Managing Outsourcing Risk: A New Framework for Banking and Beyond
- Banking, Insurance and Financial Services
- Procure to Pay
In recent years there has been an increase in the outsourcing of services by banks in order to reduce costs and improve their efficiency and flexibility. Outsourcing makes it possible to take advantage of economies of scale and is a form of easy access to new technologies and to tools and services not available in the institution itself. However, it can also have serious drawbacks. Managing outsourcing risk has become a major priority for many businesses.
Outsourcing – What are the risks?
Consumer banking has a long history of serious financial and reputational crises that were the result of mistakes made by third parties. One of the ten largest reinsurers in the world, XL Catlin, tells how several years ago, millions of retail bank customers were unable to withdraw funds or consult their balances due to a computer failure. Another entity had to compensate thousands of customers whose personal data was stolen and illegally sold. How did this happen? A provider had stored this data on a lost USB stick.
Outsourcing services can leave banks vulnerable to new sources of risk and new threats. Some of these threats include loss of control over the activity itself and over essential information for the management of the bank, dependence on the supplier, and loss of know-how. A lack of transparency in the procurement of outsourced services can also lead to a number of other challenges, putting banks at risk for corruption and fraud.
To combat this risk, the European Banking Authority (EBA) published draft guidelines for the management of outsourcing practices in June, 2018 to establish a common framework for risk management in outsourcing activities. Once the consultation phase is over, these guidelines will enter into force on September 30th, giving banking institutions less than six months to adapt their processes to European requirements.
What do the new EBA Guidelines for managing outsourcing risk look like?
In order to prevent the failure of a critical service provider from impacting the financial activity of the European single market, the EBA has established a global framework for outsourcing activities to ensure that all risks associated with third parties are identified, assessed and mitigated. While these guidelines were established for the banking sector in Europe, the framework provides helpful guidelines for risk assessment and mitigation that could be applied in any company that works with third party service providers.
The framework covers the key steps for managing outsourcing risk in banks:
Banks must have a robust and properly implemented policy, processes and control elements surrounding outsourcing. The objective is to ensure that the management committee and board of directors has continuous oversight and supervision of the entities involved, and that their responsibilities are not delegated.
The first step to assessing risks associated with outsourcing is to conduct a thorough analysis of the activity to be outsourced. Depending on the results, certain requirements will be applied in the selection phase. In this phase, banks will need to evaluate the capacity of suppliers and analyze various potential risks.
Defining obligations and monitoring performance
After selection, in the contractual phase, the obligations of each of the parties will need to be properly established and banks will need to collect information relating to subcontracting, information security and the rights of audit and resolution.
Once the contract is in force, banks will need to monitor supplier’s performance, and strategies should be established for the possible early termination of contracts and/or supplier development plans will be needed to ensure business continuity. Where appropriate, the risk assessments carried out in the first instance shall be updated.
Supervision of hiring
Finally, the guidelines state that the hiring process for outsourced services will need to be supervised by competent authorities, and a reporting process will need to be put in place. To ensure that this is done effectively, the guidelines recommend having a structured record of all outsourcing arrangements, including the suppliers involved and all the information associated with the outsourcing process. Transparency is key!
What Other Industries Can Learn from The EBA Outsourcing Guidelines
The model proposed by the EBA is already being implemented by some banks. Other companies could also benefit from implementing similar processes for managing outsourcing risk. No matter the sector, companies that work with third-party service providers are vulnerable to similar risks. The EBA guidelines provide a solid framework with key steps companies must take to protect their business from risk and to ensure the supply chain sustainability.
How Integrated Procurement Software Solutions Can Help Banks Get Compliant
Procurement has a central role to play in helping banks get compliant with the new regulations. Data transparency in procurement is a key prerequisite for ensuring compliant auditing, contract management, risk assessment and supplier performance monitoring processes. Integrated procurement software solutions like JAGGAER ONE make it easy to track and monitor data across the entire Procure-to-Pay process, ensuring transparency and consistency. Not only does a Procure-to-Pay solution reduce costs by automating many key aspects of the procurement process, it also helps businesses stay compliant with external regulations by providing a clear record of purchases, contracts, and supplier information for auditing purposes.
In banking and, by extension, in every company of the 21st century, new technologies applied to procurement can be used to configure this new model of excellence that is essential for improving risk management processes.