In today’s interconnected business landscape, outsourcing has become a fundamental aspect of operational strategy, especially within the insurance sector. As firms strive to meet Operational Resilience requirements, it is imperative to ensure that their outsourcing policies and third-party relationships are robust and capable of withstanding disruptions.

In recent years, regulators have increasingly shifted their focus towards Critical Third Parties (CTPs) because financial firms rely on a small number of external providers for key services. This reflects concerns over the systemic risks posed by disruptions to these third parties, particularly in areas such as cloud services, IT infrastructure, and outsourcing, as recent events such as the CrowdStrike incident have shown. Firms must ensure that their material third-party service providers meet stringent Operational Resilience standards, with enhanced scrutiny on how firms manage third-party risks and integrate these dependencies into their overall resilience frameworks. There are two main scenarios for firms to consider: first, ensuring that all third-party suppliers have an adequate Operational Resilience framework in place; second, for outsourced services that support one or more Important Business Services (IBSs), ensuring that these services are fully included in resource mapping, scenario testing and vulnerability resolution. This shift highlights the need for rigorous assurance reviews of outsourcing policies and third-party risk management practices.

This is the penultimate article of the ICSR Operational Resilience Assurance Week’s series (Follow the conversation on LinkedIn at: #ICSROpResAssuranceWeek) and explores the significance of assurance reviews in the context of outsourcing policies, third-party risk management, and the assessment of critical third parties. It delves into the key components of an effective outsourcing framework, the methodologies for managing third-party risks, and the strategies for ensuring resilience among critical external partners. By understanding these elements, firms can enhance their Operational Resilience and minimise potential vulnerabilities associated with third-party dependencies.

The Role Of Outsourcing In Operational Resilience

Outsourcing allows firms to leverage specialised expertise, reduce operational costs, and enhance service delivery. However, it also introduces risks, especially when external providers support key business operations. In the context of Operational Resilience, the management of outsourcing relationships becomes crucial to ensuring continuity in the face of disruptions.

Key Components Of An Outsourcing Policy

A well-defined outsourcing policy serves as a framework for managing third-party relationships effectively. Assurance reviews should evaluate the following critical components:

  1. Due Diligence and Selection
    Prior to engaging with third-party providers, firms must conduct thorough due diligence to assess potential risks. This includes evaluating the provider’s financial stability, operational capabilities (including appropriate expertise), and compliance with regulatory requirements. The assurance review should focus on whether your firm has established criteria for selecting outsourcing partners – including Operational Resilience maturity and history of disruptions – and whether these criteria are consistently applied.
  2. Contractual Provisions
    Contracts with third-party providers should clearly outline the expectations regarding service delivery, performance metrics, and resilience obligations. Assurance testing should verify that contracts contain specific clauses related to Operational Resilience, such as:
    • Service Level Agreements (SLAs): Detailed SLAs that specify performance expectations, including recovery times and penalties for non-compliance.
    • Termination Clauses: Provisions that allow your firm to terminate the contract if the provider fails to meet resilience standards to a defined level.
    • Right to Audit: Clauses that grant your firm the right to conduct audits or assessments of the provider’s operations to ensure compliance with contractual obligations.
  3. Ongoing Monitoring and Reporting
    Effective outsourcing policies require continuous oversight of third-party performance. Assurance reviews should assess whether firms have established monitoring mechanisms to track the performance of third-party providers and whether they receive regular updates on resilience measures and incidents. Key areas of focus include:
    • Performance Metrics: The establishment of key performance indicators (KPIs) to evaluate the provider’s service delivery and compliance with SLAs.
    • Incident Reporting: Procedures for reporting incidents, including disruptions, security breaches, or compliance failures, to ensure timely resolution and mitigation.
  4. Exit Strategies
    Firms must develop clear exit strategies, under stressed and non-stressed conditions, for critical outsourcing relationships. Assurance testing should evaluate whether these strategies are documented and feasible, allowing for a smooth transition to alternative service providers or in-house solutions if needed. Elements to consider include:
    • Transition Plans: Detailed plans outlining how services will be transitioned to another provider, including timelines and resource allocation.
    • Knowledge Transfer: Mechanisms for transferring knowledge and critical information from the outgoing provider to the new service provider.

Third-Party Risk Management: A Comprehensive Approach

As firms increasingly rely on third-party providers, effective third-party risk management (TPRM) becomes essential to maintaining Operational Resilience. TPRM involves identifying, assessing, and mitigating risks associated with external partnerships. Assurance reviews should focus on validating the robustness of your firm’s TPRM framework.

Key Components of Third-Party Risk Management

  1. Risk Assessment
    Assurance reviews should assess your firm’s methodologies for evaluating the risks posed by third-party providers. This includes:
    • Risk Categorisation: Classifying third parties based on the criticality of their services and the potential impact of their failure on your firm’s operations.
    • Threat Identification: Identifying specific threats that third-party providers may pose, including operational, financial, reputational, and cybersecurity risks.
  2. Risk Mitigation Strategies
    Once risks are identified, firms must implement appropriate risk mitigation strategies. Assurance testing should evaluate the effectiveness of these strategies, including:
    • Diversification of Providers: Ensuring that firms do not rely heavily on a single provider for critical services by engaging multiple suppliers for similar services, where possible.
    • Contractual Safeguards: Establishing contractual protections that address potential risks, such as service outages or data breaches.
  3. Monitoring and Reporting
    Continuous monitoring of third-party relationships is vital for effective TPRM. Assurance reviews should focus on whether firms have implemented robust monitoring mechanisms, including:
    • Performance Reviews: Regular assessments of third-party performance against established SLAs and KPIs.
    • Compliance Audits: Conducting periodic audits to ensure that third-party providers adhere to regulatory requirements and contractual obligations.
  4. Incident Response and Recovery
    Firms should have clear incident response plans in place for managing third-party incidents. Assurance testing must evaluate whether these plans are well-documented and regularly tested. Key areas to consider include:
    • Escalation Procedures: Clearly defined escalation procedures for reporting and responding to incidents involving third-party providers.
    • Communication Protocols: Mechanisms for communicating with stakeholders, including customers and regulators, during incidents.

Material Third Parties: Ensuring Resilience

Material third parties are those external providers that play a vital role in delivering your firm’s IBS. Given their importance, firms must ensure that these providers have robust Operational Resilience frameworks in place. Assurance reviews should focus on assessing the resilience of material third-party relationships.

Identifying Material Third Parties

To effectively manage risks associated with critical third parties, firms must first identify which providers are essential to their operations. Assurance reviews should evaluate the following criteria:

  • Service Dependency: Assessing the extent to which your firm relies on a particular third party for the delivery of essential services.
  • Market Position: Evaluating the significance of the provider within the market and the potential systemic risks posed by their failure.
  • Impact Assessment: Understanding the potential consequences of service disruptions on customers, regulators, and other stakeholders.

Assurance Reviews Of Material Third Parties

  1. Business Continuity Planning
    Assurance reviews should verify that material third parties have effective business continuity plans (BCPs) in place. Key areas of focus include:
    • Plan Testing: Assessing whether the third party conducts regular tests of its BCPs to ensure effectiveness in real-world scenarios.
    • Alignment with your Firm’s Plans: Evaluating whether the third party’s recovery plans align with your firm’s resilience objectives and Impact Tolerances.
  2. Service Level Agreements (SLAs)
    Assurance reviews should evaluate the adequacy of SLAs established with material third parties. This includes assessing:
    • Performance Metrics: Ensuring that SLAs include measurable performance metrics that align with your firm’s expectations for service continuity.
    • Penalties for Non-Compliance: Verifying that SLAs include penalties or consequences for third parties that fail to meet established performance standards.
  3. Third-Party Audits
    Assurance reviews should consider whether firms regularly conduct audits of material third-party providers. Key aspects of these audits include:
    • Compliance Checks: Assessing whether third parties adhere to regulatory requirements and contractual obligations.
    • Vulnerability Assessments: Evaluating the resilience of third-party systems and processes to identify potential vulnerabilities.
  4. Contingency Planning
    Firms must ensure that contingency plans are in place for material third parties. Assurance testing should evaluate the robustness of these plans, including:
    • Alternative Solutions: Assessing whether your firm has identified alternative providers or in-house solutions that can be deployed in the event of a disruption.
    • Knowledge Transfer: Ensuring that material knowledge and resources can be easily transferred to alternative providers if needed.

Material Third Parties: What Should You Consider?

When conducting an assurance review of outsourcing policies, third-party risk management, and material third parties, firms must take a thorough and critical approach. Here are some of the key questions firms should ask themselves to ensure their Operational Resilience frameworks adequately address these areas:

  1. Are our Material Third Parties properly identified and reviewed?
    Have we correctly identified which third parties are critical to our Important Business Services (IBS)? Do we have clear criteria for determining the criticality of each service provider? How regularly do we review the status and performance of these material third parties?
  2. Do we have a robust outsourcing policy that reflects regulatory expectations?
    Does our outsourcing policy align with the latest regulatory guidelines and Operational Resilience requirements? Is our policy comprehensive in addressing both onboarding and exit strategies for third-party relationships? Have we embedded resilience and continuity requirements into our contracts and service level agreements (SLAs)?
  3. How do we manage third-party risk in terms of Operational Resilience?
    Are we adequately assessing third-party risks, including the ability of those outsourcing service providers to meet our Impact Tolerances in the event of disruption? Are third-party dependencies accounted for in our scenario testing and resilience planning? How do we ensure ongoing oversight of third-party performance and their Operational Resilience capabilities?
  4. Do we have contingency plans in place for third-party failures?
    Do we have alternative suppliers or strategies if a material third party fails to deliver services within acceptable timeframes? How often are these contingency plans tested, and are the results integrated into our broader resilience framework? Are we confident that our exit strategies with third parties can be executed effectively without causing disruption to IBS?
  5. Are we continuously monitoring and updating our third-party risk management practices?
    Do we regularly review third-party performance and update our risk assessments based on new information, such as geopolitical changes or emerging threats? Are there mechanisms in place to ensure third parties adapt to changes in the regulatory landscape, technology, and operational demands?
  6. Do we have robust contracts in place?
    Do we have contractual commitment from our third-party service providers to SLAs, recovery times, Business Continuity Plans, Operational Resilience framework continuous improvements, participation in Scenario Testing, …

Asking these questions ensures that assurance reviews go beyond a surface-level check, critically evaluating the resilience of third-party relationships and the policies governing them. This helps firms safeguard against disruptions caused by outsourced functions and third-party failures, which are increasingly critical in a connected and interdependent financial services ecosystem.

Conclusion

As firms navigate the complexities of outsourcing and third-party relationships, assurance reviews play a pivotal role in ensuring Operational Resilience. By evaluating outsourcing policies, assessing third-party risks, and ensuring the robustness of critical third-party partnerships, firms can build a resilient framework that supports their IBS and aligns with regulatory expectations.

UK Regulators are introducing the concept of Critical Third Parties through a consultation (CP23/30). Key proposals include a framework for designating CTPs based on factors like the materiality, concentration, and systemic importance of the services provided. Designated CTPs would need to submit regular self-assessments, conduct scenario testing, and maintain a resilience playbook to respond to incidents. The overarching aim is to bolster Operational Resilience while enhancing transparency and oversight in financial services outsourcing and third-party risk management. A Supervisory Statement and a Policy Statement are planned to be published by the end of the year. In an increasingly interconnected world, the ability to effectively manage outsourcing and third-party risks is not just a compliance requirement—it is a critical component of a firm’s overall operational strategy.

If you would like to discuss how ICSR can leverage its extensive knowledge and experience to bolster your firm’s confidence in its ability to evidence compliance with Operational Resilience regulation, please do speak with either of the authors or your usual ICSR contact.

Tomorrow we will be covering how to remain relevant and adaptable beyond the 31st March 2025 deadline for the end of the transition period.
