Outsourcing: Governance and Monitoring – Key points from the Central Bank’s draft cross-industry guidance
Outsourcing remains very high on the Central Bank’s supervisory agenda, with the recent launch of a consultation on draft cross-industry guidance for all regulated firms (the CBI Guidance). Following on from our recent overview of the CBI Guidance, this briefing focuses on the aspects of the CBI Guidance relating to effective governance and ongoing monitoring.
Click here to view this briefing in PDF format.
Focus on Outsourcing
In February 2021, the Central Bank (CBI) published CP138 – Consultation on Cross-Industry Guidance on Outsourcing (CP138) together with its draft CBI Guidance.
Outsourcing is a key focus of the CBI’s supervisory agenda and, as drafted, the CBI Guidance is applicable to all regulated firms that outsource services and/or functions (see our recent overview: Outsourcing: Central Bank consults on draft cross-industry guidance for regulated firms for further information).
Two of the key issues that the CBI Guidance focuses on are:
- the CBI’s expectations regarding appropriate and effective governance; and
- the importance of comprehensive (and ongoing) monitoring of outsourced services/ functions.
We explore these issues in more detail in this briefing.
Governance Requirements
Part B, Section 4 of the CBI Guidance sets out the CBI’s expectations surrounding effective governance of outsourcing, including the responsibilities of the board, senior management or management body (Board), record-keeping and outsourcing policy requirements.
The CBI reiterates the point that ultimate accountability for any outsourcing rests with the Board of the regulated firm, and summarises steps the Board should take in the context of an outsourcing.
Role of the Board
In summary, the CBI Guidance requires the Board to:
- take actions to ensure the regulated firm’s outsourcing framework is appropriate from a governance and risk perspective (based on an assessment carried out by the Board);
- assign responsibility for oversight to an appropriately designated individual, function or committee (that is directly accountable to the Board);
- ensure that appropriate skills and knowledge are retained within the regulated firm to effectively oversee outsourcing arrangements from inception to conclusion;
- ensure there are appropriate structures and mechanisms in place to provide a comprehensive view of the regulated firm’s outsourcing universe to the Board; and
- at all times ensure that sufficient substance is maintained so the regulated firm does not become an “empty shell”.
The CBI also expects the Board to be fully responsible for the setting of the regulated firm’s strategies and policy. The CBI Guidance sets out an expectation that a regulated firm will be able to:
- demonstrate to the CBI that it has carefully considered the outsourcing risks and that the Board has no significant concerns;
- maintain adequate oversight; and
- apply due care when outsourcing “pre-approval controlled functions” and “controlled functions” under the CBI’s Fitness and Probity Regime.
Strategy and Policy for Outsourcing
The CBI Guidance highlights the importance of regulated firms evaluating their overall approach in relation to outsourcing and how any outsourcing aligns with their business model, strategy and risk appetite.
The CBI’s expectations on strategy and policy include requirements on a regulated firm to:
- have a documented outsourcing strategy in place which considers the extent of the intended outsourcing, the types of activities it will consider outsourcing, the risks to the regulated firm and the extent to which the regulated firm can effectively monitor the outsourcing arrangement;
- consider information communication technology (ICT) risks, particularly for cloud-based offerings; and
- ensure that the arrangements for the management and mitigation of any related risks are evidenced.
Outsourcing Policies and Procedures
The CBI Guidance emphasises that is crucial for a regulated firm to have a documented, firm-wide outsourcing policy that is reviewed and approved by the Board at least annually.
Outsourcing policies will be the subject of a further detailed briefing as part of this series of briefings on the draft CBI Guidance.
Disaster Recovery and Business Continuity Management
Regulated firms must also ensure continuity of services through strong disaster recovery and business continuity management as a means of effective governance of any outsourcing arrangement. Critical to a regulated firm’s resilience in this regard is the continuous assessment of its business processes and its business continuity plans.
Regulated firms also need to ensure that their outsourced service providers (OSPs) have their own robust business continuity plans and that these plans are subject to appropriate review and testing. Part B, Section 9 of the CBI Guidance sets out separate requirements regarding measures to ensure continuity of outsourced functions, appropriate exit strategies and business continuity plans.
Monitoring Requirements
Part B, Section 8 of the CBI Guidance sets out the CBI’s expectations in relation to the monitoring of outsourced services/functions.
A key element of this is the expectation that a regulated firm includes outsourcing assurance in its “three lines of defence” (i.e. risk owners, risk management and compliance functions, and internal audit).
To meet these expectations, regulated firms will need to:
- implement mechanisms to oversee, monitor, and assess the appropriateness and performance of their outsourced arrangements;
- have appropriately skilled staff within the regulated firm to interrogate the effectiveness of the outsourced arrangement and monitor the OSP’s performance using a risk-based approach.
Regulated firms should also consider whether they have existing mechanisms in place to oversee, monitor and assess other functions or activities that could be utilised or adapted in order to ensure effective oversight and monitoring of outsourced services/functions.
Internal Audit & Independent Third Party Review
Regulated firms must also ensure that the assessment of the effective performance of its outsourcing arrangements and controls to mitigate risks forms part of its third line of defence assurance programme through its internal audit plan. Regulated firms will also need to consider the circumstances in which an independent external third party review may be necessary.
The CBI expects that an internal audit function’s audit programme will assess, using a risk-based approach, whether:
- the outsourcing framework is operating effectively and the outsourcing policies have been reviewed and updated to take account of any new legislation, business functions or risks;
- the correct classification is being used for outsourcing arrangements in line with the regulated firm’s methodology for assessing “criticality and importance”;
- the regulated firm’s outsourcing register is being appropriately maintained (the requirement to have an outsourcing register is new and set out in Part B Section 10.2 of the CBI Guidance); and
- the oversight of the Board and the monitoring and management of its outsourcing arrangement is effective.
Detailed Follow-Up Briefings
The next three briefings in our series of detailed follow-up briefings on the CBI Guidance will focus on the following areas and set out practical steps that regulated firms can take in advance of the expected publication of the final CBI Guidance later this year:
- contractual requirements
- risk assessment and due diligence
- registers and outsourcing policies