2011-05-01

Managing Outsourcing Risk: A Thematic Report on Practices within the Banking Sector of the Bailiwick of Guernsey

The Guernsey Financial Services Commission issued this thematic report to evaluate the management of outsourcing risks within the local banking sector following its 2010 Guidance Note. The review found that while most banks actively manage outsourcing arrangements, significant vulnerabilities persist regarding the treatment of intra-group outsourcing and the absence of exit strategies. The Commission mandates that local boards retain active oversight of all outsourcing activities, including intra-group arrangements, and requires robust due diligence and contingency planning to ensure regulatory compliance and service continuity.


Guernsey

Guernsey Financial Services Commission


Managing Outsourcing Risk

A Thematic Report on Practices within the Banking Sector of the Bailiwick of Guernsey

May 2011


Guernsey Financial Services Commission | Managing Outsourcing Risk

Table of Contents

  1. Foreword
  2. Executive Summary
  3. Introduction
  4. Methodology
  5. Findings
  6. Conclusions
  7. Acknowledgements
  8. Useful reference sources

Disclaimer:

This report is not intended as formal regulatory guidance, nor should it be taken to cover all relevant aspects of the subjects addressed. Rather, its purpose is to identify and communicate examples of good practice, along with, where necessary, examples of practice where improvements could be made.

Produced by: Dr Simon Ashby

Foreword by: Philip Marr, Director of Banking



1. Foreword by Philip Marr, Director of Banking

Outsourcing is a fundamental feature of the economic business model employed in Guernsey and the other Crown Dependencies. In resource constrained small economies like Guernsey and Jersey this is a vital element of efficient operation. It allows access to a broader and deeper pool of expertise and resources which may allow economies of scale which would not otherwise be available to a small standalone unit. Outsourcing may allow access to a wide range of resources including IT systems, internal audit, credit appraisal, loan recovery, treasury management and credit card processing. How much of an operation is outsourced and how that is managed are all critical decisions which feed into the financial performance of banks in our jurisdiction.

In the paper we distinguish between pure third party outsourcing – as would be typical in credit/debit card processing – and intra group outsourcing, for example of internal audit or treasury management. It is evident from the responses to our outsourcing questionnaire that there is a belief that intra group outsourcing is inherently less risky than pure third party outsourcings. Whilst there are usually fewer formalities in setting up intra group outsourcing we are firmly of the view that intra group outsourcing still contains many risk and performance delivery issues which should be addressed head on and not ignored.

In the compliance sphere there are activities which should not be outsourced but elsewhere there are few activities which cannot be outsourced. However the risks in any outsourcing agreement need to be identified and addressed at the outset in order to maximise the benefit from the arrangement but also to protect the branch and the jurisdiction from a failure of service delivery. We are aware that some current outsourcings relate to performance of activities necessary to comply with legal obligations of the bank in Guernsey e.g. the performance of screening of customer names against sanctions lists which are not legal obligations of the service provider. Clearly the responsibility for complying with Guernsey legal obligations cannot be outsourced. Hence best practice requires that proactive measures need to be taken to protect the Guernsey bank even when the outsourcing is intra group.

The Commission published in April 2010 its “Outsourcing Risk Guidance Note for Banks” in response to constructive comments made by the IMF Assessment Team in the context of Basel Core Principle 15 on Operational Risk. That Guidance note with its 12 guidelines is itself a resource and statement of good practice but is generic in its approach. This thematic report is therefore both timely and instructive in that it sets out to ground those guidelines in the local scene by focussing on the typical activities which are outsourced by Guernsey banks.



2. Executive Summary

Outsourcing remains fundamental to many Guernsey Licensed Banking Subsidiaries and Branches, especially intra-group outsourcing. The purpose of this report is to build on the Commission’s past work in the area (the 2008 Thematic Report and the 2010 Guidance) to see how the management of outsourcing risk has progressed within the Bailiwick. As in 2008 a two-stage approach was adopted with an initial survey of all licensed banks followed up by site visits to a representative sample of those surveyed. The Commission’s main findings are as follows:

  • Practices appear to have improved in recent years with most banks actively managing their outsourcing arrangements and making use of a range of policies and procedures. However practices vary, with some banks having much more sophisticated management frameworks than others. Differences in the nature, scale and complexity of banks’ activities explain much of this diversity, but not all.
  • Most Guernsey licensed banks have a policy on outsourcing; however, some of these policies are generic, group-wide policies. In other cases a Guernsey policy is in place which reflects local vulnerabilities, regulations, etc.
  • Some banks seem to believe that intra-group outsourcing is inherently less risky than the use of external arrangements and occasionally do not even treat intra-group agreements as outsourcing. The Commission does not, however, share this view. A perspective taken by a number of other banks is to treat intra-group outsourcing no differently to their external arrangements.
  • Most banks have in place some form of supplier due diligence arrangements, both on an initial and ongoing basis. In some banks this is supported by some high quality documentation and action planning, where potential concerns with service providers have been identified.
  • Not all banks have developed and included exit strategies, especially in the case of their intra-group activities, arguing that these are not necessary, or are impractical to implement. However the Commission’s research has shown that certain banks have successfully created such strategies, even for many of their intra-group arrangements.
  • In the absence of an exit strategy the Commission expects that an appropriate written contingency plan should be in place.
  • Some banks are placing a high level of reliance on central functions like Internal Audit and Risk Management to monitor their intra-group outsourcing arrangements. Guernsey Licensed Banks cannot fully outsource the oversight of their outsourcing arrangements to central functions. It is important that local boards or branch management actively monitor outsourced activities and service providers to ensure that local priorities and vulnerabilities are being addressed.

3. Introduction

Notwithstanding the advantages, outsourcing (including intra-group) is not without risk. By outsourcing an activity a Guernsey Licensed Bank will typically lose day to day control over its operation and management. As a result it can find itself subject to poor quality service or even significant disruptions to service, which could become permanent in the event that a service provider were to cease its operations (due to insolvency, for example). Equally there are potentially costly legal risks, due to disagreements over the terms of a contract or service level agreement (SLA), along with some significant regulatory risks, where a service provider may be unfamiliar with local laws and regulations. In short, with the practice of outsourcing can come significant operational risk, which needs to be managed in an effective way in order to ensure that the benefits of outsourcing an activity outweigh any associated costs.

Given the importance of outsourcing within the Bailiwick, coupled with the potential for outsourcing to be a significant source of operational risk, the Commission decided to update the findings of its 2008 Thematic Report with a further review of outsourcing practices. The purpose of the review is as follows:

  • To help the Commission gain a deeper understanding of outsourcing practices within the Guernsey banking sector, paying particular attention to the management of intra-group outsourcing arrangements and other intra-group dependencies – since, as identified in the 2008 report, these are the dominant form of outsourcing within the Bailiwick.
  • To attempt to assess whether the implementation of the Commission’s recent ‘Outsourcing Risk Guidance Note’ (April 2010) has helped to improve the management of outsourcing risk.
  • To collect information on current management practices to help Guernsey banks further improve the management of their outsourcing arrangements (whether intra-group or external).

This report summarises the results of the Commission’s findings from its 2011 review. Note that this report is not intended as formal regulatory guidance, nor should it be taken to cover all relevant aspects of the subjects addressed. Rather, its purpose is to identify and communicate examples of good practice, along with, where necessary, examples of practice where improvements could be made.

4. Methodology

As with the 2008 review a two stage approach was adopted:

  • Stage 1 consisted of an industry-wide survey of Guernsey Licensed Banks issued December 2010.
  • Stage 2 consisted of on-site visits to a representative sample of banks (some subsidiaries and some branches) to look in more detail at how outsourcing arrangements are being managed, completed March 2011.

As before the initial survey collected information on the types of activities that are outsourced and to whom (external or intra-group) along with the rationale for this outsourcing – the purpose being to identify any changes in activity/approach since the 2008 survey. However, additional information was also collected to provide a more complete picture of the frameworks that Guernsey banks have in place to help manage the risks that can be associated with outsourcing (e.g. information on the nature of any due diligence arrangements, whether outsourcing risk is considered within risk assessments, whether intra-group outsourcing is treated any differently to fully external arrangements, etc.). The Commission felt that this was now appropriate given that banks have had a number of years to consider the findings of the last review and that formal guidance had been in place on outsourcing for several months prior to the survey. Hence it was expected that the management of outsourcing arrangements would have matured over the last few years, providing increased evidence of further good practice compared with 2008. In addition the Commission wanted to provide some early feedback on compliance with the new guidance, to help banks understand where improvements might need to be made to their management frameworks for outsourcing.

Similarly the scope of the on-site visits was increased to provide a more detailed picture of management practices in relation to outsourcing. Notably each of the selected banks was asked to supply a range of documentation to allow the Commission to better understand the contents of their outsourcing contracts and SLAs. In addition, matters such as the management of intra-group outsourcing arrangements and how/why the management of such arrangements may differ from fully external contracts were discussed at length during the visits. This included a focus on the outsourcing of some particularly important activities such as risk management, internal audit and financial crime prevention, in order to understand how local management were able to retain control when they are being supported/supplied by other parts of their parent group. More specifically the typical agenda for these meetings covered the following:

  • Policies and procedures for outsourcing, including the contents of local (Guernsey) policies and procedures, where available.
  • The management of intra-group outsourcing arrangements and whether/why they may be treated differently to fully external contracts.
  • Service provider due diligence arrangements – both initial and ongoing.
  • The contents of contracts and SLAs. In particular the Commission was interested to learn whether SLAs contain performance metrics to facilitate monitoring by local management and penalty clauses for poor performance.
  • Whether/how outsourcing risk is incorporated into banks’ risk management frameworks, including the Individual Capital Adequacy Assessment Process (ICAAPs) of licensed banking subsidiaries.
  • Communication and relationship management – covering how each bank remains in touch with their service providers, along with the mechanisms that are in place to help deal with any decline in service quality.
  • Contingency planning arrangements – what the bank has done to help plan for and overcome any disruptions to the continuity of service, including any exit strategies that might be in place (i.e. strategies to help take an activity back in house, or to transfer it to another provider, in the event that a contract has to be terminated).
  • Sub-contracting and ‘chain’ outsourcing – focusing on how each bank is kept informed by their providers of any changes to the sub-contracted organisations which they may be using to help provide particular services.
  • How each bank has improved its outsourcing arrangements in recent years, especially following the last thematic review and the issuing of the recent guidance on outsourcing.
  • Arrangements for compliance with the Commission’s local regulations, including in particular its regulations on countering financial crime. Each bank was asked whether any aspect of its local compliance arrangements is outsourced.

The Commission was very grateful for the considerable amount of time that the banks it visited had spent on preparing documentation for review and for their openness in discussing their approaches to outsourcing. In each case specific feedback was provided to them after the site visit highlighting both areas of good practice and areas where improvement might be needed (where appropriate). However it should be stressed that these visits were not formal supervisory visits and the feedback provided does not constitute guidance. Rather the aim was simply to try to help these banks to further enhance their frameworks for managing their outsourcing arrangements.

5. Findings

5.1 Overview

Outsourcing remains a fundamental part of the business model employed by most Guernsey Licensed Banks, especially intra-group outsourcing. Such outsourcing arrangements can yield significant benefits if managed properly and for the most part this review has not identified any serious weaknesses in their management. However the level of good practice does vary significantly.

Equally there remain some areas of vulnerability which are addressed below. For example, some banks believe that intra-group outsourcing is significantly less risky than external outsourcing and only a few banks seem to have appropriate exit strategies or business continuity plans in place.

5.2 Findings from the Questionnaire

Functions being Outsourced and to Whom

The split between core and non-core outsourcing remains roughly the same as in 2008 with only a slight increase in the percentage of core functions outsourced (up from 63% to 67%).

Figure 1 Core/Non Core Split

[Pie chart showing: Non Core 33%, Core 67%]



The range of core and non-core functions outsourced remains diverse, with core functions such as investment dealing, investment management and administration and IT systems provision/support continuing to be relatively popular. In addition some functions have become more popular as candidates for outsourcing, with a slight rise in the outsourcing of risk management activities, though for the most part this relates to a limited set of activities such as fraud monitoring, provision of management information or business continuity support. However certain banks identified that they were fully outsourcing the management of some significant risk areas, such as operational risk.

The Commission recognises that some banks may lack specialist skills in key management control functions such as risk management or internal audit and that in the case of some smaller branches it is hard to justify maintaining these skills at a local level, though this does not apply to local compliance considerations, including the need for a money laundering reporting officer. However in the case of larger banks, especially subsidiaries, it would be much less appropriate to rely solely on intra-group service provision for risk management.

Figure 2a Core Banking Functions Outsourced

[Pie chart showing: Banking Operations 13%, Payments 7%, Credit 5%, Card Services 8%, Custody 9%, Structured Products 2%, Risk Management 9%, Compliance 5%, Back Office 5%, IT Systems 14%, Treasury 7%, Investments Dealing, Management and Admin 16%]



The current split of non core functions is outlined below.

Figure 2b Non Material Outsourcing

[Pie chart showing: Internal Audit 11%, Finance 13%, HR 13%, Cheque Books 3%, Archiving 14%, Payroll 4%, Marketing 4%, Legal 17%, Other 21%]

Intra-group outsourcing remains the most popular choice for Guernsey Licensed Banks, the split between external and intra-group outsourcing being virtually unchanged from 2008 (when it was 33% external, 67% intra-group). This reaffirms the importance of intra-group outsourcing within the Bailiwick.

Figure 3: Location of Outsourced Functions

[Pie chart showing: External 30%, Intra-Group 70%]



Management of Intra-Group Outsourcing Arrangements

As indicated above intra-group outsourcing remains the dominant form of outsourcing for local Banks (whether subsidiaries or branches). Almost all licensed banks make use of this form of outsourcing to a greater or lesser extent.

The Commission fully understands the rationale for this type of outsourcing. Many local banking operations do not have the resources or expertise to provide certain services and even when they do the economies of scale that can be associated with using a central group service provider can be considerable (as indicated by many of the responding banks).

The fact that a service provider is part of the same parent group does not guarantee good or even continuous service. For example a service provider might prioritise other ‘customers’ which the parent group perceives as more important. Equally the fact that a local branch or subsidiary may have no choice but to use a group service provider puts this provider at an advantage when it comes to dealing with problems or disagreements (which can and do occur from time to time). Of particular importance to the Commission is the fact that a central service provider might not understand the specific requirements of the local law or regulatory regime for banks (e.g. local money laundering regulations).

The Commission was however pleased to note that many Guernsey Licensed Banks have decided to manage their intra-group outsourcing arrangements in the same way as any external arrangements which they may have in place. This includes the use of legally binding contracts, the monitoring of detailed SLAs, supplier due diligence processes (though possibly excluding detailed financial analyses) and active relationship management. In our view treating intra-group outsourcing no differently to a fully external arrangement is very good practice.

Policies and Procedures Including Due Diligence of Service Providers

In almost all cases an outsourcing policy was in place. However the Commission noticed that a significant number of these policies were not unique to the local branch or subsidiary. Rather a generic group-wide policy was being used.

Using a group-wide policy as the basis for managing outsourcing arrangements makes a lot of sense and should help to ensure a consistent approach across the group. However the fact that Guernsey branches and subsidiaries operate in a different legal jurisdiction means that such a generic policy may not be wholly appropriate. Hence it is good practice for the local Board and/or senior management team to review and adapt the group policy to create a Guernsey specific document which, for example, reflects the recent (April 2010) guidance on outsourcing.

It was also reassuring to note that in almost every case, policies are reviewed and updated on an annual basis. This should be standard practice for any policy.



In terms of supplier due diligence most banks had some form of process in place, with varying levels of sophistication. This is to be expected as the level of sophistication required will vary according to the nature, scale and complexity of their activities.

The Commission was however concerned to discover that a few banks had no service provider due diligence processes in place – especially in relation to the ongoing due diligence of intra-group arrangements where some banks either did little to monitor their performance or placed full reliance on group-wide functions such as internal audit. The argument for this was that there was simply no need to conduct ongoing due diligence where services are provided by the parent or another part of the group. For the reasons outlined in the previous section the Commission does not believe that sufficient comfort can be obtained from the fact that a service is provided on an intra-group basis to negate the need for either initial or ongoing due diligence.

Outsourcing and Risk Management

Reassuringly most banks included an assessment of their outsourcing risks as part of their risk management programme, which included providing regular (sometimes monthly) reports on outsourcing risk to their local board/senior management committee. Many also commented that outsourcing risks were considered as part of their ICAAPs, with supplementary capital via Pillar 2 add-ons being held in the case of any significant risk exposures.

However a small minority commented that they did not assess or report on their exposure to outsourcing risk. This is not good practice and it is hard to see how such an omission is consistent with Guideline 7 of the Commission’s Guidance Note on Outsourcing, which states:

Guideline 7

An outsourcing institution should manage the risks associated with its outsourcing arrangements.

  1. Compliance with this article should include an ongoing assessment by the outsourcing institution of the operational risks and the concentration risk associated with all its outsourcing arrangements. An outsourcing institution should inform its supervisory authority of any material development.

Exit Strategies

Having an exit strategy, in case an outsourcing service provider cancels a contract, or is suddenly unable to provide the required services (e.g. due to insolvency or some other type of major disruption), is an important component of effective outsourcing management. However, it was evident that very few banks had put in place exit strategies. The Commission recognises the practical realities of operating within a group business context so that, understandably, many banks did not feel that such strategies were necessary in the case of intra-group arrangements. Whilst it may be impractical for some banks to articulate an exit strategy we feel that most banks should address the concept and in the absence of an exit strategy should set out a written contingency plan to be activated in the event that service delivery fails or becomes unacceptable. By adopting one of these alternatives banks would be observing Guideline 6.1.

Guideline 6

6.1 The outsourcing institution should have a policy on its approach to outsourcing, including contingency plans and exit strategies.

6.2 An outsourcing institution should conduct its business in a controlled and sound manner at all times.

The Commission does recognise that it may not always be possible to have a fully effective exit strategy, especially when a bank no longer has any ability to take a service back in house. In such circumstances the need for high quality preventative measures such as regular risk assessments, due diligence, etc. becomes even more important. Going forward a bank might well be asked to justify the absence of any exit strategy or contingency plan and the measures that it has taken to help address the increased risk that this might present.

Ongoing enhancements to outsourcing frameworks, especially in the light of the Commission’s 2008 Report and 2010 Guidance

The management of every aspect of a bank’s operations is something that will usually be subject to ongoing improvement. The management of outsourcing is no different. In particular the publication of reports, such as this or the 2008 report, and Guidance Notes, should be seen as a useful opportunity to benchmark current practices and make improvements as necessary.

As such it was good to see that many banks had reviewed their outsourcing practices in the light of the last report and the recent Guidance Note. Areas where improvements have been made include:

  • The establishment of legally binding contracts and SLAs for intra-group arrangements.
  • Development of service provider due diligence procedures.
  • Implementation of risk reporting arrangements to support the monitoring of outsourcing risk.
  • Increased board level visibility of outsourcing risk (e.g. via regular risk reports).
  • Implementation of relationship management frameworks.
  • Improved monitoring of sub-contracting/chain outsourcing.
  • Development of exit strategies or contingency plans.

That does not mean that enhancements are necessarily expected where existing practices remain appropriate. However conducting regular reviews would be considered good practice.

5.3 Findings from the Site Visits

The tables below outline the examples of good practice that were found by the Commission, along with some of the key areas that were identified where improvements could be made.



These examples are organised according to the following key elements of an effective outsourcing framework:

  • The decision to outsource.
  • Policies and procedures.
  • Service provider due diligence arrangements (initial and ongoing).
  • Contracts and Service Level Agreements.
  • Risk assessment.
  • Communication and relationship management.
  • Contingency planning arrangements.
  • Regulatory compliance.

The Commission acknowledges that not all of the good practice outlined below may be appropriate for every bank. It is up to individual banks to decide what enhancements, if any, they may wish to make depending on the nature, scale and complexity of their activities.

The Decision to Outsource

| Examples of good practice | Practice that could be improved |
| --- | --- |
| Retention of core management functions | Total reliance on ‘Group Internal Audit’ and/or ‘Group Risk’ functions |
| None of the banks that we visited outsourced their compliance activities. This included key compliance areas such as money laundering and financial crime avoidance. <br><br>In some cases this decision was reflected in their outsourcing policies, which clearly stated that management functions such as compliance and risk management cannot be outsourced. | Depending on the nature, scale and complexity of a bank’s activities the outsourcing of internal audit and even many risk management activities (e.g. the production of management information or the use of central controls over data security, etc.) can be appropriate. However the Commission noted in a couple of cases that the banks in question were not actively monitoring the performance of these central functions and/or had no formal authority to influence their operations (for example, they did not have a formal right to demand audits of particular activities where necessary). |
| Use of group systems and expertise to support local management functions | |
| Some of the banks that were visited commented that they used group level resources (both people and IT systems) and/or resources from Jersey or the Isle of Man to supplement (but not replace) local management. They reported that this provided expertise that was not available locally coupled with an extra layer of control – for example where local decisions about loans, suspicious transactions, etc. could be overseen and challenged as necessary. | |
| Use of group IT systems to improve resilience | |
| One of the banks visited commented that the decision to use central group systems to support their local operation had been made on the basis that their parent group had access to better data security and backup arrangements. | |
| Linking the outsourcing decision to corporate strategy | |
| One bank commented that their decision to limit their use of outsourcing had been made in the light of their corporate strategy – which was to provide a high quality local service to their customers. They commented that they did not believe that outsourced service providers could provide the quality of service that many of their customers expect. | |

Policies and Procedures

| Examples of good practice | Practice that could be improved |
| --- | --- |
| A local (Guernsey specific) board approved policy on outsourcing | Reliance on a generic group policy on outsourcing |
| In most cases the banks (which were mostly subsidiaries) that created such policies had simply adapted their group policy. This maintained consistency while ensuring that the policy was appropriate to the bank in question. | Generic policies may not have been approved by the local board/senior management and may not adequately reflect Guernsey’s regulatory/legal regimes. |
| Clear statement of responsibilities | Not reviewing the effectiveness of the outsourcing policy |
| Some policies made it clear that each outsourcing arrangement must be managed by a nominated individual within the local branch or subsidiary. The responsibilities of this individual were typically made clear within the policy. | Failing to review whether a policy is working effectively or not may mean that outsourcing arrangements are managed in an improper or inconsistent manner. It would be good practice for the local board/senior management of a bank to review the effectiveness of their outsourcing policy on an annual basis. |
| Materiality criteria | |
| Some banks had created guidance/decision matrices to assist in the assessment of whether an outsourcing arrangement is material or not. This helps to ensure a consistent approach to this important decision. | |

Service Provider Due Diligence

Examples of good practice

Due diligence checklists
Some of the banks we visited had implemented standard due diligence checklists to ensure that all aspects of this process are covered (financial, business continuity, performance, etc.), both on an initial and ongoing basis. The best of these included columns for explanatory text and actions, where issues had been identified. In one case “action owners” were also specified, helping to ensure that identified issues are rectified in a timely fashion.

Service migration plan
One bank complemented its due diligence with comprehensive service migration plans, the aim being to ensure a smooth transfer of services from one provider to another (or from in-house to an external or intra-group provider). These plans covered all aspects of the transfer including areas such as an initial risk assessment, human resource considerations, staff training and business continuity.

Practice that could be improved

Review of due diligence checklists
In one case it was observed that a checklist had been implemented, but that the completed due diligence checklists had not been signed off by the relevant managers or reported to the local board. However it was noted that these would be reported to the board in due course.

Contracts and SLAs

Examples of good practice

SLAs which reflect local priorities
One bank had an SLA in place to ensure that the central lending team complied with Guernsey requirements regarding house purchases.

SLAs that include penalty arrangements for poor service
We only observed one SLA with penalty arrangements – whereby the bank in question would receive a discount on their monthly fee in the event that certain service criteria were not met. This is very good practice and helps to ensure that an appropriate level of service is maintained.

Use of a standard SLA template for all outsourced activities
One bank was in the process of implementing a Group-wide standard template for its intra-group outsourcing arrangements. The use of such a template made it very easy to review each agreement and helped to ensure that there were no significant omissions in each SLA.

Local signoff of intra-group SLAs
One bank required all of its intra-group SLAs to be signed off by their local board. This helps to ensure that the SLAs are appropriate and is a good way of involving the local board in the initiation of each new outsourcing arrangement.

Practice that could be improved

Contracts that imposed more responsibilities on the customer than the provider
It is not unusual for experienced service providers, especially external providers, to attempt this tactic – not least because it can give them the upper hand in any legal disputes. Banks should be aware of this, be vigilant and ensure that the contractual responsibilities which are imposed on them are reasonable. They should also ensure that all necessary responsibilities are imposed on their service providers, including key areas such as data security, the suitability and conduct of the service provider’s staff, etc. Instructing a lawyer with experience of outsourcing contracts to help review the relevant documentation and negotiate any necessary changes would be a good way to help manage this.

Occasional absence of SLAs
In a few cases banks did not have SLAs for certain arrangements or had SLAs that did not outline any performance indicators (e.g. systems availability, etc.) – so arguably were of very limited use. This was most common in the case of intra-group arrangements.

Risk Assessment

Examples of good practice

Regular risk reports that include outsourcing risk
Some of the banks that were visited reviewed their exposure to outsourcing risk on a monthly basis, monitoring statistics relating to both the quality and continuity of service (both for external and intra-group arrangements). In all such cases a risk report was provided to the local board, either monthly or quarterly – helping them to meet their responsibilities under Guideline 2 of the Commission’s Guidance Note.

Support from a local risk management expert
All of the banks visited retained an on-island compliance manager and in some cases also had a local risk manager/head of risk. Having a local risk management specialist should improve the quality of risk monitoring and ensure that immediate support is available to help enhance the control of outsourcing risk where necessary.

Initial and ongoing risk assessments
One bank performed a detailed risk assessment before implementing any new outsourcing arrangement, whether external or intra-group. This is a good way to help determine the suitability of outsourcing particular activities for the first time.

Practice that could be improved

No local review of key risk and performance indicators
This seemed more common in branches, where branch managers may fail to realise the importance of regular risk monitoring, especially in relation to intra-group services – placing their reliance on group risk and/or audit functions.

However the local monitoring of outsourcing risk, including the performance of intra-group service providers and the systems and processes that they may provide, is an important part of effective branch management.

For example if a local bank was to be affected by a significant IT systems disruption and/or the loss of customer data it could have a direct effect on its ability to service its customers and meet the Commission’s regulatory requirements. By having access to risk/performance statistics managers are more likely to receive an early warning of potential problems or have the opportunity to highlight areas of local concern, helping to prevent problems in the first place.

Communication and Relationship Management


Examples of good practice

Regular relationship management meetings
Often these were monthly, helping to ensure that potential service problems are discussed and corrected as soon as possible.

Establishment of user-groups and operating committees
User groups (whether for the users of an external or intra-group provider) can be a good way of sharing experiences and rectifying common problems. They also allow the users of a service to exert joint pressure on external or group providers where necessary.

One bank has also created a system of operating committees – where each division of the bank has such a committee (one of which covered its Guernsey operation) allowing them to oversee the provision of the services that they received from Group providers. These meetings were monthly and included the review of a range of risk and performance statistics. They commented that these meetings had done a lot to improve the quality of service that they received from intra-group providers.

Practice that could be improved

Requirement for relationship management meetings not in policy
On one occasion it was observed that a bank did not specify a requirement for regular relationship management meetings within its outsourcing policy.

Such meetings are an important part of effective outsource service management – providing a forum for regular communication in which potential service problems can be discussed and addressed. By making the requirement for such meetings clear within the outsourcing policy a consistent approach can be maintained across business areas.

Absence of meeting minutes/actions
On occasion certain banks claimed to have regular relationship management meetings but could not provide any evidence of this in the form of minutes/actions arising.

Documenting discussions and agreed actions helps to ensure that issues are not forgotten and permits more effective senior management oversight.

Contingency Planning Arrangements

Examples of good practice

Local plans in place to address sudden loss of service
One bank has worked with its intra-group service providers to develop Guernsey specific continuity plans.

Practice that could be improved

An intra-group service provider’s business continuity plan did not include any reference to the Group’s Guernsey operation
It is important that the continuity plans of all service providers (intra-group or external) address the actions they would take in the event of significant business disruption. At a minimum this should include informing their customers that they have had to invoke their plan and keeping them informed of their recovery process.

Lack of exit strategies
The fact that services are provided on an intra-group basis does not automatically excuse the need to address effective exit plans. In such cases it might still be possible to bring activities back to the Guernsey bank or find an alternative supplier. In the case of external outsourcing exit strategies are essential. Where no exit strategy has been articulated the rationale for this should be documented and steps taken to mitigate the associated risks in other ways, for example, by enhanced risk monitoring and the development of a written contingency plan.

Regulatory Compliance

Examples of good practice

Completion of a gap analysis comparing current practice against the Commission’s Guidance Note on outsourcing
Several of the banks that were visited had completed gap analyses and identified areas in their practice where improvements were required. The best examples of these had a clear discussion of how local policies and procedures were or were not compliant and the actions that needed to be taken as a result.

Gap analysis against established standards and guidance on outsourcing is a good way of not only demonstrating compliance, but also of improving management practices – ensuring both better quality and more consistent service delivery.

Practice that could be improved

Implementing changes simply to ensure compliance with the Commission’s Guidance Note
Managing outsourcing risk makes good business and management sense – helping to minimise business disruption and improve efficiency, customer service, etc. Simply doing the minimum required to satisfy the Commission is unlikely to ensure that a bank maximises the benefits of its outsourcing arrangements.

6. Conclusions

The Commission’s review of current practices has outlined more good practice than poor. This would seem to indicate that in the main outsourcing arrangements are being managed in an appropriate way, allowing the benefits of outsourcing to be maximised without undue risk or cost.

However that does not mean that there are no areas of concern. The key issues to be addressed are as follows:

  • The fact that some banks believe that intra-group outsourcing is inherently less risky than external arrangements and in some cases do not even treat it as outsourcing. In the opinion of the Commission any service that a bank might normally be expected to deliver itself which is transferred to a ‘third party’ – whether this is an external party or another part of a wider parent group – counts as outsourcing. In addition the Commission does not share the view that intra-group outsourcing is by definition significantly less risky.

  • The absence of exit strategies for many arrangements is noteworthy. The Commission’s review has shown that exit strategies can be created and are already in place in certain banks. As a result there is no reason why other banks should not address the issue although it is recognised that it may be impractical to adopt such strategies within some groups. In the event that exit strategies are absent then the Commission would expect appropriate written contingency plans to be in place.
  • The level of reliance that some banks put on central functions like Internal Audit and Risk Management to monitor their intra-group outsourcing arrangements. Guernsey Licensed Banks and Subsidiaries cannot fully outsource the oversight of their outsourcing arrangements to central functions. It is important that local boards/management actively monitor outsourced activities and service providers to ensure that local priorities and concerns are being addressed.

The Commission recognises that outsourcing, whether to an external company or intra-group, can bring many benefits, especially for smaller banks which may lack the resources to deliver every aspect of their operation in-house. However where such arrangements are in place they must be managed effectively, as proper oversight and control of outsourced activities is essential to ensure that a bank’s strategic objectives are met. Ultimately a bank cannot outsource its regulatory responsibilities.

7. Acknowledgements

The Commission would like to thank all of the banks that completed the initial questionnaire. Particular thanks should also go to the banks that agreed to have site visits. The time and effort they spent in supplying the requested documentation and discussing their approach to outsourcing was much appreciated and yielded some excellent evidence of good practice.


8. Useful reference sources

For further information on the management of outsourcing arrangements within financial services, see:

Basel Committee on Banking Supervision/Joint Forum

Report on ‘Outsourcing in Financial Services’:

http://www.bis.org/publ/joint12.pdf

‘Sound Practices for the Management and Supervision of Operational Risk’:

http://www.bis.org/publ/bcbs183.pdf

European Banking Agency (EBA)

‘High Level Principles on Risk management’:

http://www.eba.europa.eu/documents/Publications/Standards---Guidelines/2010/Risk-management/HighLevelprinciplesonriskmanagement.aspx

UK Financial Services Authority (FSA)

Regulatory requirements on outsourcing:

http://fsahandbook.info/FSA/html/handbook/SYSC/8

Guernsey Financial Services Commission (GFSC)

Guidance Note on Outsourcing:

http://www.gfsc.gg/The-Commission/Policy%20and%20Legislation/Outsourcing-Risk-Guidance-Note-for-Banks.pdf

Institute of Operational Risk (IOR)

A global professional body for operational risk managers. The IOR has recently published a number of sound practice guidance papers in the area of operational risk:

http://www.ior-institute.org/
