As part of the supervisory priorities for 2017, the European Central Bank (ECB) will initiate a thematic review of banks’ outsourced activities to assess how they are managing the associated risks. IT outsourcing activities will be a large and important part of this review.
This supervisory priority echoes the outcomes of the KPMG benchmark analysis on IT risks carried out in June 2016. The KPMG ECB Office analysis covers ten different European countries, and its aim was to identify the main IT risks. IT outsourcing risks were the third most prevalent IT risk in the banking sector, right behind cyber risks and data risks (quality, privacy, etc.).
IT outsourcing comes in many forms. Some of the most common types of IT outsourcing are systems development and maintenance, support for data center operations, network administration, disaster recovery services, application hosting, and cloud computing. Outsourcing can involve the provision of IT capabilities and facilities by a single third party or by multiple vendors located in the home country or abroad.
IT outsourcing can involve many types of risk. First of all, the bank runs the risk of receiving poor-quality work due to a lack of skills on the vendor side or to the vendor's high employee turnover. Thus, high-quality service could be compromised. Moreover, if the vendor does not document its work well, it would be difficult for the bank to ensure adequate and timely insourcing again. The bank also runs the risk of downtime during critical system failures, leading to potential loss of productivity; it may take days before a busy IT contractor can devote attention to the business problem and resolve the issues. Another important risk a bank could run is that the outsourcing company does not implement adequate security measures, leading to leaks of intellectual property or other private data.
The ECB already carried out a thematic review on IT outsourcing risks in 2015 based on self-assessment questionnaires along with specific documents to be provided by supervised institutions.
The ECB requested information about the IT budget and forecast, including how much of it is outsourced IT and how much is cloud-outsourced IT, for both “build-the-bank” and “run-the-bank” activities.
They also collected specific details on IT outsourcing contracts. If a bank had fewer than 50 contracts, it had to provide detailed information about all of them. If it had more than 50 contracts, the bank had to provide detailed information on the top 10-15 contracts with regard to criticality for the business, the top 10-15 contracts with regard to the highest sensitivity of data, and the top 25-30 contracts according to size per year or above 5 million EUR.
On top of all this collected information, supervised institutions had to answer around 60 detailed questions on the governance and policies regarding IT outsourcing, selection of providers, prior risk assessment, monitoring and cloud computing.
IT outsourcing risks in the banking sector are covered by different frameworks and standards, as well as national and/or global requirements. The ITIL Framework (Information Technology Infrastructure Library) includes best practices for managing IT outsourcing. The Bank for International Settlements (BIS) released outsourcing guidance for financial services. Last but not least, the European Banking Authority (EBA), in its recently released ICT Guidelines, provides guidance to identify material IT outsourcing risks and the controls to mitigate them.
Supervisors tend to focus more on the level of control over the outsourced activities, whereas banks are more concerned about losing core banking competencies and knowledge, but also about increased IT risks as a result of digitization, tailored client services or process optimization, which require outsourcing and cloud computing. Nevertheless, CIOs continue to outsource IT activities in line with the target operating model to generate significant financial and operational advantages.
Leading practice in this field should encompass the internal control organization of major outsourcing projects, with a focus on regulatory compliance, appropriate governance, risk management and the general organization of the outsourcing process, including internal control and pre/post-implementation activities.
The main objective is to improve and streamline the internal control organization of banks’ major outsourcing projects. To this end, compliance with the principles and best practices defined in the previously mentioned frameworks and guidelines is recommended. Furthermore, industry best practice includes:
In light of the ECB’s thematic review, banks should be making every effort to implement the guidance and leading practices that are becoming the industry norm.