EBA Guidelines On Outsourcing: Eight Steps To Comply ...
EBA GUIDELINES ON OUTSOURCING: EIGHT STEPS TO COMPLY BEFORE DECEMBER 2021 DEADLINE

Alexandre Vandeput
Published: 19 April 2021

The European Banking Authority’s (EBA) guidelines on outsourcing, issued in February 2019 and entered into force in September 2019, have considerably increased the level of control of third-parties including cloud providers. Fortunately, the EBA had foreseen a transitional period, which will end on 31 December 2021. This gives banks, asset managers, payment service providers and electronic money institutions nine months to adapt their operational risk mitigation frameworks and to remediate legacy outsourcing contracts to ensure compliance.

This timeframe is, indeed, very short. Our experience confirms that many financial institutions are yet to address the key aspects of the guidelines, including assigning roles and responsibilities, reviewing the service level agreements (SLAs) for intra-group arrangements and drafting the adapted outsourcing policy. Meanwhile all contractual arrangements with third-parties will need to be properly remediated by the end of the year.

Furthermore, two major trends are putting additional pressure on fulfilling those obligations - the increasing reliance on cloud service providers (which fall entirely into the guidelines scope) and the accelerated digitalization efforts by many if not all financial institutions following the pandemic.

In this first blog in our series on information and communication technology (ICT) risks mitigation framework, Alexandre Vandeput discusses how to ensure safe compliance on time.

TIME IS RUNNING OUT ON COMPLIANCE WITH THE EBA GUIDELINES ON OUTSOURCING ARRANGEMENTS

Based upon our observations from projects within retail, commercial, payments and electronic money institutions, the pressure is rising on IT, operations and risk departments to adapt their outsourcing control frameworks to the revised guidelines. Furthermore, firms need to ensure that the actual outsourcing arrangements are properly managed.

Many institutions are behind schedule for complying with the guidelines, with substantial internal alignment, efforts to deliver key documentation as well as gap analysis and process review still outstanding. Leaving a ‘sanity’ buffer of three months before the end date is best practice, which means that any institution falling into the scope of the EBA supervisory control needs to be set and ready within six months (i.e. by the end of September) – this also includes the summer holiday period. With such a tight timeframe, if the execution is not managed with razor-sharp precision, institutions may end up in breach.

EIGHT KEY STEPS TO SUCCESSFUL AGILE AND TIME-BOXED DELIVERY

Working on key deliverables and processes, prioritizing the work ahead, having clear governance in place are some of the prerequisites for ensuring that financial institutions’ Executive Committees will be able to validate the work on time and comply safely.

More precisely, we recommend the following eight-step process to fully comply within the required timeframe:

1. Outsourcing register: Start by leveraging your existing outsourcing register, while making sure you are adding the relevant fields required. Do not forget that this exercise is done for the benefit of the service receiver and that this register needs to be considered from a legal entity standpoint. Also, ensure that all cloud-related outsourcing engagements are identified.
2. Business case: This document is drafted to demonstrate that the justification for outsourcing is articulated and accepted and that the service receiver has considered the different options available before opting for an outsourcing solution, with the materiality level of all outsourcing contracts properly defined.
3. Risk assessment: Ensure that the risk taxonomy is clearly consistent across the institution, potentially leveraging the outcomes of the Internal Control Framework. The level of automation of these assessments is key for this to be efficient. You will also need to identify inherent risks and make sure they are accepted, mitigated, or rejected.
4. Due diligence: This involves ‘vetting’ service providers who must demonstrate sufficient and relevant experience, reputation and overall suitability to perform (including key certifications as required).
5. Oversight: Develop a set of agreed key risk indicators (KRIs) and key performance indicators (KPIs) between the service provider and service receiver, as well as applying the ongoing monitoring principle (the frequency will depend on the materiality of the outsourced activity or process).
6. Contracts, SLAs and guidelines: Start drafting contractual agreements between intra- and extra-group service providers. Involve at that stage the key stakeholders from your legal department.
7. DRP, BCM and exit plans: Draft exit plans for any material outsourcing arrangements describing exit scenarios and related exit triggers, preceded by tangible disaster recovery planning (DRP) and business continuity management (BCM).
8. Outsourcing policy: This is the cornerstone of your outsourcing remediation framework and should be the conclusive outcome of the whole initiative. Avoid treating this as a tick-box exercise as it will only lead to frustration, misalignment and misunderstanding among key stakeholders.

OUR RECOMMENDATION

Starting now is not too late, but the time is short and the task is challenging. Ensure that you can:

- Work in a time-boxed manner
- Leverage a pre-defined set of deliverables and documents
- Have a consistent risks taxonomy in place
- Put in place a clear governance structure with strong sponsorship
- Work on a change management plan from the outset

We would also emphasise that automation should be considered, as the required processes, tools and documents are likely to generate a substantial administrative burden. Automation tools provide useful functionalities such as centralized access, workflow management and automated dashboards and reporting.

Contact us to discuss how Capco can help your firm reach the fast-approaching compliance deadline on time.

CONTACTS

Jeroen Dossche, Partner
M +32478221180

Alexandre Vandeput, Principal Consultant
M +32499755200