Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria.


CONTROL ID: 12903
CONTROL TYPE: Business Processes
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk assessment program. (CC ID: 00687)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • the measures implemented by the institution or payment institution and by the service provider to manage and mitigate the risks. (4.12.2 66(d), Final Report on EBA Guidelines on outsourcing arrangements)
  • Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: (4.7 44, Final Report on EBA Guidelines on outsourcing arrangements)
  • the ability to oversee the service provider and to manage the risks; (4.7 44(b), Final Report on EBA Guidelines on outsourcing arrangements)
  • the performance of their business activities. (4.7 44(d), Final Report on EBA Guidelines on outsourcing arrangements)
  • the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology (fintech); (4.6 40(c), Final Report on EBA Guidelines on outsourcing arrangements)
  • Design a portfolio of transfer and risk financing instruments and approaches consistent with the organization’s risk decision-making criteria (risk appetite, tolerance, thresholds, and capacity). (A5.3 Design Transfer and Risk Financing Strategies, OCEG GRC Capability Model, v 3.0)
  • Large scale disruptive events that could affect the ability to service clients; (TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:1 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Significant downtime that would threaten the financial institution's business resiliency. (TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:1 Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Cyber events that could impact the ability to service clients; and (TIER I OBJECTIVES AND PROCEDURES BCP - Third-Party Management and Outsourced Activities Objective 9:1 Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)