Regulatory Audit Checklist
BSP Circular 1203 (Operational Resilience)
This chapter contains a Regulatory Audit Checklist aligned to Bangko Sentral ng Pilipinas (BSP) Circular No. 1203 (Series of 2024) — Guidelines on Operational Resilience for BSP-Supervised Financial Institutions (BSFIs).
This checklist is structured to support internal audit, regulatory review, and supervisory readiness, aligned to BSP 1203’s emphasis on:
-
![[OR][BSP Guidelines] Key Implementation and Components](https://no-cache.hubspot.com/cta/default/3893111/cceda0e6-1ccc-48c6-8ecc-682910430f1a.png)
Critical Operations [Critical Business Services (CBS)] -
Tolerance for Disruption [Impact Tolerance]
-
End-to-End Mapping
-
Scenario Testing (Severe but Plausible Scenarios)
-
Governance and Accountability
-
Continuous Improvement
It follows your Plan → Implement → Test → Improve lifecycle and is compatible with BCM Institute's OR Planning methodology
Section 1. Governance, Oversight, and Accountability
|
Audit Area |
Audit Checklist Questions |
BSP 1203 Focus |
Evidence Required |
Rating |
|
Board Oversight |
Has the Board approved the Operational Resilience framework? |
Governance |
Board minutes, OR policy |
|
|
Senior Management Accountability |
Is senior management accountable for the resilience of critical operations? |
Governance |
Job descriptions, governance papers |
|
|
Resilience Strategy |
Is there a documented OR strategy aligned to business objectives? |
Governance |
Strategy documents |
|
|
Three Lines of Defence |
Are roles clearly defined across 3LOD? |
Governance |
Org charts, RACI |
|
|
Integration |
Is OR integrated with ORM, BCM, IT, and TPRM? |
Governance |
Framework documents |
|
Section 2. Identification of Critical Operations
|
Audit Area |
Audit Checklist Questions |
BSP 1203 Focus |
Evidence Required |
Rating |
|
Identification |
Has the institution identified its Critical Operations / CBS? |
Critical Operations |
CBS inventory |
|
|
Criteria |
Are the criteria defined (customer impact, systemic importance, regulatory obligations)? |
Critical Operations |
Methodology documents |
|
|
Customer Perspective |
Are services defined from an external (customer outcome) perspective? |
Critical Operations |
CBS definitions |
|
|
Approval |
Are CBS approved by senior management/Board? |
Governance |
Approval records |
|
|
Review |
Are CBS periodically reviewed and updated? |
Governance |
Review logs |
|
Section 3. Mapping of Interconnections and Dependencies
|
Audit Area |
Audit Checklist Questions |
BSP 1203 Focus |
Evidence Required |
Rating |
|
End-to-End Mapping |
Are CBS mapped end-to-end (processes, systems, people)? |
Mapping |
Process maps |
|
|
Dependency Identification |
Are dependencies (people, process, technology, third parties) identified? |
Mapping |
Dependency tables |
|
|
Interconnections |
Are internal and external interconnections clearly documented? |
Mapping |
Architecture diagrams |
|
|
Third-Party Mapping |
Are third parties mapped to specific CBS? |
Third-Party Risk |
Vendor mapping |
|
|
Concentration Risk |
Are concentration risks and single points of failure identified? |
Risk Management |
Risk assessments |
|
|
Updates |
Are mappings updated after changes (outsourcing, system changes)? |
Governance |
Change logs |
|
Section 4. Tolerance for Disruption [Impact Tolerance]
|
Audit Area |
Audit Checklist Questions |
BSP 1203 Focus |
Evidence Required |
Rating |
|
Definition |
Has impact tolerance been defined for each CBS? |
Impact Tolerance |
Impact tolerance statements |
|
|
Metrics |
Are tolerances defined using measurable metrics (e.g., time, data loss)? |
Impact Tolerance |
BIA outputs |
|
|
Impact Dimensions |
Are tolerances based on customer harm, financial loss, or regulatory breach? |
Impact Tolerance |
Impact analysis |
|
|
Approval |
Are tolerances approved by senior management/Board? |
Governance |
Approval records |
|
|
Alignment |
Are tolerances aligned with risk appetite? |
Risk Management |
Risk appetite statements |
|
Section 5. Risk Identification, Assessment, and Control (ORM Integration)
|
Audit Area |
Audit Checklist Questions |
BSP 1203 Focus |
Evidence Required |
Rating |
|
Risk Framework |
Is there an operational risk management framework supporting OR? |
Risk Management |
ORM policy |
|
|
Risk Identification |
Are risks identified across CBS and dependencies? |
Risk Management |
Risk registers |
|
|
Risk Assessment |
Are risks assessed for likelihood and impact? |
Risk Management |
Risk assessment reports |
|
|
Controls |
Are controls implemented to mitigate risks? |
Risk Management |
Control matrices |
|
|
Residual Risk |
Are residual risks monitored against risk appetite? |
Risk Management |
Risk dashboards |
|
Section 6. Scenario Testing – Severe but Plausible Scenarios
|
Audit Area |
Audit Checklist Questions |
BSP 1203 Focus |
Evidence Required |
Rating |
|
Testing Programme |
Is there a structured scenario testing programme? |
Scenario Testing |
Testing plan/ calendar |
|
|
Scenario Design |
Are scenarios severe but plausible? |
Scenario Testing |
Scenario library |
|
|
Coverage |
Do scenarios cover cyber, third-party, and operational disruptions? |
Scenario Testing |
Scenario documentation |
|
|
End-to-End Testing |
Are CBS tested end-to-end against impact tolerances? |
Scenario Testing |
Test reports |
|
|
Third-Party Inclusion |
Are third parties included in tests? |
Third-Party Risk |
Participation records |
|
|
Outcome Analysis |
Are results analysed against impact tolerances? |
Scenario Testing |
Test evaluation reports |
|
|
Remediation |
Are gaps identified and remediation tracked? |
Improvement |
Action logs |
|
Section 7. Business Continuity and Recovery Capabilities
|
Audit Area |
Audit Checklist Questions |
BSP 1203 Focus |
Evidence Required |
Rating |
|
BCM Framework |
Is there a BCM framework aligned to OR? |
BCM |
BCM policy |
|
|
Recovery Strategies |
Are recovery strategies defined for CBS? |
BCM |
Strategy documents |
|
|
Recovery Plans |
Are plans documented and maintained? |
BCM |
BCPs, DRPs |
|
|
Resource Availability |
Are recovery resources (people, systems, sites) available? |
BCM |
Resource inventories |
|
|
Testing |
Are recovery plans regularly tested? |
BCM |
Test reports |
|
Section 8. Technology and Cyber Resilience
|
Audit Area |
Audit Checklist Questions |
BSP 1203 Focus |
Evidence Required |
Rating |
|
System Resilience |
Are systems designed for resilience (redundancy, failover)? |
Technology Risk |
Architecture diagrams |
|
|
Cyber Resilience |
Are cyber risks integrated into the OR framework? |
Technology Risk |
Cyber frameworks |
|
|
Incident Response |
Is there a cyber incident response capability? |
Technology Risk |
IR plans |
|
|
Monitoring |
Are systems monitored for disruptions and threats? |
Technology Risk |
Monitoring dashboards |
|
|
Data Protection |
Are data backup and recovery mechanisms implemented? |
Technology Risk |
Backup logs |
|
Section 9. Third-Party Risk Management
|
Audit Area |
Audit Checklist Questions |
BSP 1203 Focus |
Evidence Required |
Rating |
|
Identification |
Are critical third parties identified? |
Third-Party Risk |
Vendor inventory |
|
|
Due Diligence |
Are risk assessments conducted before onboarding? |
Third-Party Risk |
DD reports |
|
|
Contractual Controls |
Are resilience clauses included in contracts? |
Third-Party Risk |
Contracts |
|
|
Monitoring |
Are third-party risks continuously monitored? |
Third-Party Risk |
Performance reports |
|
|
Exit Strategy |
Are exit/contingency plans defined? |
Third-Party Risk |
Exit plans |
|
|
Subcontracting Risk |
Are subcontractor risks assessed? |
Third-Party Risk |
Vendor disclosures |
|
Section 10. Incident and Crisis Management
|
Audit Area |
Audit Checklist Questions |
BSP 1203 Focus |
Evidence Required |
Rating |
|
Incident Framework |
Is there a formal incident management framework? |
Incident Management |
Incident procedures |
|
|
Escalation |
Are escalation thresholds defined? |
Incident Management |
Escalation matrix |
|
|
Crisis Structure |
Is there a crisis management team and structure? |
Crisis Management |
Org charts |
|
|
Communication |
Are communication protocols defined (internal/external)? |
Crisis Management |
Communication plans |
|
|
Regulatory Reporting |
Are BSP notification requirements defined? |
Governance |
Reporting procedures |
|
|
Lessons Learned |
Are post-incident reviews conducted? |
Improvement |
Review reports |
|
Section 11. Continuous Improvement and Assurance
|
Audit Area |
Audit Checklist Questions |
BSP 1203 Focus |
Evidence Required |
Rating |
|
Improvement Framework |
Is there a structured improvement process? |
Continuous Improvement |
Improvement logs |
|
|
Audit and Assurance |
Is OR subject to an independent audit? |
Assurance |
Audit reports |
|
|
Metrics |
Are resilience metrics (KPIs/KRIs) tracked? |
Monitoring |
Dashboards |
|
|
Issue Tracking |
Are issues tracked to closure? |
Monitoring |
Issue logs |
|
|
Regulatory Alignment |
Are frameworks reviewed against BSP updates? |
Governance |
Gap analysis |
|
Section 12. Change Management and Forward-Looking Resilience
|
Audit Area |
Audit Checklist Questions |
BSP 1203 Focus |
Evidence Required |
Rating |
|
Change Management |
Is there a formal change management process? |
Governance |
Change policies |
|
|
Risk Assessment |
Are changes assessed for resilience impact? |
Risk Management |
Change risk assessments |
|
|
New Initiatives |
Are resilience considerations embedded in new products/services? |
Governance |
Product approval docs |
|
|
Emerging Risks |
Are emerging risks (cyber, fintech, geopolitical) assessed? |
Risk Management |
Risk reports |
|
|
Resilience Roadmap |
Is there a forward-looking OR roadmap? |
Strategy |
Roadmap documents |
|
Scoring and Audit Interpretation
Rating Scale
For each question, assign:
Level 0: Ad-hoc: Reactive, unstructured processes. Non-Compliant - Level 1: Reactive: Basic frameworks with sporadic execution. (Documented but inconsistent)
- Level 2: Proactive: Formal policies and dedicated teams. (Documented)
- Level 3: Mature: Anticipatory risk management. (Consistent execution)
- Level 4: Advanced: Integrated, data-driven strategies. (Measured and monitored)
- Level 5: Leading: Predictive analytics and automation. (Continuous improvement and leading practice)
- Level 6: Excellence: Industry leadership through innovation.
Audit Outcome Categories
- Regulatory Gap (L0–L2): Immediate remediation required
- Compliant (L3-L4): Meets MAS minimum expectations
- Mature (L5–L6): Demonstrates strong resilience capability
Key Takeaways (Aligned to BSP Direction)
This BSP 1203-aligned checklist enables BSFIs to:
- Demonstrate compliance with BSP operational resilience expectations
- Validate end-to-end resilience of Critical Operations
- Strengthen scenario testing and tolerance for disruption alignment
- Transition from traditional BCM → integrated operational resilience capability
More Information About Blended Learning OR-5000 [BL-OR-5] or OR-300 [BL-OR-3]
To learn more about the course and schedule, click the buttons below for the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.
![[BL-OR] [3-4-5] View Schedule](https://no-cache.hubspot.com/cta/default/3893111/d0d733a1-16c0-4b68-a26d-adbfd4fc6069.png)
![[BL-OR] [3] FAQ OR-300](https://no-cache.hubspot.com/cta/default/3893111/f20c71b4-f5e8-4aa5-8056-c374ca33a091.png)
![Email to Sales Team [BCM Institute]](https://no-cache.hubspot.com/cta/default/3893111/3c53daeb-2836-4843-b0e0-645baee2ab9e.png)
