Outsourcing can be beneficial, but it isn’t magic
Making use of third-party vendors changes your risk; it doesn't cause it to vanish
Outsourcing business activities has many advantages. It is often cheaper and more efficient than keeping those same activities in house, and can be an easier way to keep up to speed with industry best practice. More importantly, it frees up valuable internal resources that can instead be focused on the things that really matter.
Financial services firms are no strangers to the benefits of outsourcing; by some accounts, they have made use of it for clerical tasks since the 1970s. But since then, it has become ever more prevalent – particularly with the increased importance of IT – and has grown to cover a more diverse range of activities.
Given the size and complexity of the largest financial firms, some of them now have large armies of contractors and subcontractors scattered across the globe. These vendors – who deal with areas from financial crime software through to credit card processing, call centres and risk analytics – can sometimes be a source of mishaps. Both New York-based data vendor Bloomberg and US custodian BNY Mellon suffered high-profile outages due to third parties in 2015, leading to frustration among clients and negative media coverage.
Plenty of other worrying incidents go unreported, however. In a recent conversation with Risk.net, one operational risk manager at a US bank said some of its outside suppliers had been involved in security breaches, while another was found to be in violation of the law. "What we do in those instances is we exit those relationships," he added.
To some in the consulting world, outsourcing possesses almost magical qualities. But when it comes to risk, outsourcing is no disappearing act. Outsourcing a business activity changes the risk associated with that activity; it won't cause it simply to vanish. However, this seems to have been the working assumption of some financial firms, which gleefully outsource activities without thinking about the different sets of controls they need to put into place.
Regulators have noticed this. In 2013, the US Federal Reserve Board and Office of the Comptroller of the Currency both issued separate guidance notes for banks on third-party risk. Reflecting the importance of subcontractors, these pieces of guidance even included references to "fourth-party risk". That means you don't just have to care about your vendors, but also your vendor's vendor too.
Some risk managers argue the guidance goes too far. But it seems to have worked. In some cases, US banks have responded by bolstering the teams that manage and monitor their vendor relationships, while others say they have significantly cut the number of third-party providers they use.
Of course, regulators must be careful not to overdo it. Outsourcing is a fact of modern business life: a tool that, if used appropriately, can deliver positive results. There's no reason to exclude banks or other financial firms from accessing those. But given the vast scale of outsourcing in financial services – combined with some firms' apparently wilful ignorance – they are right to focus on it.
Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.
To access these options, along with all other subscription benefits, please contact info@risk.net or view our subscription options here: http://subscriptions.risk.net/subscribe
You are currently unable to print this content. Please contact info@risk.net to find out more.
You are currently unable to copy this content. Please contact info@risk.net to find out more.
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. Printing this content is for the sole use of the Authorised User (named subscriber), as outlined in our terms and conditions - https://www.infopro-insight.com/terms-conditions/insight-subscriptions/
If you would like to purchase additional rights please email info@risk.net
Copyright Infopro Digital Limited. All rights reserved.
You may share this content using our article tools. Copying this content is for the sole use of the Authorised User (named subscriber), as outlined in our terms and conditions - https://www.infopro-insight.com/terms-conditions/insight-subscriptions/
If you would like to purchase additional rights please email info@risk.net
More on Risk management
Buy side would welcome more guidance on managing margin calls
FSB report calls for regulators to review existing standards for non-bank liquidity management
Japanese megabanks shun internal models as FRTB bites
Isda AGM: All in-scope banks opt for standardised approach to market risk; Nomura eyes IMA in 2025
Benchmark switch leaves hedging headache for Philippine banks
If interest rates are cut before new benchmark docs are ready, banks face possible NII squeeze
Op risk data: Tech glitch gives customers unlimited funds
Also: Payback for slow Paycheck Protection payouts; SEC hits out at AI washing. Data by ORX News
The American way: a stress-test substitute for Basel’s IRRBB?
Bankers divided over new CCAR scenario designed to bridge supervisory gap exposed by SVB failure
Industry warns CFTC against rushing to regulate AI for trading
Vote on workplan pulled amid calls to avoid duplicating rules from other regulatory agencies
Top 10 op risks: change brings challenges as banks splash the cash
Higher interest margins and a trend toward insourcing drive major tech projects
Top 10 op risks: deepfakes drive rise in fraud fears
External fraud re-enters top 10 as artificial intelligence provides new tools for criminals
Most read
- Top 10 operational risks for 2024
- Top 10 op risks: third parties stoke cyber risk
- Japanese megabanks shun internal models as FRTB bites