Are you a regulated financial service provider? Do you outsource? If so, you will need to pay close attention to the Central Bank of Ireland’s recently published paper on outsourcing (here) and take appropriate action to address the issues outlined in it. When doing so, you may also find it helpful to take a step back and look at the overall picture of your outsourcing arrangements, framed in terms of the five W's and the How of outsourcing.
1. Who is responsible for your outsourcing arrangements?
The board and senior management is responsible for your outsourcing arrangements, as well as all other activities that you undertake. This means that your board and senior management must be aware of the scale of your outsourcing arrangements and associated risks and the Central Bank will expect to see board members questioning and challenging key outsourcing proposals or decisions.
In order to inform board awareness, you will need to give due consideration to your outsourcing strategy including the extent of outsourcing that the firm intends to undertake and the types of activities and functions it will consider outsourcing, being in mind the associated risks. You must also ensure that you have a process in place for escalating outsourcing issues to the board, where this is merited.
2. What are you outsourcing?
You must know what you are outsourcing. You should classify your arrangements with your service providers to identify those which constitute outsourcing and those which do not. In addition, you should maintain a complete and up-to-date database or register of all outsourcing service providers (“OSPs”) and your arrangements with them.
It is also important to understand the characteristics of the functions that you are outsourcing. This includes identifying which of your outsourced functions are critical or important functions According to the Central Bank, firms tend to underestimate the number of critical or important services being outsourced and this is likely to be an area of focus for the Central Bank.
3. Why are you outsourcing?
Outsourcing has clear attractions. However, it may not always be the best, or even the most cost-effective approach. You should have a clear understanding as to why you are outsourcing a particular function, including the risks involved in doing so. Among other things, this involves conducting a cost-benefit analysis of the proposed outsourcing arrangement.
It is important to remember that it is not possible to outsource risk and you retain overall responsibility for the outsourced function. This means that outsourcing a function will impose a number of additional obligations on your firm, as well as creating new sources of risk, including, for example, brand and reputation damage, cyber security and data protection risks and concentration risks. For example, you will need to ensure that your firm’s risk management framework appropriately captures outsourcing risks and that you identify, manage and assess all relevant risks.
Moreover, you will need to put in place appropriate supervisory arrangements and ensure that you have sufficient staff in place with the requisite skills and knowledge to manage the outsourcing arrangements and the repatriation or substitution of services, if required. This may include upskilling your existing employees to ensure a continued understanding of the outsourced function and the work of the OSP.
4. Where are you outsourcing?
Identifying an appropriate OSP is a key factor in building a successful outsourcing arrangement and one that requires careful thought. In particular, you must ensure that you fully understand the OSP’s capabilities to effectively deliver the outsourced activity/service. This is particularly the case when outsourcing critical or important functions. Moreover, outsourcing to a group member does not obviate the need for carrying out due diligence on the OSP.
Your firm’s outsourcing policy should set out the due diligence to be conducted on potential OSPs as well as decision points and escalation routes for the provision of management information to the board. Among other things, your due diligence should consider whether the OSP can meet its requirements in relation to service quality and reliability, security and business continuity, in both normal and stressed conditions. Moreover, in conducting due diligence on potential OSPs, you must ensure that the OSP’s risk controls are at least as strong as the controls utilised by your firm.
In addition to doing due diligence on the relevant OSP, there are a number of other factors that you may need to consider, including, for example, whether the OSP intends to perform the relevant outsourced activity/service itself or to further subcontract it (referred to as chain outsourcing). Where the OSP has sub-contracting arrangements in place you will need to ensure that you can exercise appropriate visibility over any product/service being outsourced.
Concentration risk is also an important issue to consider when choosing an OSP. Concentration risk is the probability of loss arising from a lack of diversification of OSPs. It can arise when a firm has outsourced several activities/services to the same OSP, where several firms outsource an activity to the same OSP and/or through chain outsourcing arrangements. According to the Central Bank, firms should ideally choose multiple OSPs in order to avoid being overly reliant on one provider. Options to encourage more regular review of the outsourced service and to reduce concentration include using dual outsourcing arrangements, shorter duration contracts and bidding for contracts.
5. When there’s a problem, what are you going to do?
Problems may arise in the context of outsourcing arrangements and you will need to put in place robust business continuity plans for dealing with any scenario where the OSP, for whatever reason, gets into difficulty, or abruptly loses the capability to continue to provide or support critical business processes or systems.
This includes putting in place clear and viable contingency plans and exit strategies for your firm as well as ensuring that you are aware of the contingency plans that your OSP has in place. The Central Bank expects the board and senior management to consider the impact of any outsourcing arrangement on existing business continuity plans and to ensure those plans are updated to reflect any revisions to service arrangements. Business continuity plans must be tested at regular intervals and relevant OSPs must be included in any such testing.
The Central Bank also expects firms to put in place a robust data management strategy at the outset of any outsourcing arrangement, setting out the standards and requirements to be applied in respect of the regulated firm’s data including back-up and recovery, security protocols and encryption standards, access management and legal requirements. This strategy should mitigate difficulties arising from a data perspective should a problem occur.
6. How are you going to supervise your outsourcing arrangements?
One of the biggest risks related to outsourcing is loss of visibility and control over the outsourced functions. Firms outsourcing any part of their risk management or internal control functions must ensure that they maintain adequate oversight of these functions. In particular, they must be able to effectively challenge the quality and performance of outsourced processes, services and activities and carry out their own risk assessment and ongoing monitoring.
One part of effective supervision is to ensure that you know who is responsible and for what. In this respect, your firm should have in place a firm-wide outsourcing policy outlining clear lines of responsibility for initial due diligence and ongoing management and review of outsourced arrangements. The policy should clearly designate/assign the ownership of outsourcing risk.
Another key part of effective supervision involves ensuring that arrangements between the firm and its OSP are explicitly set out and include appropriate service level agreements (SLA) that, at a minimum:
- clearly state the nature, quality and scope of the service to be delivered as well as the roles and responsibilities of the contracting parties;
- include requirements for service levels, availability and reliability, including measurable performance metrics and remedies for performance shortfalls; and
- are reviewed at least annually and particularly where there are material changes to the firm’s business model.
Contractual arrangements with an OSP should also cover the protection of confidential information, banking secrecy and other specific provisions relating to handling confidential information. In addition, they should include an obligation for the OSP to inform the regulated firm of any planned sub-outsourcing or material changes thereto, in particular where that might affect the OSP’s ability to meet its responsibilities under the outsourced agreement.
Where the firm outsources to an OSP that has sub-contracting arrangements in place, it should ensure that the OSP oversees and manages the activities of its sub-contractors to ensure that all services are carried out in compliance with the original outsourcing contract and SLAs.
According to the Central Bank, its Paper should be viewed, “as a summary of the key outsourcing issues and risks considered by the Central Bank as those requiring closest attention at this time.”. The Central Bank expects that all regulated firms take appropriate action to address the issues outlined in the Paper and can evidence same to the Central Bank if requested. Taking such actions will require firms to comprehensively review their outsourcing arrangements. As such, it presents an ideal opportunity for you to update your existing outsourcing arrangements, which, if approached sensibly, could bring a number of benefits to your firm.