19/03/2025
Insights Blog

In the fourth and penultimate article of our mini-series ‘A Practitioners Guide to IT Outsourcing’, Rhiannon Monahan, an Associate Director within our Governance and Consulting Services Group and former Head of Outsourcing Oversight to a number of financial entities, outlines some practical suggestions when it comes to identifying and managing outsourcing risk, with a particular focus on the sub-categories of concentration, country and data risk.

Risk of Reliance

As highlighted by the ECB’s recent outsourcing trend analysis:

“The share of critical functions outsourced to external service providers that are difficult or impossible to substitute increased from 80% to 82%, of which 95% are difficult or impossible to reintegrate.”

In some cases, the difficulties of substituting or reintegrating services can be reduced by implementing the lessons learned from periodic exit plan reviews and testing. However, this is not always the case, for example:

  • It is not always practical to engage multiple IT Service Providers to provide the same service; this is particularly the case for technologies designed to support standardised, firm-wide processes or functions.
  • To ensure their technology stacks are scalable, high-performing and inter-connected across all applications, firms may choose to engage a single IT Service Provider.
  • Certain IT Service Providers continue to dominate the market for particular IT Services, meaning there are few alternative providers to choose from.

For any IT Outsourcing arrangement which is difficult or impossible to exit, a situation referred to as ‘vendor lock-in’, firms should proportionately increase the frequency and intensity of their oversight engagements, and where necessary invoke their access and audit rights of material sub-contractors. Firms will also need to carefully calibrate and test their ability to remain within the set impact tolerance for each critical or important business service supported by an IT Service Provider who presents a significant third-party concentration risk.

Note: The considerations when conducting a substitution and reintegration assessment were dealt with in our previous article, When Things go Wrong.

Diverging Regulatory Regimes

While Europe is home to a growing number of technology companies, most technology giants such as Microsoft, Apple, Amazon and Google are still primarily based in the US. The continued dominance of the US Big Tech players is also reflected in the ECB’s horizontal analysis, which showed that the percentage of critical IT contracts outsourced to external providers located in non-EU countries increased from 22% to 27% between 2022 and 2023.

When assessing the level of country risk arising from IT Outsourcing arrangements, it is important to recognise just how quickly the European regulatory environment is evolving to keep pace with new and emerging technologies, and in turn, how quickly we are diverging from our non-European counterparts.

While there is some comfort to be taken from the fact that non-European IT Service Providers are required to comply with certain regulations if they intend to market and operate their services in Europe, it is inevitable that different approaches to regulation will cause friction, particularly when cultural differences are considered.

To mitigate the impact of regulatory divergence, firms should carefully review and frequently update their contractual arrangements with critical IT Service Providers to ensure there is a documented agreement and understanding of what is expected of both parties under each IT Outsourcing arrangement.

Data Use and Protection

The accessibility, availability, integrity, confidentiality, privacy and safety of data has long been a key area of focus when outsourcing to an IT Service Provider to ensure the firm’s continued compliance with the GDPR, amongst other data protection requirements.

As the ChatGPT effect continues to take hold, the need for large amounts of clean and unbiased data is becoming more pronounced to allow IT Service Providers to train the AI-models they intend to use. Firms should be actively engaging with their IT Service Providers at this point to discuss their intended use of AI, including detailed discussions of at least the following:

  • Training Data Sets: What data sets are being used to train the AI-model to reduce the risk of unethical or biased outcomes? Is the firm’s data being used to train the AI-model?
  • Performance and Accuracy: How accurate is the output from the AI-model and how will performance be tracked?
  • Employee Usage: What is being done to ensure that employees are not uploading the firm’s data into publicly available AI-models without their knowledge and/or consent?

How can we help?

Our experts are uniquely placed to provide legal advice, regulatory insights and operational know-how within the same engagement to support you in the design and implementation of your IT Outsourcing governance and oversight arrangements.

If you would like to discuss any points raised in this article further, please do not hesitate to contact your usual Arthur Cox contact(s), or any member of the Governance and Consulting Services or Technology and Innovation groups to discuss how we can help you.