This chapter contains a Regulatory Audit Checklist aligned to Bangko Sentral ng Pilipinas (BSP) Circular No. 1203 (Series of 2024) — Guidelines on Operational Resilience for BSP-Supervised Financial Institutions (BSFIs).
This checklist is structured to support internal audit, regulatory review, and supervisory readiness, aligned to BSP 1203’s emphasis on:
- Tolerance for Disruption [Impact Tolerance]
- End-to-End Mapping
- Scenario Testing (Severe but Plausible Scenarios)
- Governance and Accountability
- Continuous Improvement
It follows the Plan → Implement → Test → Improve lifecycle and is compatible with BCM Institute's OR Planning methodology.
| Audit Area | Audit Checklist Questions | BSP 1203 Focus | Evidence Required | Rating |
|---|---|---|---|---|
| Board Oversight | Has the Board approved the Operational Resilience framework? | Governance | Board minutes, OR policy | |
| Senior Management Accountability | Is senior management accountable for the resilience of critical operations? | Governance | Job descriptions, governance papers | |
| Resilience Strategy | Is there a documented OR strategy aligned to business objectives? | Governance | Strategy documents | |
| Three Lines of Defence | Are roles clearly defined across 3LOD? | Governance | Org charts, RACI | |
| Integration | Is OR integrated with ORM, BCM, IT, and TPRM? | Governance | Framework documents | |
| Audit Area | Audit Checklist Questions | BSP 1203 Focus | Evidence Required | Rating |
|---|---|---|---|---|
| Identification | Has the institution identified its Critical Operations / CBS? | Critical Operations | CBS inventory | |
| Criteria | Are the criteria defined (customer impact, systemic importance, regulatory obligations)? | Critical Operations | Methodology documents | |
| Customer Perspective | Are services defined from an external (customer outcome) perspective? | Critical Operations | CBS definitions | |
| Approval | Are CBS approved by senior management/Board? | Governance | Approval records | |
| Review | Are CBS periodically reviewed and updated? | Governance | Review logs | |
| Audit Area | Audit Checklist Questions | BSP 1203 Focus | Evidence Required | Rating |
|---|---|---|---|---|
| End-to-End Mapping | Are CBS mapped end-to-end (processes, systems, people)? | Mapping | Process maps | |
| Dependency Identification | Are dependencies (people, process, technology, third parties) identified? | Mapping | Dependency tables | |
| Interconnections | Are internal and external interconnections clearly documented? | Mapping | Architecture diagrams | |
| Third-Party Mapping | Are third parties mapped to specific CBS? | Third-Party Risk | Vendor mapping | |
| Concentration Risk | Are concentration risks and single points of failure identified? | Risk Management | Risk assessments | |
| Updates | Are mappings updated after changes (outsourcing, system changes)? | Governance | Change logs | |
| Audit Area | Audit Checklist Questions | BSP 1203 Focus | Evidence Required | Rating |
|---|---|---|---|---|
| Definition | Has impact tolerance been defined for each CBS? | Impact Tolerance | Impact tolerance statements | |
| Metrics | Are tolerances defined using measurable metrics (e.g., time, data loss)? | Impact Tolerance | BIA outputs | |
| Impact Dimensions | Are tolerances based on customer harm, financial loss, or regulatory breach? | Impact Tolerance | Impact analysis | |
| Approval | Are tolerances approved by senior management/Board? | Governance | Approval records | |
| Alignment | Are tolerances aligned with risk appetite? | Risk Management | Risk appetite statements | |
| Audit Area | Audit Checklist Questions | BSP 1203 Focus | Evidence Required | Rating |
|---|---|---|---|---|
| Risk Framework | Is there an operational risk management framework supporting OR? | Risk Management | ORM policy | |
| Risk Identification | Are risks identified across CBS and dependencies? | Risk Management | Risk registers | |
| Risk Assessment | Are risks assessed for likelihood and impact? | Risk Management | Risk assessment reports | |
| Controls | Are controls implemented to mitigate risks? | Risk Management | Control matrices | |
| Residual Risk | Are residual risks monitored against risk appetite? | Risk Management | Risk dashboards | |
| Audit Area | Audit Checklist Questions | BSP 1203 Focus | Evidence Required | Rating |
|---|---|---|---|---|
| Testing Programme | Is there a structured scenario testing programme? | Scenario Testing | Testing plan / calendar | |
| Scenario Design | Are scenarios severe but plausible? | Scenario Testing | Scenario library | |
| Coverage | Do scenarios cover cyber, third-party, and operational disruptions? | Scenario Testing | Scenario documentation | |
| End-to-End Testing | Are CBS tested end-to-end against impact tolerances? | Scenario Testing | Test reports | |
| Third-Party Inclusion | Are third parties included in tests? | Third-Party Risk | Participation records | |
| Outcome Analysis | Are results analysed against impact tolerances? | Scenario Testing | Test evaluation reports | |
| Remediation | Are gaps identified and remediation tracked? | Improvement | Action logs | |
| Audit Area | Audit Checklist Questions | BSP 1203 Focus | Evidence Required | Rating |
|---|---|---|---|---|
| BCM Framework | Is there a BCM framework aligned to OR? | BCM | BCM policy | |
| Recovery Strategies | Are recovery strategies defined for CBS? | BCM | Strategy documents | |
| Recovery Plans | Are plans documented and maintained? | BCM | BCPs, DRPs | |
| Resource Availability | Are recovery resources (people, systems, sites) available? | BCM | Resource inventories | |
| Testing | Are recovery plans regularly tested? | BCM | Test reports | |
| Audit Area | Audit Checklist Questions | BSP 1203 Focus | Evidence Required | Rating |
|---|---|---|---|---|
| System Resilience | Are systems designed for resilience (redundancy, failover)? | Technology Risk | Architecture diagrams | |
| Cyber Resilience | Are cyber risks integrated into the OR framework? | Technology Risk | Cyber frameworks | |
| Incident Response | Is there a cyber incident response capability? | Technology Risk | IR plans | |
| Monitoring | Are systems monitored for disruptions and threats? | Technology Risk | Monitoring dashboards | |
| Data Protection | Are data backup and recovery mechanisms implemented? | Technology Risk | Backup logs | |
| Audit Area | Audit Checklist Questions | BSP 1203 Focus | Evidence Required | Rating |
|---|---|---|---|---|
| Identification | Are critical third parties identified? | Third-Party Risk | Vendor inventory | |
| Due Diligence | Are risk assessments conducted before onboarding? | Third-Party Risk | DD reports | |
| Contractual Controls | Are resilience clauses included in contracts? | Third-Party Risk | Contracts | |
| Monitoring | Are third-party risks continuously monitored? | Third-Party Risk | Performance reports | |
| Exit Strategy | Are exit/contingency plans defined? | Third-Party Risk | Exit plans | |
| Subcontracting Risk | Are subcontractor risks assessed? | Third-Party Risk | Vendor disclosures | |
| Audit Area | Audit Checklist Questions | BSP 1203 Focus | Evidence Required | Rating |
|---|---|---|---|---|
| Incident Framework | Is there a formal incident management framework? | Incident Management | Incident procedures | |
| Escalation | Are escalation thresholds defined? | Incident Management | Escalation matrix | |
| Crisis Structure | Is there a crisis management team and structure? | Crisis Management | Org charts | |
| Communication | Are communication protocols defined (internal/external)? | Crisis Management | Communication plans | |
| Regulatory Reporting | Are BSP notification requirements defined? | Governance | Reporting procedures | |
| Lessons Learned | Are post-incident reviews conducted? | Improvement | Review reports | |
| Audit Area | Audit Checklist Questions | BSP 1203 Focus | Evidence Required | Rating |
|---|---|---|---|---|
| Improvement Framework | Is there a structured improvement process? | Continuous Improvement | Improvement logs | |
| Audit and Assurance | Is OR subject to an independent audit? | Assurance | Audit reports | |
| Metrics | Are resilience metrics (KPIs/KRIs) tracked? | Monitoring | Dashboards | |
| Issue Tracking | Are issues tracked to closure? | Monitoring | Issue logs | |
| Regulatory Alignment | Are frameworks reviewed against BSP updates? | Governance | Gap analysis | |
| Audit Area | Audit Checklist Questions | BSP 1203 Focus | Evidence Required | Rating |
|---|---|---|---|---|
| Change Management | Is there a formal change management process? | Governance | Change policies | |
| Risk Assessment | Are changes assessed for resilience impact? | Risk Management | Change risk assessments | |
| New Initiatives | Are resilience considerations embedded in new products/services? | Governance | Product approval docs | |
| Emerging Risks | Are emerging risks (cyber, fintech, geopolitical) assessed? | Risk Management | Risk reports | |
| Resilience Roadmap | Is there a forward-looking OR roadmap? | Strategy | Roadmap documents | |
For each question, assign:
This BSP 1203-aligned checklist enables BSFIs to: