario testing, and the register of vulnerabilities and remediation plans. On the recommendation of the Chief Operating Officer and the Operational Risk function, the Board approves this self-assessment and confirms that the identified remediation programme and its funding reflect the Board's prioritization of resilience investment. Approved at the meeting of 20 November 2025.
- Submitted (1st line)Daniel Okafor (2nd Line)
Oct 15, 2025, 03:00 PM - 2nd-line reviewDaniel Okafor (2nd Line)
Oct 28, 2025, 03:00 PM - Executive decisionElena Vasquez (Executive)
Nov 20, 2025, 03:00 PM
Approved — authoritative — no action available to your current role. Use the role switcher to act as the next participant in the three-lines workflow.
No challenge commentary yet.