Outsourcing risk practice benchmark
29 October 2018
Comparing outsourcing practice in financial institutions
In this study, we worked with more than 50 banks and insurers from across the globe to further the understanding of outsourcing risk (also known as third party risk) in financial services.
By collating qualitative data based on surveys, interviews and group discussions with the participants, this research examined areas of potential improvement and overall industry maturity. It identified standard practice and common challenges when managing the risks associated with outsourcing, while identifying key risks throughout.
Benchmark your outsourcing practices to focus time and effort
The outsourcing study is part of our practice benchmarks programme. The programme assesses practice in a specific operational risk area across the industry. The benchmarks also allow firms to see how they're doing on an institutional level through individual benchmarks and a maturity matrix.
Even if you're not a member of ORX, you can still request an outsourcing practice benchmark. This will help you understand your strengths and weaknesses compared to the wider industry, improve your understanding of best current practice and let you know how you compare to your peers. This means that you'll know where you should focus effort, saving time and money.
Get in touch to find out how you can get your own outsourcing practice benchmark
What is outsourcing?
The term ‘outsourcing’ typically refers to an arrangement between an institution and an external party to provide a service, product or activity, on a continuing basis, that would have otherwise been performed internally. There are many economic, organisational and technical motivations to outsource. However, outsourcing may significantly alter an institution’s risk profile.
Elements of the outsourcing process

High-level research findings
The second line needs a seat at the table from the very beginning
Operational risk and oversight functions must take a proactive approach by becoming involved in the process before the decision to outsource has been finalised; otherwise it is only reactive risk management. This may seem onerous at first, but will save effort in the long run.
Communication breakdowns cannot be business as usual
Second line involvement in creating governance and oversight structures is strong, but to be effective these structures need to be combined with good communication.
Clearly identified roles and regular cross-functional interaction will serve to strengthen communication and help to manage risks more actively.
Typical controls are less effective
The tools which have proven most useful in managing internal risks lose some level of effectiveness when applied to operations performed externally. Real-time monitoring and testing, as well as early warning systems, can help to bridge this gap.
Internal contingency plans need more clarity
Requirements for business continuity plan (BCP) testing are standard in most agreements, with vendors consistently providing results of their testing to institutions. However, poor results are not always well-circulated and contingency plans are not well tested.
Although most institutions stated that they have created and tested internal procedures in the event of a prolonged vendor failure, there remains a percentage who have not. Second line risk functions should be able to step in easily to help ensure that contingencies are well communicated to the relevant areas of the institution.
Perfection is an ever-moving goal
The evolution of technologies, keeping up with regulation and remaining relevant mean that institutions must be more agile than they have typically been in the past. Financial institutions must develop practices that balance the need to bring products to market quickly with regulation and data protection. In order to facilitate this, second line risk oversight functions are now looking to evolve at the same pace as the environment.