A critical third party must manage effectively risks to its ability to deliver a systemic third party service including by:
- (1)
identifying and monitoring relevant external and internal risks;
- (2)
ensuring that it has in place risk management processes that are effective at managing those risks; and
- (3)
regularly updating its risk management processes to reflect issues arising and lessons learned from:
- (a)
- (b)
engagement with the regulators;
- (c)
new and emerging risks; and
- (d)
any associated testing and exercising, including but not limited to that carried out in accordance with CTPS 5 (Assurance, scenario testing and incident management playbook).