‘Discussion Paper 8- Outsourcing Findings and Issues for Discussion’
The Central Bank’s publication ‘Discussion Paper 8 - Outsourcing Findings and Issues for Discussion’ issued on the 19 November 2018, follows on from an extensive review of outsourcing arrangements across the Irish financial sector in which 185 regulated firms were surveyed. The review identified significant weaknesses in how outsourcing arrangements are being managed, with the results of the survey being described as “disappointing”.
The paper reflects the Central Bank’s increased focus on how risks posed by outsourcing arrangements are managed by regulated firms, a focus prompted by firm’s increasing reliance on outsourcing service providers (“OSPs”). The paper builds on the CEBS 2006 Guidelines on Outsourcing and reflects approaches by other international regulators such as the US OCC Guidelines, FCA’s SYSC 8 requirements and the EBA’s draft 2018 Guidelines on Outsourcing.
The paper is split into two parts, the first half focuses on the Central Bank’s findings and observations from the survey and supervisor’s interactions with regulated firms. There are three thematic areas of focus which draw attention to common weaknesses across the industry; Governance, Risk Management and Business Continuity Management, with minimum supervisory expectations set out at the end of each section including the overall expectation that any action required to address the weaknesses are addressed by regulated firms. The second half of the paper sets out a number of evolving risks and trends for firms to consider and provide feedback on.
The paper highlights the scale and scope of outsourcing activity taking place and notes that while there is evidence of good practice, the quality of risk management and governance arrangements to effectively manage and challenge this expansion in activity requires significant improvement across the financial services sector.
The Central Bank are particularly concerned with the lack of awareness and control of outsourcing risk at board level. Deficiencies in, and even the absence of, outsourcing strategy, risk appetite and risk frameworks undermine the regulators confidence that responsibility and oversight of outsourcing arrangements is effective in regulated firms. Compounding this problem is the inconsistent use of SLA’s to govern outsourcing relationships. In the Central Bank’s’s view this it makes it difficult for the board and senior management to have a full picture of services outsourced and performance required.
Unsurprisingly the absence of adequate governance arrangements and SLA’s has resulted in deficiencies being identified in firm’s oversight and monitoring of outsourced arrangements. Effective risk management should address all areas of the outsourcing lifecycle; identification, selection, agreement, monitoring, transition and exit and provide an assessment of the risks identified and controls to manage them.
Concerns were also raised about the overreliance on the first line to manage outsourcing risk and the lack of independent reviews performed on outsourced providers. Underpinning this point is the need for firms to retain a level of expertise around outsourced functions to ensure providers can be held to account and, if necessary, activities can be brought back in house or transitioned to another party. Two particular areas firms need to review are their approach to intragroup arrangements and the identification of critical outsourced services.
The risk OSP service disruption may have on the continued provision of services is the final key finding of the paper. The Central Bank expects firms to implement measures which improve resilience of service provision but notes that the impact of outsourcing arrangements on BCP, inclusion of OSP’s in testing plans, or review of the OSP’s continuity planning was conducted inconsistently across the industry.
As a minimum standard firms need to prepare for disruption, consider exit strategies and ensure contingency plans for outsourced activities are kept up to date.
The second part of the paper sets out a number of emerging issues; Sensitive Data, Concentration Risk, Offshoring Risk, Chain Outsourcing/ Sub Contracting and Substitutability Risk. Firms should consider their approach to addressing these emerging topics and submit their views to the Central Bank. Feedback received on the key risks and evolving trends associated with outsourcing will inform the Central Bank’s ongoing supervision of outsourcing, planning for a 2019 industry event and engagement in domestic, EU and international fora.
In relation to the key findings, while the Central Bank have stated that the paper is not a definitive guide or exhaustive list of requirements around outsourcing it expects all regulated firms to take appropriate action to address the concerns raised, meet the stated minimum requirements and evidence that this is the case.
Given the high number of RMP’s issued by the Central Bank and the recurring nature of its concerns, firm’s should consider all aspects of their outsourcing risk framework; from determining outsourcing strategies, aligning these to risk appetite, developing comprehensive risk assessments, implementing management controls/actions, strengthening resilience in the face of service disruption and implementing a governance framework to effectively control the process.
With the breadth and sophistication of outsourcing relationships continuing to increase, an integrated outsourcing risk framework that incorporates all three lines of defence needs to be implemented if firms are to ensure operational risk levels do not breach their risk appetite, interrupt service provision and cause reputational risk.
The increasing supervisory focus on outsourcing risk impacts other developing areas of the regulatory landscape; particularly operational continuity in resolution, operational resilience, Basel 4 changes to the operational risk capital calculation and the focus on individual accountability of senior managers. KPMG’s regulatory and risk specialists have a deep understanding of these evolving areas and have worked with financial service firms both domestically and internationally to develop effective outsourcing risk management frameworks. The benefit to firms of having a framework which reflects regulatory requirements and improves the ability to identify, monitor and manage outsourcing risk ensures firms can maximise the benefits and efficiencies outsourcing can bring, while ensuring risks associated with these activities are managed to the same degree as if they were performed ‘in-house’.