07 September, 2020
With outsourcing coming under ever closer regulatory scrutiny, and more and more business critical functions being taken on by third parties, the need for tighter service provider oversight and effective contingency planning is increasing.
The first rule of outsourcing is that you can contract out operations to a third party, but you can’t outsource responsibility. The buck will always stop with you.
The importance of exercising this responsibility has been heightened by the ‘get tough’ attitude we’re seeing from regulators, both here in the Channel Islands and worldwide. Take your eye off the ball and you don’t just run the risk of fines and remedial action, but also the reputational damage these can cause.
What then do regulators expect? Regulators want assurance that your business knows and controls what’s being done in its name. This isn’t just about ensuring that operations run smoothly, but also making sure that your outsourcer complies with relevant legislation and regulation in areas such as data protection.
Regulators are also looking at how dependent you are on a single provider and what contingency ‘Plan B’ exists if the service is compromised or breaks down. Instances of cyberattacks and the cutting off of some offshore services during lockdown have brought such concerns to the fore. The importance of continuity planning is growing as outsourced services move up the value chain. In addition to IT, the list of business critical functions being routinely outsourced includes finance, risk and compliance.
So, how can your business make sure it’s living up to its responsibilities on outsourcing? In our work with clients, three key priorities come to the fore:
Outsourcing is a strategic matter, which should be governed by the board. The starting point is a clear understanding of regulatory expectations and the continuity and concentration risks surrounding outsourcing. Key questions include what can be outsourced, to whom and how, and what levels of monitoring and control should be applied.
The resulting risk appetite should get down to the nuts and bolts rather than being simply a high level statement of principles. What specific data protection safeguards need to be in place, for example? How quickly do you need to be able to switch providers if something goes wrong?
Ensure contract terms reflect the risk appetite. This includes how the outsourcer manages the operations and what oversight you and they need to apply.
The specifications should seek to identify and manage key risks. For example, to safeguard data security and integrity, we’ve seen financial institutions stipulating vetting, hiring and oversight procedures for outsourced IT personnel that match their in-house standards.
Just as with in-house operations, governance structures should include timely information, clear accountability and defined triggers for intervention and escalation. And to assure regulators and the board, it’s important to maintain appropriate documentation.
For many of you, this is likely to require a more systematic and structured approach than at present. It may also require additional personnel, both to monitor outsourced performance and manage the relationships with service providers.
Putting these governance policies and procedures in place takes time, so it’s important to get moving now. Yes, this might all sound like more work just when you’ve got plenty on your plate already. The problem is that you could end up having to do far more to fix your outsourced operations if they unravel than if you apply a firm grip from the start. Moreover, robust direction and oversight can help to ensure that your outsourced services are delivering full value for you and your clients.