Book 3. Operational Risk
FRM Part 2
OR 12. Managing Outsourcing Risk

Presented by: Sudhanshu
Module 1. Managing Outsourcing Risk
Topic 1. Risks of Outsourcing Activities to Third-Party Service Providers
Topic 2. Effective Program to Manage Outsourcing Risk
Topic 3. Due Diligence on Service Providers
Topic 4. Business Background, Reputation and Strategy
Topic 5. Financial Performance and Condition
Topic 6. Operations and Internal Controls
Topic 7. Contract Provisions
Topic 1. Risks of Outsourcing Activities to Third-Party Service Providers
- Compliance Risk: Service provider not adhering to relevant local laws and regulations.
- Concentration Risk: Limited choice of service providers, or providers clustered in a few geographic areas.
- Reputational Risk: Substandard performance by the service provider leading to negative public perception of the financial institution.
- Country Risk: Exposure to economic and political risks in a foreign country where the service provider is based.
- Operational Risk: Potential losses due to internal control breaches and human error by the service provider.
- Legal Risk: Financial institution subjected to lawsuits and other costs due to negligent activities of a service provider.
Practice Questions: Q1
Q1. Bank, Inc., (Bank) operates in the United States and has a service contract in place with Service Co. (Service), which operates in France. Service manages a significant amount of confidential customer data for Bank, and recently a computer glitch at Service resulted in the accidental public disclosure of confidential customer data. As a result of the data breach, which of the following risks is Bank least likely to face?
A. Compliance risk.
B. Country risk.
C. Legal risk.
D. Operational risk.
Practice Questions: Q1 Answer
Explanation: B is correct.
Country risk refers to using a service provider based in a foreign country and subjecting the financial institution to potential economic and political risks in that country. Clearly, it is not a relevant risk arising from the breach of confidential customer data.
Compliance risk is a possibility given the apparent lack of security controls of the service provider that resulted in the data breach. Operational risk is clearly a relevant risk to the financial institution here given the data breach caused by the service provider. Legal risk is clearly a relevant risk given that the customers affected by the data breach may sue the financial institution as a result of the breach.
Topic 2. Effective Program to Manage Outsourcing Risk
- Core Principle: Adequate oversight and controls over activities with a material impact on finances and operations, especially sensitive customer information and new products/services.
- Program Complexity: Varies with the number and reliability of service providers.
- Key Elements:
  - Risk Assessments (crucial first step)
  - Due Diligence in Selecting Service Providers
  - Contract Provisions
  - Incentive Compensation Review
  - Oversight and Monitoring of Service Providers
  - Business Continuity and Contingency Plans
- Risk Assessment Focus: Determine whether activities are best performed in-house or outsourced.
  - Cost-benefit analysis and risk analysis of the service provider.
  - Key Questions:
    - Do qualified and experienced service providers exist?
    - Is the financial institution qualified to oversee and manage the relationship?
  - Regularly update risk mitigation techniques based on the assessments.
Topic 3. Due Diligence on Service Providers
- Purpose: Ensure the service provider adheres to all relevant laws and regulations while performing services.
- Involvement: Relevant technical specialists and important stakeholders.
- Three Key Areas of Review:
  - Business Background, Reputation, and Strategy
  - Financial Performance and Condition
  - Operations and Internal Controls
Topic 4. Business Background, Reputation and Strategy
- Review Areas:
  - Past business history and key management personnel.
  - Evidence of adequate background checks for new employees.
  - Service provider's experience, strategy, mission statement, service philosophy, and quality maintenance methods.
  - Flexibility and feasibility of the business model for long-term service provision.
- Verification:
  - Contact and confirm references.
  - Confirm necessary licenses and certifications.
  - Search for past or present legal and compliance problems.
Topic 5. Financial Performance and Condition
- Analysis:
  - Obtain and analyze recent financial statements (and annual report) for assets, liabilities, liquidity, and operating performance.
  - Analyze financial information of any subcontractors.
  - Determine the expected financial impact of the contract on the service provider.
- Long-Term Viability:
  - Analyze survival prospects (operating history, market share growth).
  - Ascertain ability to provide service for the contract length (capital, personnel).
  - Consider insurance coverage and other financial impact issues.
Topic 6. Operations and Internal Controls
- Evaluation:
  - Internal controls.
  - IT systems development and support.
  - IT security systems.
  - Methods of securing confidential information.
- Review and Confirmation:
  - Staff training.
  - Service support provided.
  - Employee background checks.
  - Record maintenance processes.
  - Disaster recovery processes.
Practice Questions: Q2
Q2. Which of the following statements regarding risk management programs with service providers to manage outsourcing risk is correct?
A. The program should focus on business continuity and contingency plans.
B. The program should contain more detail if there are only a few outsourced activities to established service providers.
C. The program should contain adequate oversight and controls over all activities that impact the financial institution.
D. The program should require risk assessments to be updated as a result of updated risk mitigation techniques on a sufficiently regular basis.
Practice Questions: Q2 Answer
Explanation: A is correct.
Unexpected events could result in the inability of the service provider to provide its services to the financial institution. Depending on the nature and importance of the services provided, the financial institution may be exposed to substantial losses as a result of the inability of the service provider to provide its services. Therefore, business continuity and contingency plans should be a key focus in any risk management program with service providers.
The program should contain less detail if there are only a few outsourced activities to established service providers given that the risk to the financial institution would be reduced substantially as a result of the service provider being established. The program should not deal with all activities that impact the financial institution but instead focus only on those that have a material impact. The program should require risk mitigation techniques to be updated on a sufficiently regular basis as a result of updated risk assessments.
Practice Questions: Q3
Q3. When performing due diligence on a service provider, ascertaining the sufficiency of its insurance coverage would most appropriately be covered under which of the following categories?
A. Business background, reputation, and strategy.
B. Financial performance and condition.
C. Operations and internal controls.
D. Oversight and monitoring.
Practice Questions: Q3 Answer
Explanation: B is correct.
A review of a potential service provider's financial performance and condition would include queries regarding its level of insurance coverage.
The area of business background, reputation, and strategy takes a more global view of the service provider and would be far less concerned with financial matters such as insurance. Operations and internal controls deal with compliance with relevant laws and regulations, for example, and would be less concerned with financial matters such as insurance. Oversight and monitoring is not an element within the due diligence process, but it is one of the elements (together with due diligence) of an effective risk management program with service providers.
Topic 7. Contract Provisions
- Key Elements to Address:
  - Scope
  - Cost and Compensation
  - Incentive Compensation
  - Right to Audit
  - Establishment and Monitoring of Performance Standards
  - Oversight and Monitoring
  - Confidentiality and Security of Information
  - Ownership and License
  - Indemnification
  - Default and Termination
  - Dispute Resolution
  - Limits on Liability
  - Insurance
  - Customer Complaints
  - Business Resumption and Contingency Plan of the Service Provider
  - Foreign-Based Service Providers, Subcontracting
- Scope: Rights and responsibilities (duration, support, maintenance, training, subcontracting policies, insurance, use of the financial institution's assets).
- Cost and Compensation: Payment responsibilities (equipment, legal, audit fees); listing of compensation types (fixed, variable, special charges).
- Incentive Compensation: Financial institution's right to review appropriateness; incentives structured to prioritize customer interests and avoid excessive risk-taking.
- Right to Audit (Optional): Allows the financial institution to audit the service provider; may require specific audit reports (e.g., AICPA SOC 2, FFIEC TSP).
- Establishment and Monitoring of Performance Standards: Specific, measurable metrics for the service provider's work.
- Oversight and Monitoring: Requirement for annual financial statements; provision for increased monitoring due to deficiencies, weaknesses, or viability concerns; extra reporting for higher-risk providers.
- Confidentiality and Security of Information: Extensive provisions for both financial institution and customer data; service provider access limited to necessary information; compliance with FFIEC guidance and GLBA Section 501(b); addressing access, security, and retention of NPPI; notification of data breaches; clarifying roles/responsibilities for NPPI.
- Ownership and License: When service providers can use the financial institution's property (data, equipment); clarification of data ownership/control; escrow agreements for software source code.
- Indemnification: Service provider indemnifies the financial institution against legal proceedings arising from the service provider's negligence.
- Default and Termination: Clarify default actions, remedies, and methods to overcome default; common termination reasons (change in control, poor performance); sufficient notice of termination; return of data, records, and property.
- Dispute Resolution: Agreed-upon plan for quick resolution and minimal disruption.
- Limits on Liability: May allow service providers to limit liability, subject to board/management approval.
- Insurance: Stipulate sufficient insurance coverage and evidence of it; communication of significant changes.
- Customer Complaints: State which party handles complaints; if the service provider, require reports on complaints and their status.
- Business Resumption and Contingency Plan of the Service Provider: Details on service continuity during disasters; focus on critical services, alternative arrangements, backups, disaster recovery, and testing responsibilities and frequency.
- Foreign-Based Service Providers: Contract may stipulate only the financial institution's jurisdiction for enforcement/dispute resolution to avoid conflicting laws.
Practice Questions: Q4
Q4. The use of performance metrics to assist in determining an acceptable level of performance by a service provider would most appropriately be included in which of the following provisions of a contract with a financial institution?
A. Customer complaints.
B. Default and termination.
C. Indemnification.
D. Right to audit.
Practice Questions: Q4 Answer
Explanation: B is correct.
With regard to the default and termination provision, common reasons include poor performance and nonperformance of duties, which would be detected through the use of performance metrics. The customer complaints provision deals with which party will deal with customer complaints. The indemnification provision deals with the service provider to indemnify the financial institution in the event of any legal proceedings arising from the service provider's negligence. The right to audit provision deals with allowing the financial institution to audit the service provider.
Practice Questions: Q5
Q5. Which of the following provisions would a financial institution least likely include in a contract with a third-party service provider?
A. Establishment and monitoring of performance standards.
B. Indemnification.
C. Ownership and license.
D. Right to audit.
Practice Questions: Q5 Answer
Explanation: D is correct.
The right to audit provision is optional and is the least important provision of the four listed. The use of performance standards is essential for monitoring and oversight purposes that may result in the determination of default by the service provider and possible termination of the contract. The indemnification provision is important because it deals with the service provider indemnifying (i.e., holding harmless) the financial institution in the event of any legal proceedings arising from the service provider's negligence. The ownership and license provision is crucial because it would state when service providers are permitted to use the financial institution's property (i.e., data and equipment) as well as clarify the ownership and control of data produced by a service provider.
Copy of OR 12. Managing Outsourcing Risk
By Prateek Yadav