3.1. Identification of critical services and assessment of criticality
Financial institutions are primarily responsible for and usually best placed to assess the criticality of services they receive or plan to receive [As noted in Chapter 4, financial authorities may review financial institutions' risk management of critical services as part of their supervisory and regulatory responsibilities, including review of the identification of critical services.]. Critical services provided to one financial institution may not necessarily be critical to another. An effective risk-based framework for monitoring and mitigation of risks associated with third-party service relationships benefits from identifying the criticality of services at inception and periodically throughout the service lifecycle. Section 3.1 sets out a range of tools that could help financial institutions identify critical services in a way that balances consistency and flexibility, and can be incorporated into financial institutions' existing policies and practices, as appropriate.
Promoting a common framework for the identification of critical services can promote consistency and comparability and be beneficial to both financial institutions' and financial authorities' objectives of proportionate and effective risk management. It can also facilitate the identification of systemic third-party dependencies by financial authorities. Consistency and comparability can also be beneficial to service providers, providing more predictability in their engagements with different financial institutions.