The brief of bank operational risk managers is changing rapidly. Where once they spent their days fretting about internal systems, now they face a galaxy of potential points of failure and back doors for cyber attackers across thousands of third-party service providers. And regulators have made it increasingly clear that banks cannot delegate responsibility without maintaining a strict level of oversight.

In its latest guidelines on outsourcing, the European Banking Authority (EBA) requires