The Central Bank’s programme of work in relation to outsourcing is illustrated below and includes its latest publication in December 2021: “Cross-Industry Guidance on Outsourcing” (Guidance), following its February 2021 Consultation (CP138).
The Guidance recognises that outsourced service providers (OSPs), including both intragroup entities and third party OSPs, both regulated and unregulated, support the provision of activities and services considered central to the successful delivery of the RFSP’s strategic objectives. The Guidance also notes that the changing landscape for the provision of financial services is leading to new service delivery models such as strategic partnering, cross-industry shared service centres, staff sharing and extensive sub-outsourcing. The development and use of these new models to deliver critical and important services or functions by RFSPs will be regarded as outsourcing and as such, RFSPs will be expected to apply the Guidance.
The Guidance is being introduced to supplement existing sectoral legislation, regulations and guidelines on Outsourcing, by setting out the Bank’s expectations of good practice for effective management of outsourcing risk. The Guidance expects firms to take a firm-wide approach to analysing and managing their outsourcing risks through to the implementation of a robust strategy, framework, policies and procedures. Some of the key expectations on firms include:
- Risk Assessment – the expectation on firms to risk assess the criticality or importance of the activity or service to be outsourced either to a third party, intragroup or delegated arrangement. In assessing the risks, firms are expected to consider a number of factors including taking a holistic approach to outsourcing and the concentration risk across the entire firm and/or industry where several firms outsource to the same outsourced providers, for example, cloud service providers.
- Governance – the Board, as ultimate accountable owners, must ensure they have demonstrable due diligence, oversight and monitoring frameworks in place to provide the appropriate assurance that outsourcing risk is effectively managed and the right controls are in place to mitigate the risk.
- Policy – regulated firms are expected to have a documented outsourcing strategy that takes account of outsourcing risk appetite and clearly articulates:
  - the types of activities and functions they will consider outsourcing;
  - the associated risks;
  - the ability, skills and competencies required to appropriately monitor and oversee outsourcing arrangements.
- Record Keeping – maintenance of a register of the firm’s outsourcing universe is required to facilitate centralised management.
- Outsourcing Risk Management Framework – the Central Bank’s expectation is that firms develop and implement a robust and strong outsourcing risk management framework that incorporates comprehensive risk assessments to enable adequate oversight of outsourced activities.
An approach we have found to be beneficial when supporting our clients’ Boards and Senior Executives is to benchmark existing outsourcing risk management frameworks against the Guidance to enable the effective identification, oversight and management of outsourcing risks.
In supporting our clients, we have explored the entire lifecycle of the risk of their outsourcing arrangements and underpinned the framework with existing legislation, regulations and guidelines relevant to the firms’ sector.