• Audit and Independent Review

    • OM-4.8.9

      The internal audit function of a licensee or its external auditor must conduct periodic reviews of the BCP to determine whether the plan remains realistic and relevant, and whether it adheres to the policies and standards of the licensee. This review must include assessing:

      (a) The adequacy of business process identification;
      (b) Threat scenario development;
      (c) Business impact analysis and risk assessments;
      (d) The written plan;
      (e) Testing scenarios and schedules; and
      (f) Communication of test results and recommendations to the Board.

      January 2014

    • OM-4.8.10

      Significant findings must be brought to the attention of the Board and senior management within three months of the completion of the review. Furthermore, senior management and the Board must ensure that any gaps or shortcomings reported to them are addressed in an appropriate and timely manner.

      January 2014