The undertaking should have a risk management policy which outlines how the risk management system is integrated into the organisational structure and decision-making processes of the undertaking.
An onboarding process is in place to ensure third parties are effectively integrated, understand the organization’s requirements, and have the necessary access and information to perform their services.
A robust due diligence process for sourcing and selecting third parties is in place with a documented and approved business case or other relevant document describing and justifying the need for and nature of the relationship with the third party.
The undertaking should have processes to identify, analyse and report on operational risk events.
Capital assessment and capital setting processes are robust, transparent, efficient and proportionate to the nature, scale and complexity of the risk profile.
A cybersecurity risk assessment is performed and documented periodically to identify, analyze, and evaluate cybersecurity risks, including emerging threats.
Processes are established for granting, modifying, and revoking access to information assets, ensuring access is authorized and based on the principle of least privilege.
Business continuity and disaster recovery plans addressing cybersecurity scenarios are established, maintained, and tested to ensure the recovery of critical business processes and systems.
Performance and risks are monitored continuously throughout the third-party lifecycle to ensure compliance with contractual agreements and service level agreements (SLAs).