A Reflection on the Inaugural CBI Outsourcing Register Submission Process

Wednesday, 29 March 2023

In the wake of the inaugural outsourcing register submission to the CBI, Damien Carty of PwC shares lessons learned from the process and details key activities firms should be considering in preparation for the next outsourcing register submission.

The Central Bank of Ireland (CBI) is heavily focused on outsourcing due to its increasing prevalence across the financial services sector. If not effectively managed, outsourcing has the potential to threaten the operational resilience of financial service providers regulated by the CBI and the Irish financial system. The CBI’s focus is evidenced through their publication of the Cross Industry Guidance on Outsourcing (“the guidelines”) in December 2021.

Given this context, the maintenance of records in relation to a regulated firm’s outsourcing universe is essential in facilitating effective oversight and management of outsourcing arrangements and related risks. One of the key components of the guidelines is the establishment and maintenance of an outsourcing register. The inaugural outsourcing register submission was completed by all regulated firms whose Probability Risk and Impact SysteM (PRISM) rating is medium low or above (or its equivalent) during October 2022. This was a landmark component of the outsourcing process.

This article provides a reflection on the outsourcing register submission process, together with insights on key activities firms should consider for future submissions. Whilst each firm will no doubt have its own learnings, from discussions with the market as a whole we have outlined six key reflection points, together with suggested go-forward responses.

Assessment of criticality or importance of the outsourced activity

During the collation process for the inaugural CBI outsourcing register submission, many firms had yet to finalise their outsourcing determination and criticality assessment methodology. As a consequence, interpretation of the guidelines, determination and categorisation of outsourcing arrangements and criticality classification proved challenging for many firms.

In response, firms should consider the following actions:

  • Design a methodology and related tool that supports practical interpretation and consistent application of the guidelines;

  • Integrate the methodology with broader risk management and business continuity frameworks;

  • Obtain Board approval of the methodology; and

  • Deploy the methodology and reflect on results, considering if the nature and extent of ongoing management is sufficient.

Outsourcing Risk Assessment

The outsourcing risk assessment process requires extensive time investment from stakeholders across the business. Outsourcing relationship managers, business unit heads, risk domain subject matter experts (SMEs), risk management teams and executive and board committees all typically have a role in an outsourcing risk assessment process. Additional regulatory focus on complex areas such as cloud, cyber, concentration risk, sensitive data and sub-outsourcing has added to the complexity of risk assessments. Given the volume of preparation, review, oversight and approval points throughout the process, bottlenecks are commonplace. As a consequence, many firms found finalising all required periodic outsourcing risk assessments in advance of the register submission challenging.

In response, firms should consider the following actions:

  • Confirm that your risk assessment methodology complies not only with the guidelines but also integrates with the broader enterprise risk management framework;

  • Ensure roles and responsibilities are formally documented;

  • Document a plan which allocates risk assessments evenly throughout the year;

  • Devote sufficient and appropriately skilled resources to the process; and

  • Keep your Board up to date on risks and associated actions.

Contractual Arrangements and Service Level Agreements

The guidelines focused on a series of prescriptive contractual requirements. In many cases, this has required firms to perform a contract renegotiation process across their outsourcing portfolio, particularly for critical and important third party outsourcing service providers (OSPs), together with formalisation of their intragroup contracts. Discussions with third party OSPs have in many cases been a sensitive and onerous process, with additional provisions in areas such as sub-outsourcing, business continuity and exit strategies, amongst others, often meeting resistance. Whilst formal contracting and SLA requirements are nothing new for intragroup outsourcing arrangements, varying levels of formality across the sector have required significant focus for many firms to ensure alignment with regulatory requirements. All these factors had a significant impact on the completion of the recent outsourcing register submission process.

In response, firms should consider the following actions:

  • Ensure appropriate engagement with all internal stakeholders as contractual updates will require support from Legal, Procurement, arrangement owners, relationship managers and risk domain SMEs;

  • If you haven’t already done so, notify your OSPs that you will require their support in tailoring contracts; and

  • Leverage senior stakeholder involvement as required to secure buy-in from your OSPs.

Business Continuity Management

Direct details of OSPs’ latest business continuity plans (BCP) were one of the key outsourcing register submission requirements. This is an area that continues to receive pointed regulatory focus, understandably, given the adverse impact to customers, clients and the market as a whole in the event of any operational disruption or failures. Many firms struggled to obtain the required level of information from OSPs, with some OSPs refusing to engage or provide any form of BCP information and others only offering verbal discussions to demonstrate results.

In response, firms should consider the following actions:

  • Confirm that OSPs have their own business continuity plans, and for critical or important services, confirm that they complete testing of such plans at least annually;

  • Check that your contractual documents support these requirements; and

  • Document a process outlining how your firm will obtain and review the results of business continuity testing, and critically, how this will be evidenced.

Exit Strategies

The outsourcing guidelines advise that the resilience of any regulated firm to vulnerabilities presented by outsourcing arrangements will be largely dictated by the effectiveness of the contingency measures in place, including their exit strategies. Given this context, increased regulatory focus around exit strategies is gaining momentum. At the time of the inaugural outsourcing register submission, many firms had yet to finalise enhancements to their exit strategies, together with the underlying exit strategy testing methodology. As such, deployment of the associated testing was often not performed.

In response, firms should consider the following actions:

  • Design an exit strategy template to support consistent documentation;

  • Document an approach for the nature, timing and extent of exit strategy testing;

  • In doing so, apply a risk based approach which is proportionate based on the materiality of arrangements; and

  • Secure buy-in from those who will need to be involved in the process including business owners, relationship managers and SMEs.

Outsourcing arrangements within the group

The outsourcing register should include all outsourcing arrangements in place. Whilst entering into third party arrangements is generally an obvious and tangible process, the formal and complete identification and outsourcing risk management of intragroup arrangements remains a challenge. In the majority of cases, this is the result of organically developed relationships across intragroup entities in an unstructured way over time. As such, in the context of the outsourcing register submission process, many firms struggled to formally document and retrofit all the outsourcing requirements.

In response, firms should ensure the following is in place to support optimal future register submissions:

  • Identify all intragroup arrangements;

  • Develop a plan to identify all required data fields for these arrangements; and,

  • While devising this plan, remain cognisant of the volume of work that is required to apply the outsourcing lifecycle to these arrangements.

In conclusion, the industry has been heavily focused on enhancing outsourcing risk management practices following the publication of the guidelines. Whilst a laborious exercise, the outsourcing register submission has supported firms in the identification of key outsourcing process gaps and risks. With this in mind, firms should continue to implement remediation actions identified, which in turn will support key operational, commercial, risk and resilience benefits to firms and indeed the Irish market as a whole.

Contributor Profile

Damien Carty

Damien Carty is a Senior Manager in PwC's Risk Assurance team and an Associate of the Chartered Accountants of Ireland. He has over 11 years professional experience working across the financial services industry. Damien specialises in outsourcing and third party risk, advising his clients on framework design, enhancement and implementation.