Resilience Re-Wire – Chapter 3: Outsourcing and Third Party Risk
The next paper I looked at in this series relates to outsourcing and third party risk from the Prudential Regulation Authority (PRA).
I’m not a supplier manager and never have been and there are better skilled more experienced individuals than I who can provide further insight. I just want to interpret this for myself as a business continuity professional as best I can.
Also, page 21 lists no less than 14 bank and 10 Insurers regulatory articles which we are advised to “read alongside” this paper and most of which I’d never read.
My own research of third party risk extends to browsing the 10 years of Supply Chain Resilience Reports and the recent trend analysis undertaken by the BCI in 2019. I’ve also seen the folks from Zurich provide a few presentations on this and more recently I enjoyed Bert Burkles’ BCI World 19 presentation on supplier management and assurance at Addiko bank. It’s less than an ankle-deep understanding but I think it’s important to read and interpret these things.
I’d welcome anyone to comment on the usual channels to further my insight and/or provide their interpretation.
It’s a pretty detailed 57-page overview on updated expectations and requirements from the regulator. Much like the Bank of England papers I commented on in the previous post, the language is consistent and links well with the other consultation papers released.
The regulators (currently) expect to publish final rules in the second half of 2020, with implementation in the second half of 2021.
The paper is broken up into an overview, the proposals and a section on the PRA’s duty to consult.
The key objective of the PRA’s -Outsourcing and Third-Party Risk Management Consultation Paper is to:
“…clarify, strengthen and update the PRA’s expectations on how firms should manage outsourcing and third party risks.”
The main reasons they cite for providing this update is to address:
- the requirement to align with a regulatory framework on operational resilience
- the constant evolution of technology in third parties
- the risk of “vendor lock-in” and concentrated risk of particular third parties that heavily dominate the market
- the increasing risk of sub-outsourcing
The paper devotes an entire page to summarising the 2019 Treasury Select Committee Report on “IT Failures in the Financial Services Sector”, which provides a number of recommendations and serves as a rationale for what the PRA are about to recommend:
- structured vendor due diligence and pre-contractual assessments
- minimum contractual safeguards
- business continuity plans and exist strategies
- pool audit arrangements for cloud service providers
- application builds capable with being substituted with another supplier
This 11-Page section defines where and how the updates would be made via the supervisory statement. I naturally want to pick up on the section that relates to Business Continuity but I also wanted to highlight a few other points made in the wider section that caught my eye:
- Scope - The use of services that would presently fall outsider of the definition of outsourcing such as application programming interfaces (APIs), aggregators and off the shelf artificial intelligence/machine learning (AI/ML) will fall within the scope of the PRA’s Fundamental Rules governance, risk management and system controls and are reminded as such
- Intra-Group Outsourcing – it is not assumed that organisations outsourcing to a provider within a firm’s “group” is inherently less risky and will not be treated differently
- Pre-Outsourcing Assessments – the PRA expects firms to notify them of a material outsourcing arrangements sufficiently in advance of entering into them to allow for appropriate scrutiny
- Audit Rights – a long standing challenge being addressed here of being able to effectively audit a third party after entering into an agreement. The PRA was organisations to take reasonable steps to ensure that written agreements for material outsourcing arrangements provide them, the PRA and (if applicable) the Bank as a resolution authority unrestricted access, audit and information rights. I think this might limit some commercial discussions when the third party says “no”
- Sub-Outsourcing – the timely notification of changes to sub-outsourcing with the opportunity to approve or object and/or terminate agreements
I didn’t cover all sections and points made but only the ones that stood out to me.
Business Continuity Section – Get Your Head “in” the Clouds
The business continuity and exit plan section covers the usual requirement to develop, document and test plans. I found the point on cloud outsourcing arrangements and the requirement to assess the resilience of providers including technical aspects such as availability and data recovery capability. I think had I not spent several years in technology by this point I would have struggled with making this assessment in my present role and would have required further “re-wiring”. I highly suspect a number of professionals may feel the same as this space continues to grow.
The purpose of these post is purely to make (what appears to me) a pretty intimidating document more accessible to those who are interested. It doesn’t apply to everyone but the content does provide some interesting discussion points for the wider business continuity community. I think it’s important to share and discuss these up and coming requirements. I believe that sooner or later the business continuity practitioner will eventually have to be engaged in these discussions regardless of the region or sector.
The section on the PRAs duty to consult appears to be a justification and explanation of their involvement in this discussion and rule setting phase. I decided not to analyse this section to any great detail as wiser people than me have devoted years in this space and it makes no difference to my interpretation of the previous sections.
The appendix contains the supervisory statement which details all of the above points made (and more) into a structure document for consultation. Should the content be approved this is how the requirements would present themselves. I stuck to the higher level proposals to help me digest.Now on to the big one (for me) - Building operational resilience: impact tolerances for important business services and feedback to discussion paper!
About the author
Vice President - Business Continuity and Disaster Recovery
Award-winning continuity & resilience professional working in financial services.
Global Board Director for the Business Continuity Institute.
Business Continuity Institute Scotland Chapter Committee Member.
*All opinions shared are mine and not those of the BCI board, which is a collective decision-making body.