This chapter contains a regulatory audit checklist mapped to MAS BCM, TRM, and ORM guidelines:

- MAS Business Continuity Management (BCM) Guidelines (2022)
- MAS Technology Risk Management (TRM) Guidelines
- MAS Operational Risk Management (ORM) Guidelines
- Achieving Operational Resilience for Financial Institutions in Singapore
The checklist is structured for audit, compliance validation, and supervisory readiness, aligned to your Plan → Implement → Test → Improve lifecycle and MAS’s service-centric resilience model.
| Audit Area | Audit Checklist Questions | MAS Reference | Evidence Required | Rating |
|---|---|---|---|---|
| Board Oversight | Has the Board approved the BCM/Operational Resilience framework? | BCM | Board minutes, policy documents | |
| Governance Structure | Are roles defined across 3 Lines of Defence? | ORM | Org structure, RACI matrix | |
| Risk Appetite | Is operational risk appetite defined and approved? | ORM | Risk appetite statement | |
| Reporting | Are resilience metrics regularly reported to senior management? | BCM / ORM | MI reports, dashboards | |
| Accountability | Is senior management accountable for resilience outcomes? | BCM | Job descriptions, governance papers | |

| Audit Area | Audit Checklist Questions | MAS Reference | Evidence Required | Rating |
|---|---|---|---|---|
| CBS Definition | Are Critical Business Services formally identified? | OR Framework | CBS inventory | |
| Service-Centric Approach | Are CBS defined based on customer outcomes? | OR Framework | Service definitions | |
| Approval | Are CBS approved by senior management/Board? | BCM | Approval records | |
| Review | Are CBS reviewed periodically? | BCM | Review logs | |
| Coverage | Are all critical operations mapped to CBS? | BCM / ORM | Mapping documents | |

| Audit Area | Audit Checklist Questions | MAS Reference | Evidence Required | Rating |
|---|---|---|---|---|
| End-to-End Mapping | Are CBS mapped end-to-end across processes and systems? | BCM | Process maps | |
| Dependency Identification | Are dependencies (people, process, technology, third-party) identified? | BCM / TRM | Dependency mapping tables | |
| Single Points of Failure | Are SPOFs identified and mitigated? | TRM | Risk assessments, mitigation plans | |
| Third-Party Mapping | Are third-party dependencies linked to CBS? | TRM / Outsourcing | Vendor mapping | |
| Update Process | Is the mapping updated after changes? | ORM | Change management logs | |

| Audit Area | Audit Checklist Questions | MAS Reference | Evidence Required | Rating |
|---|---|---|---|---|
| Recovery Objectives | Are SRTO/RTO defined for all CBS? | BCM | BIA reports | |
| Data Recovery | Are RPO/data loss tolerances defined? | TRM | DR plans | |
| Impact Criteria | Are tolerances based on customer, regulatory, and financial impact? | BCM | Impact analysis | |
| Approval | Are tolerances approved by senior management? | BCM | Approval records | |
| Realism | Are tolerances tested and validated? | BCM | Test results | |

| Audit Area | Audit Checklist Questions | MAS Reference | Evidence Required | Rating |
|---|---|---|---|---|
| Risk Framework | Is there a formal ORM framework? | ORM | ORM policy | |
| Risk Identification | Are risks identified across all business units? | ORM | Risk registers | |
| RCSA | Are Risk & Control Self-Assessments conducted? | ORM | RCSA outputs | |
| KRIs | Are Key Risk Indicators defined and monitored? | ORM | KRI dashboards | |
| Risk Treatment | Are mitigation plans implemented and tracked? | ORM | Action plans | |
| Incident Integration | Are incidents fed into risk assessments? | ORM | Incident logs | |

| Audit Area | Audit Checklist Questions | MAS Reference | Evidence Required | Rating |
|---|---|---|---|---|
| System Resilience | Are systems designed with redundancy and failover? | TRM | Architecture diagrams | |
| Cyber Resilience | Are cyber resilience measures integrated? | TRM | Security frameworks | |
| Monitoring | Are systems monitored for availability and threats? | TRM | Monitoring dashboards | |
| Incident Response | Is there a cyber incident response plan? | TRM | IR plans, playbooks | |
| Cloud Risk | Are cloud services assessed for resilience risks? | TRM | Cloud risk assessments | |
| Access Controls | Are controls implemented for system access? | TRM | Access logs, IAM policies | |

| Audit Area | Audit Checklist Questions | MAS Reference | Evidence Required | Rating |
|---|---|---|---|---|
| Vendor Identification | Are critical third parties identified? | TRM / Outsourcing | Vendor inventory | |
| Due Diligence | Is due diligence conducted before onboarding? | TRM | DD reports | |
| Contractual Controls | Are resilience requirements included in SLAs? | TRM | Contracts | |
| Monitoring | Are third-party risks continuously monitored? | TRM | Performance reports | |
| Exit Strategy | Are exit/contingency plans defined? | TRM | Exit plans | |
| Concentration Risk | Is vendor concentration risk assessed? | ORM | Risk analysis | |

| Audit Area | Audit Checklist Questions | MAS Reference | Evidence Required | Rating |
|---|---|---|---|---|
| Testing Programme | Is there a structured testing programme? | BCM | Testing calendar | |
| Scenario Design | Are scenarios severe but plausible? | BCM / TRM | Scenario library | |
| End-to-End Testing | Are CBS tests end-to-end? | OR Framework | Test reports | |
| Third-Party Inclusion | Are vendors included in tests? | TRM | Test participation records | |
| Results Tracking | Are results documented and tracked? | BCM | Test reports | |
| Improvement Actions | Are lessons learned implemented? | BCM | Action logs | |

| Audit Area | Audit Checklist Questions | MAS Reference | Evidence Required | Rating |
|---|---|---|---|---|
| Incident Framework | Is there a formal incident management framework? | ORM | Incident procedures | |
| Escalation | Are escalation thresholds defined? | BCM | Escalation matrix | |
| Crisis Structure | Is there a crisis management team? | BCM | Crisis org chart | |
| Communication | Are communication protocols defined? | BCM | Communication plans | |
| Regulatory Reporting | Are MAS notification requirements defined? | BCM | Reporting procedures | |
| Post-Incident Review | Are lessons learned captured? | ORM | Review reports | |

| Audit Area | Audit Checklist Questions | MAS Reference | Evidence Required | Rating |
|---|---|---|---|---|
| Training Programme | Is there a formal BCM/training programme? | BCM | Training records | |
| Role-Based Training | Are staff trained according to roles? | BCM | Training matrix | |
| Awareness | Are awareness campaigns conducted? | BCM | Campaign materials | |
| Leadership Engagement | Is leadership actively promoting resilience? | BCM | Leadership communications | |
| Exercise Participation | Do staff participate in exercises? | BCM | Attendance records | |

| Audit Area | Audit Checklist Questions | MAS Reference | Evidence Required | Rating |
|---|---|---|---|---|
| Continuous Improvement | Is there a structured improvement process? | BCM | Improvement logs | |
| Audit Function | Is there an independent audit/assurance? | ORM | Audit reports | |
| KPI/KRI Monitoring | Are resilience metrics tracked? | ORM | Dashboards | |
| Regulatory Alignment | Are frameworks reviewed against MAS updates? | BCM / ORM | Gap analysis reports | |
| Issue Tracking | Are issues tracked to closure? | ORM | Issue logs | |

| Audit Area | Audit Checklist Questions | MAS Reference | Evidence Required | Rating |
|---|---|---|---|---|
| Change Framework | Is there a formal change management process? | ORM | Change policies | |
| Risk Assessment | Are changes assessed for operational risk impact? | ORM | Change risk assessments | |
| New Initiatives | Are resilience requirements embedded in new products? | BCM | Product approval documents | |
| Emerging Risks | Are emerging risks considered (AI, cyber, geopolitical)? | ORM | Risk reports | |
| Roadmap | Is there a forward-looking resilience roadmap? | BCM | Strategy documents | |

For each question, assign:
This MAS-aligned audit checklist enables banks to:
To learn more about the course and schedule, see the OR-3 Blended Learning OR-300 Operational Resilience Implementer course and the OR-5 Blended Learning OR-5000 Operational Resilience Expert Implementer course.