Managing the Risks Associated with Outsourcing

Antonia Mahoney from Carne Group looks at the Outsourcing Guidance one year on from the first submission of the outsourcing registers, and provides insights on key elements of the guidance.

The Central Bank of Ireland (CBI) issued its guidance paper titled “Cross Industry Guidance on Outsourcing” (the Guidance) in December 2021. This marked the beginning of a journey to ensure regulated firms (Firms) managed the risks associated with outsourcing. The CBI stated that Guidance is relevant to all Firms that use outsourcing and clarified that they did not consider “delegation” and “outsourcing” to be different concepts. 

The Guidance requires Firms to establish an outsourcing framework (Framework) with ownership by the Firm’s Board. The Framework should include an outsourcing policy and an outsourcing risk framework that are aligned with the overall risk management framework of the Firm.

Finally, the Guidance required the creation of an outsourcing register on a contract-by-contract basis.  A template was issued by the CBI and the first submission of a register was required in October 2022 for Firms with a PRISM rating of Low-Medium or higher.

Submission experience

The creation of the outsourcing register can create certain challenges for Firms:

• The collection of the data requires service providers to collaborate with the Firm;

• The data selections and categorisations must be made from pre-defined lists provided by the CBI;

• The Firm must adhere to the strict data file naming and validation rules.

If these rules are not adhered to, the submission will not upload to the CBI portal. However, helpfully the CBI portal will provide a narrative on the data validation failures, allowing The Firm to systematically resolve each validation fail.

There are also a number of attestations required when making a submission. These can be found on the “Additional General Information”.  If a firm is prioritising certain aspects of the Guidance, the topics of these attestations is a good place to start.

New Templates issued by the Central Bank of Ireland

As we progress into Q4 2023, firms are awaiting a date from the CBI for submission of the Outsourcing Register, which will be in respect of the position as at 31 December 2022.  A revised template was issued by the CBI in July 2023. The revised template for a “Market Firm” (the template applicable to a Management Company) does not appear to provide a significant challenge in terms of additional data points. However, the presentation of the data in the new template has changed and is grouped differently. The most notable difference being the requirement for Legal Entity Identifiers (“LEI’s”) for critical sub-outsourcing service providers (or a unique reference starting with “SP” for those with no LEI).

The template is protected and the function to copy and paste data is limited. This may complicate the transposition of registers from the previous template to the new template. The CBI has updated its guidance on populating the register accordingly and continues to note strict validation requirements for each field. It is expected that similar to the previous submission process, diligence will be required by each Firm to successfully pass those validation checks.

Outsourcing framework – what next?

Looking at the Guidance more holistically, it is expected that Outsourcing Frameworks and other associated documents will shortly be refreshed. This is a good opportunity for each Firm to look back and ensure that they are adhering to all elements of its Outsourcing Framework and revisit any new processes implemented in 2022 to see if they are working as expected, or if clarifications and updates are needed. Furthermore, as Operational Risk teams are well progressed in the Operational Resilience implementation plans, there are a number of areas where the two frameworks interact with each other. The Framework Documents should be updated accordingly to accommodate the Operational Resilience provisions.

Digitisation as an enabler

It has been difficult to fully automate or digitise the Outsourcing Framework in its entirety. However, there are opportunities to systematise due diligence and ongoing attestations. This can help facilitate data collection, which can in turn populate the Outsourcing Register. Further progress in this area will depend on any further updates to be made to the outsourcing templates. We await to see if the CBI templates will be updated on a regular basis, which could hinder full automation and generation of the Register.

Looking towards 2024 and beyond

As 2024 approaches, I expect firms to consolidate and mature both the Outsourcing and Operational Resilience Frameworks. This will help ensure that delegate touch points are well co-ordinated, minimising interruptions on delegates and service providers.  Such touchpoints will be required for the continued refresh of data points and a periodic review of any mapping of critical processes to ensure that information held in the frameworks continues to be current.

As noted previously, there are significant areas of crossover and the opportunity for efficiency should not be missed. An obvious opportunity to create such efficiencies is whilst carrying out due diligence on service providers, where it will be possible to address both outsourcing and operational resilience. This will remove the need to reach out separately, as may have been the case during 2022 and 2023, as the two sets of guidance were being implemented.

Finally, there should be sufficient safeguards built into business-as-usual processes to ensure that where there are material changes to outsourcing service providers, especially those that are deemed “Critical”, there are clear mechanisms for those changes to be communicated to regulated Firms. This should be done through regular touchpoints with roles and responsibilities clearly communicated and documented through agreements, service level agreements or similar.

If you would like to find out more, please contact Patrick O’Brien (patrick.obrien@carnegroup.com).