Skip to main content

Recording a criticality assessment for your third party outsourcer

Learn how to record details of criticality assessments performed on any third party performing outsourced activities for your firm.

J
Written by Jack Smurthwaite
Updated over 3 years ago

Performing and evidencing criticality assessments are an important part of remaining compliant with SM&CR while relying on the services of a third party to perform business functions for your firm. Corterum can easily help you record these assessments.

Here's how:

  1. Click WORKBENCH and then click DATASETS.

  2. Then click SM&CR.

  3. Then choose Senior Managers Regime.

  4. Then click on Outsourcing.

  5. Then select Outsourced functions.

  6. A list of all third party providers for which you have recorded outsourced functions will appear.

  7. If a functions record has not yet been created, you would need to create a new one - see here for more details. Create this record, and then follow steps 8 onwards below.

  8. To add a criticality assessment to an existing record - click on the supplier you'd like to amend.

  9. A new pop-up window will appear.

  10. Scroll down to the Criticality assessment section.

  11. If you are editing an existing assessment and this section has been used previously, the button will say VIEW TABLE (click it and skip to Step 15 of this section). If this is the first time this section has been used, the button will say LINK TABLE.

  12. Click the button and a new pop-up will appear.

  13. This pop-up asks if you want to create a new dataset, or link to an existing one. If you have recorded this information elsewhere - in another reference request, click the Existing button and choose which dataset you want to link from the the list under Linked Entity. Otherwise, you'll need to create a new table dataset. Select New.

  14. Once you have chosen New or Existing, click CONFIRM to proceed or CANCEL to go back to the regulatory reference request record.

  15. A new pop-up box will appear.

  16. You can give a descriptive name to this dataset under Dataset description, and then choose the name of the third party from the dropdown list next to Criticality assessment. NB - if the business which is providing the outsourced function doesn't appear in this list, you'll need to create it as a Business Entity first - here's how).

  17. If this is a blank table, with no information in it currently, skip to step 18. Otherwise if there is already information here you can update an existing row here by clicking the EDIT button, or add a new additional information request for the same person here by clicking ADD ROW, and following the steps below.

  18. In this table dataset (reading from left to right) you can:

    1. Choose the Function for which you are performing a criticality assessment by selecting from the drop down list.

    2. If you have selected 'Other' in point a above, use the text box under Function (if other) to record which function you're recording a criticality assessment for.

    3. Use the dropdown box under Critical or important function? to confirm if the function is critical or important.

    4. Use the dropdown box under Material outsourcing? to confirm if the function is of material importance to the ongoing compliance with the Principles of Business.

    5. If your firm is an authorised payment institution or an authorised electronic money institution, you can use the dropdown box under Outsourcing of important operational function? to confirm if the function is important.

    6. Use the dropdown box under Regulated activity? to confirm if the function being outsourced is regulated activity or not.

    7. Use the dropdown box under Function supports time-critical business operations? to record if this is true or not.

    8. Use the text box under Time-critical business operations to record the details of these operations (if you answered 'yes' in point g above).

    9. Use the dropdown under Financial impact to record the level of potential financial risk associated with outsourcing this function (from Very low to Very high).

    10. Use the dropdown under Reputational impact to record the level of potential reputation risk associated with outsourcing this function (from Very low to Very high).

    11. Use the dropdown under Regulatory impact to record the level of potential regulatory risk associated with outsourcing this function (from Very low to Very high).

    12. Use the dropdown under Impact on clients to record the levels of potential risk to clients associated with outsourcing this function (from Very low to Very high).

    13. Use the text box under Summary of conclusions to record the details of the conclusions that you as a firm have reached on the criticality of this outsourced function.

    14. Use the dropdown box under Assessment performed by to choose which person within your firm conducted this assessment.

    15. Use the date picker under Date of last assessment to record the date of this assessment.

    16. Finally, you can use the button under the Documents section to upload any necessary supporting documents.

  19. Once done, if you need to add another criticality assessment, click ADD ROW and repeat the steps under point 18 above.

  20. Finally, click SAVE and then CLOSE.

Did this answer your question?