LO 57.1: Explain how risks can arise through outsourcing activities to third- party service providers, and describe elements of an efFective program to manage outsourcing risk.
R i s k s o f O u t s o u r c i n g A c t
i v i t
i e s t o T h i r d -P a r t y S e r v i c e P r o v i d e r s
The following risks could arise when a financial institution outsources its operational functions to third-party service providers: Compliance risk refers to a service provider not operating in compliance with the
relevant local laws and regulations.
Concentration risk refers to having very few service providers to choose from or that the
service providers are clustered in only a few geographic areas.
Reputational risk refers to a service provider executing its tasks in a substandard manner,
resulting in a negative public perception of the financial institution.
Country risk refers to using a service provider based in a foreign country and subjecting
the financial institution to potential economic and political risks in that country.
Operational risk refers to potential losses sustained by a financial institution as a result of
internal control breaches and human error caused by a service provider.
Legal risk refers to subjecting the financial institution to lawsuits and other costs due to
potentially negligent activities of a service provider.
E f f e c t i v e P r o g r a m t o M a n a g e O u t s o u r c i n g R i s k
The risk management program with service providers needs to contain adequate oversight and controls over activities that have a material impact on the institutions finances and operations. In addition, importance must be placed on activities relating to sensitive customer information and new products and services. The depth and complexity of the program may be relatively low if there are few outsourced activities, and the service providers are established and reliable. Conversely, the depth and complexity may be relatively high if there are many service providers involved in outsourced activities.
2018 Kaplan, Inc.
Page 259
Topic 57 Cross Reference to GARP Assigned Reading – Board o f Governors o f the Federal Reserve System
Risk management programs should include (1) risk assessments, (2) due diligence in selecting service providers, (3) contract provisions, (4) incentive compensation review, (5) oversight and monitoring of service providers, and (6) business continuity and contingency plans.
The last five elements will be discussed in subsequent sections. The crucial first step is to perform risk assessments of the applicable business activities to determine whether these activities are best executed in-house or by a third party. Assuming the outsourcing option is consistent with the financial institutions business objectives, then a cost-benefit analysis and a risk analysis of the service provider should be performed. Two key questions to be answered include the following: (1) Do qualified and experienced service providers exist? (2) Is the financial institution sufficiently qualified to perform oversight duties and manage the relationship with the service provider? Risk mitigation techniques should be updated on a sufficiently regular basis as a result of updated risk assessments.
D u e D i l
i g e n c e o n S e r v i c e P r o v i d e r s