Risks from outsourcing business activities to third parties can take a variety of forms and impact firms in different ways. Whether by disrupting a critical business process, exposing confidential employee or client data, or even damaging a firm’s reputation and goodwill, outsourcing risks can have a severe and lasting effect on firms if not effectively monitored.
The Central Bank of Ireland (Central Bank) in its recently published report, ‘Outsourcing - Findings and Issues for Discussion November 2018’, noted the importance of ensuring that outsourcing risk is a core risk management priority for regulated firms. The Central Bank identified a number of areas of weakness across the financial services sectors, including board awareness of net risk and complexity arising from outsourcing, and inadequate governance, risk management and business continuity management practices both at inception and throughout the life-cycle of the arrangement. The Central Bank also restated its common supervisory expectations for intra-group and third party outsourcing. It is expected that against this background outsourcing will remain a key area of focus for the Central Bank in 2019.
Key concerns for firms
- Have I assigned the right risk severity or have I missed some critical due diligence?
- Am I being consistent in my due diligence or will I miss critical third party changes?
- Am I properly evaluating the correct third party controls or do I lack adequate skills?
- Do my business partners understand my approach or do they think I am a barrier?
- How do I strike the right balance, being effective without exposing my organisation or driving business inefficiency?
We understand these challenges
At Grant Thornton, we understand these challenges and believe the solution starts with a strong risk culture and the ability to communicate outsourcing risk in business terms. It is about getting on the same page with your business partners who understand the criticality of their relationships and the potential negative impacts they could have on the overall organisation.
Firms that are forward thinking tend to strike the right balance between building an outsourcing risk programme that is effective without driving business inefficiency. At Grant Thornton, we help firms protect value today, to seize opportunities in the future.
As firms' risk leaders mature their programmes, are they truly efficient and sustainable? Outsourced services are not created equal, nor do they generate the same severity of risk. Knowing where to focus your skills and resources will put your money where the risk is.
At Grant Thornton, our deep industry experience and extensive outsourcing risk regulatory knowledge mean we get the results our clients want. We help our clients understand their outsourcing risk exposure so they can proactively build or optimise their outsourcing frameworks to both efficiently and effectively measure, mitigate and monitor the risk exposure third parties may cause.
Outsourcing risk management programme strategy and design
Getting the basics right - what is my vision and strategy?
- third party identification and segmentation;
- governance and organisation;
- policy and standards; and
- holistic programme development.
Outsourcing execution - how can I be effective?
- process and procedures;
- risk assessments;
- on-going monitoring;
- services type modelling; and
- managed services.
How can I be more efficient and consistent?
- right business coverage;
- maximised user interface;
- reporting and dashboards; and
- systems integrations.
Although the third-party threat landscape is broad, it is still finite. Proper planning will determine which risks play an important role in your organisation and what mitigating controls are required. Without proper risk management oversight, these third parties may cause harm to their client’s operations, reputation and ultimately, their financial viability.