# OSFI B-10 — Third-Party Monitoring

> Draft ongoing monitoring and incident management for third-party arrangements under OSFI B-10 (metrics, escalation, OSFI incident reporting).



Tags: Canada, OSFI, B-10, Third-party risk, Monitoring, FRFI


## Example Prompts

- Draft our third-party monitoring and incident management procedures for B-10
- Document metrics and escalation for third-party risk
- Create incident management process aligned with OSFI incident reporting

URL: https://rakenne.app/skills/osfi-b10-third-party-monitoring/index.md



## Getting Started

Add your source materials to the project workspace, then activate the *OSFI B-10 — Third-Party Monitoring* skill. The agent will guide you through the process step by step.

## Example conversation

**You:** We need to document our ongoing monitoring and incident management for third parties—metrics, escalation, and how we align with OSFI's incident reporting.

**Agent:** I'll draft the monitoring and incident management procedures using the skill reference. I'll document oversight of third-party providers (at arrangement and aggregate level, proportionate to risk and criticality); processes to confirm residual risk remains within risk appetite, with metrics and escalation triggers; third-party incident processes (identify, investigate, escalate, remediate, notify); contract provisions to support FRFI compliance with the OSFI Technology and Cyber Security Incident Reporting Advisory; internal FRFI incident processes (accountabilities, escalation, tracking remediation); and root cause analysis and monitoring of remediation. I'll align with B-10 Principles 10 and 11.

## Output excerpt

**Oversight of third-party provider** — The FRFI monitors third-party arrangement(s) to ensure service is delivered in accordance with the agreement and the third party remains financially sound. Monitoring covers current and emerging risks, risk acceptances, and compliance with the FRFI's risk policies and OSFI expectations. It is conducted at the arrangement level and at aggregate (business unit, segment, platform, enterprise) level; extent and frequency are proportionate to risk and criticality.

**Metrics and risk appetite** — The FRFI establishes processes to confirm regularly that the residual risk of third-party arrangements (individually and in aggregate) remains within risk appetite. Metrics and thresholds are established and reported to alert Senior Management when a threshold is approached; triggers for the escalation process are defined.

**Incident management** — Third parties have clearly defined, documented processes for identifying, investigating, escalating, remediating, and notifying the FRFI in a timely manner of incidents (including subcontractor incidents). Written agreements contain adequate provisions so the FRFI can comply with OSFI's Technology and Cyber Security Incident Reporting Advisory. The FRFI has defined internal processes for managing, escalating, and tracking remediation of third-party incidents, with clear accountabilities and escalation triggers. Root cause analysis is performed and remediation is monitored.

## Extension and validation

**validate_third_party_monitoring** — Validates the monitoring and incident management document for metrics and risk appetite, incident identification/escalation/remediation processes, and OSFI incident reporting (e.g. Technology and Cyber Security Incident Reporting Advisory). Flags missing content or placeholders. Run after drafting or updating monitoring procedures.


