OSFI B-10 — Third-Party Monitoring

    Overview

    Draft ongoing monitoring and incident management for third-party arrangements under OSFI B-10 (metrics, escalation, OSFI incident reporting).

    Getting Started

    Add your source materials to the project workspace, then activate the OSFI B-10 — Third-Party Monitoring skill. The agent will guide you through the process step by step.

    Example conversation

    You: We need to document our ongoing monitoring and incident management for third parties—metrics, escalation, and how we align with OSFI’s incident reporting.

    Agent: I’ll draft the monitoring and incident management procedures using the skill reference. I’ll document oversight of third-party providers (at arrangement and aggregate level, proportionate to risk and criticality); processes to confirm residual risk remains within risk appetite, with metrics and escalation triggers; third-party incident processes (identify, investigate, escalate, remediate, notify); contract provisions to support FRFI compliance with OSFI’s Technology and Cyber Security Incident Reporting Advisory; internal FRFI incident processes (accountabilities, escalation, tracking remediation); and root cause analysis and monitoring of remediation. I’ll align with B-10 Principles 10 and 11.

    Output excerpt

    Oversight of third-party provider — The FRFI monitors third-party arrangement(s) to ensure service is delivered in accordance with the agreement and the third party remains financially sound. Monitoring covers current and emerging risks, risk acceptances, and compliance with the FRFI’s risk policies and OSFI expectations. It is conducted at the arrangement level and at aggregate (business unit, segment, platform, enterprise) level; extent and frequency are proportionate to risk and criticality.

    Metrics and risk appetite — The FRFI establishes processes to confirm regularly that the residual risk of third-party arrangements (individually and in aggregate) remains within risk appetite. Metrics and thresholds are established and reported to alert Senior Management when a threshold is approached; triggers for the escalation process are defined.

    Incident management — Third parties have clearly defined, documented processes for identifying, investigating, escalating, remediating, and notifying the FRFI in a timely manner of incidents (including subcontractor incidents). Written agreements contain adequate provisions so the FRFI can comply with OSFI’s Technology and Cyber Security Incident Reporting Advisory. The FRFI has defined internal processes for managing, escalating, and tracking remediation of third-party incidents, with clear accountabilities and escalation triggers. Root cause analysis is performed and remediation is monitored.

    Extension and validation

    validate_third_party_monitoring — Validates the monitoring and incident management document for metrics and risk appetite, incident identification/escalation/remediation processes, and OSFI incident reporting (e.g. Technology and Cyber Security Incident Reporting Advisory). Flags missing content or placeholders. Run after drafting or updating monitoring procedures.
