4 Steps To Managing Third-Party Outsourcing Requirements
September 16, 2020
Outsourcing has become big business: the global outsourcing market is now estimated to be worth almost €76 billion. Organisations are placing business with external providers who can provide a service more cheaply and efficiently.
Outsourcing opens up a wide variety of opportunities and benefits for organisations, such as reduced costs, enhanced customer experiences due to around-the-clock services across different time zones, and access to key skills and technology that may not be available in-house.
It is no surprise that global regulators are now turning their attention to outsourcing with regulators such as the European Banking Authority (EBA) and the Central Bank of Ireland (CBI) both publishing guidelines and discussion papers in recent months.
It is now more important than ever for financial services organisations to understand their outsourcing arrangements and to set up and evaluate the risks and controls each outsourced requirement can bring to their organisation. Failure to do so could lead to a regulatory fine such as the €1.6 million fine imposed on JP Morgan for breaching the CBI’s outsourcing requirements.
Four Steps To Managing Third-Party Outsourcing Requirements
Start at the Board Level
One of the main weaknesses found by the Central Bank of Ireland is a lack of awareness within many firms, including on the part of their Boards, of the scale of outsourcing arrangements and the consequent level of third-party dependencies. During inspections, the CBI found a lack of challenge or input from the Board when considering the potential impact of outsourcing a service or when choosing a third-party provider.
To successfully involve the Board in these decisions, it is important for organisations to have processes in place to ensure that the Board has oversight of outsourcing decisions. To use a working example, we have seen a lot of organisations set up internal onboarding questionnaires on our Regtech platform to see if a service should be outsourced. When working through the questionnaire, the relevant Board members can view information and input their feedback, thoughts and challenges as to whether or not an outsourcing agreement should be put in place.
Know Your Risks
Outsourcing brings with it a whole series of risks which must be monitored and assessed over time. A supervisory thematic review undertaken by the CBI in 2017 revealed significant gaps in the awareness and understanding of outsourcing risk and monitoring capabilities. Depending on the level of criticality of the outsourcing requirement, it is important that a full risk assessment is performed for each outsourced requirement.
It is critical to ensure that all risks inherent to outsourcing are appropriately identified, assessed and managed over time. Risk assessments must be continuous and carried out systematically to ensure that all current, potential and new risks are considered and identified, and that mitigating controls are created to manage them now and in the future.
Evaluate Your Due Diligence Process
Carrying out effective and in-depth due diligence on potential service providers is vital when it comes to selecting an appropriate provider for outsourcing. This is where the organisation should be able to identify whether the service provider has the ability, capacity and the required regulatory documents to perform the outsourced activity.
Completing due diligence documents can be an extremely laborious task for both the organisation and the potential service provider. The process often consists of multiple spreadsheets being sent by email, with important and sensitive files being sent over and back during the process. It can be difficult and time-consuming for the service provider to respond to the due diligence document, and it can be even more difficult for the organisation to read through the responses and find any areas of risk or non-compliance with internal policies or requirements.
Forward-thinking organisations are now looking at automating the due diligence process using Regtech providers. The due diligence workflow can be taken from spreadsheets and built into Regtech platforms where the questions can be sent out to the relevant personnel within the potential outsourced service provider (OSP). The OSP can then respond with their answers and upload documentation within the platform for the organisation to review. Automating this process ensures any areas of risk are flagged by the system and removes the chances of manual or human error.
After the outsourcing agreement has been put in place, it is important for organisations to engage in ongoing monitoring of the OSP. If service level agreements are in place, key performance indicators must be set out and monitored to ensure they are being achieved. The key risks identified during earlier onboarding risk assessments must now be managed and monitored on an ongoing basis to ensure they are within tolerance. A change in circumstances in either of the businesses, the business environment or anywhere else could have significant implications for the risks associated with OSPs.
This is why it is critical to create ongoing risk assessments, carry out performance reviews and ensure that any documentation, such as third-party assurance reports, is kept up to date at all times for all OSPs.
ViClarity’s Vendor Management Platform
ViClarity has successfully helped hundreds of organisations to manage their third-party outsourcing requirements. Our Vendor Management platform allows organisations to automate the whole vendor process, including onboarding, due diligence, risk assessments/reviews and more. ViClarity has best practice templates available but can also take your current processes and ingest them into the system, providing a customised solution for each organisation.