The CBI, in its role as regulator, wants to ensure that the boards of these firms are fully aware of the extent to which their firm is reliant on outsourcing and that firms have suitable risk management and business continuity arrangements in place. It has published a detailed discussion paper on the topic, and is seeking feedback from firms ahead of an industry conference which it intends to arrange for early next year. The discussion paper has emerged from supervisory engagements combined with the results of a previous survey of a number of regulated firms.
"As the management of outsourcing risk remains the responsibility of the board of directors for individual firms, the Central Bank fully expects that firms will analyse this paper and take appropriate steps to address issues relevant to their outsourcing practices," said Gerry Cross, the CBI's director of policy and risk. "Furthermore, firms can expect that supervisors will seek evidence of updates to risk management frameworks to ensure that the paper was considered and an examination of outsourcing was conducted."
"The findings in this important report are disappointing. Significant action is required by boards and senior management to meet our minimum supervisory expectations on outsourcing governance arrangements, risk management controls and business continuity practices. This is necessary to ensure these activities do not compromise firms' operational resilience," he said.
The CBI surveyed 185 banks, asset management firms, insurers and payment institutions as part of its research for the report. Those firms reported that they had around 7,700 outsourcing arrangements in place, with a median average of about 15 such arrangements per firm. Of the 7,700 arrangements, 3,600 involved services deemed "critical" or "important" by respondents. In addition, 40% of the surveyed firms said that they planned to outsource more services in the next 12 to 18 months.
Commonly outsourced functions include information systems management and maintenance, outsourced by 75% of respondents in some capacity; risk management and internal control functions, by 63% of respondents; and middle and back office functions, by 62% of respondents. Around 40% of respondents outsourced some functions to cloud service providers. The CBI said that it expected to see particular increases in the use of cloud service providers and partnerships with 'fintech' and 'regtech' firms in the coming years.
Outsourcing arrangements are growing in both number and complexity, increasing the risks to firms, according to the CBI. It is also concerned about the lack of awareness within firms, particularly at board level, of the scale of their outsourcing arrangements and the extent to which they are reliant on third parties.
"In order to inform board awareness and control, the Central Bank expects that regulated firms have given due consideration to their outsourcing strategy and can evidence that this is the case," the CBI said in its report.
"In formulating their strategy, regulated firms should give consideration to areas such as, the extent of outsourcing that they intend to undertake and the types of activities and functions they... will consider outsourcing, bearing in mind the risks to which that outsourcing might expose the regulated firm. They must also be able to clearly evidence how any such risks will be managed and mitigated. This strategy should inform a comprehensive outsourcing policy," it said.
"Outsourcing has always been a major focus of the Central Bank and this is even more so the case now in the context of Brexit," said investment funds expert Aongus McCarthy of Pinsent Masons, the law firm behind Out-Law.com. "Impacted firms should consider the content of the Central Bank's discussion paper, conduct a documented review of their risk framework, including outsourcing arrangements, and make appropriate changes to their framework, as required.
"Regulated firms should include risk management, including outsourcing arrangements, as a regular board agenda item to ensure that the matter is given appropriate consideration by the Board, in particular, in light of the evolving financial services landscape," he said.
From a regulatory perspective, the CBI said that it had already issued "mitigation actions" to several firms, "specifically targeting improving the management of outsourcing risk".
"However, as the survey results reflect, further work and improvement to the standards of outsourcing governance and risk management processes is needed on an industry-wide basis across all sectors," it said.
The CBI refers to draft outsourcing guidelines by the European Banking Authority (EBA) at several points in the paper. The EBA recently confirmed that it would publish the final guidelines in the first quarter of the year. Once finalised, these guidelines will update the existing Committee of European Banking Supervisors (CEBS) outsourcing guidelines which have been in place since 2006, as well as incorporating the EBA's more recent recommendations on cloud outsourcing.