For all the clear tangible benefits it has brought, outsourcing has also added significant risks to the firm. Foremost of these are operational risks associated with underperformance, theft of intellectual property, violations of laws and unethical conduct, data breaches, and the inability to provide services when faced with an infrastructural breakdown or disaster. This is further accentuated by the fact that vendors themselves frequently subcontract work to additional vendors, often outside the visibility of their clients, adding further scope for back-door vulnerability.
Organisations are realising that managing third parties appropriately throughout the whole outsourcing lifecycle is crucial for their own well-being and sustainability. A recent poll on the top ten operational risks for 2018, conducted by Risk.net, found that 28% of respondents selected outsourcing as one of their top concerns, the largest percentage alongside IT disruption and regulatory risk.
Regulatory authorities have also latched onto this growing suite of risks. Recent legislation such as MiFID II, PSD II and the GDPR has included specific rules on the management and monitoring of outsourcing arrangements by banks, investment firms and payment institutions and, in the case of GDPR, by the wider business community.
The financial services industry has been particularly hard hit by these new rules. Just a few weeks ago, spurred by the widening scope of outsourcing and the increasing reliance on cloud technology, the European Banking Authority published its own set of new guidelines on outsourcing arrangements, seeking to manage outsourcing and sub-outsourcing more closely.
The new EBA guidelines attempt to put flesh on the bones of the management of outsourcing risks. Among other things, they mandate stronger centralisation of outsourcing arrangements through the appointment of an outsourcing officer, the maintenance of an outsourcing register, and clear formalisation and alignment of roles and responsibilities. They also define the outsourcing of functions determined to be critical or important, and add further requirements around these arrangements, including pre-notification and closer coordination with the regulator.
Under the new guidelines, prospective outsourcing arrangements will need to undergo a more rigorous process of scrutiny, including an assessment of criticality or importance, a risk assessment and a due diligence exercise of the vendor itself. All outsourcing arrangements will need to be supported by written agreements incorporating a minimum set of contractual arrangements around the right to inspect, audit and access premises and systems, both for the client and regulatory authorities. More robust termination rights are also envisaged, to allow businesses to adopt clearer exit strategies and termination processes.
This increase in regulatory oversight is undoubtedly serving to elevate the importance of third party governance and risk management, even at boardroom level, across all industries. In its global survey on extended enterprise risk management for 2018, Deloitte found that 53% of businesses reported “some” or “significant” increase in their level of dependence on third parties. The largest cohort of respondents (49%) viewed the impact of changing regulation to be the greatest contributory factor to the increased perception of inherent risks, followed by heightened levels of regulatory scrutiny (45% of respondents).
So what steps should businesses take to manage outsourcing arrangements more comprehensively? To begin with, a strong argument has been made for managing outsourcing arrangements centrally or, as a minimum, introducing centralised oversight components through roles, structures and enabling technologies and processes.
There is no clear direction on which functions should ultimately be vested with this responsibility. Some businesses argue that the finance function, bearing responsibility for procurement, should manage the process whereas others prefer viewing outsourcing through the lens of the risk management function. What is certain is that sound management of outsourcing arrangements will necessitate internal coordination, particularly between risk domain owners, business unit leaders, and legal and internal audit functions.
A clear challenge businesses face is that of ensuring consistent management and mitigation of risks throughout the entire outsourcing lifecycle. All too often, the focus of outsourcing is on the procurement and vendor evaluation process up until the signing of a written agreement. A fully-fledged outsourcing strategy will go beyond procurement and contractual modalities. It will look into the execution and ongoing monitoring of outsourcing agreements, including assessing vendor performance, reviewing contract compliance, and ensuring effectiveness and efficiency.
All contracts end, whether on a planned or unplanned date, and outsourcing arrangements should include a contractually agreed exit strategy and a transition lifecycle and process, ensuring managed migration of organisational assets or destruction of confidential data, where applicable.
The way you manage your outsourcing arrangements says a lot about your business. Having a good hold on outsourcing is undoubtedly necessary to mitigate associated threats and vulnerabilities, ranging from the operational impact of third party failures to the reputational impact of poor work practices of third parties. But it also sets the standard by which third parties will perceive you and, managed effectively, could open the door to strategic opportunities emanating from positive cost-reduction and innovation. Organisations that lose control of their management of outsourcing face heightened regulatory scrutiny, reputational damage and, ultimately, consumer backlash.