Outsourcing DRP BCP


E. OUTSOURCING, DISASTER RECOVERY PLAN AND BUSINESS CONTINUITY PLAN


| Area of Assessment | Reference # | Criteria | Information Request | Assessment Rating |
|---|---|---|---|---|
| 1. Outsourcing activities | SP (39) | 1.1 The bank has established policies for managing the risks associated with outsourcing activities. | (a) Identify all outsourcing policies. | |
| | | 1.2 The board of directors and senior management have ensured that third-party activity is conducted in a safe and sound manner and in compliance with applicable laws. | (a) Describe the Board and senior management oversight of third-party activity. | |
| | | 1.3 Outsourcing arrangements have been based on robust contracts and/or service level agreements that ensure a clear allocation of responsibilities between external service providers and the outsourcing banks. | None | |
| | | 1.4 The bank is managing residual risks associated with outsourcing arrangements, including disruption of services. | (a) Describe the bank's process for determining the materiality of outsourcing arrangements. | |
| | SP (40) | 1.5 The Board and management have ensured that the expectations and obligations of each party are clearly defined, understood and enforceable. | None | |
| | | 1.6 The bank carries out an initial due diligence test and monitors third-party activities on a regular basis. | (a) Describe the initial due diligence test and indicate how third-party activities are regularly monitored. (b) Describe the bank's program for managing and monitoring risks of the outsourcing arrangements. | |
| | | 1.7 For critical activities, the bank has considered contingency plans, including availability of alternative external parties and costs and resources required to switch external parties. | None | |
| 2. Self-insure or retain operational risk | | 2.1 The bank's decision to retain or self-insure the risk is transparent within the organization and consistent with the bank's overall business strategy and risk appetite. | None | |
| 4. Disaster recovery and business continuity plans | SP (41) | 3.1 The bank is required to establish disaster recovery and business continuity plans that take into account different types of plausible scenarios to which the bank may be vulnerable, commensurate with the size and complexity of the bank's operations. | None | |
| | SP (42) | 3.2 The bank has identified critical business processes, including dependence on external vendors or third parties, for which rapid resumption of service would be most essential. | (a) Describe the bank's process for identifying critical business processes. | |
| | SP (43) | 3.3 The bank has identified alternative mechanisms for resuming service in the event of an outage. | None | |
| | | 3.4 The off-site facilities where back-ups of records are stored are an adequate distance away from the impacted operations. | (a) Identify the location of off-site facilities. | |
| | | 3.5 There is a periodic review of DRP/BCP to ensure consistency with the bank's current operations and business strategies. | (a) Describe the bank's process for reviewing DRP/BCP. | |
| | SP (44) | 3.6 Plans are tested periodically to ensure that the bank would be able to execute the plans in the unlikely event of a severe business disruption. | (a) Identify the frequency for testing plans. | |

Note: In addition to the BIS Sound Practices, institutions are required to comply with the "OSFI Guideline B-10: Outsourcing of Business Activities, Functions and Processes".



PROTECTED B WHEN COMPLETED

Rating Rationale
