One of the key components of the guidelines is establishing and maintaining an outsourcing register. The inaugural outsourcing register submission was completed by all regulated organisations whose Probability Risk and Impact SysteM (PRISM) rating is medium-low or above (or its equivalent) during October 2022. This was a landmark component of the outsourcing process.
This insight reflects on the outsourcing register submission process and identifies vital activities organisations should consider for future submissions. While each organisation will undoubtedly have its own learnings, we outline six key reflection points and suggested responses based on discussions with the market.
1. Assess the criticality or importance of the outsourced activity
Many organisations had yet to finalise their outsourcing determination and criticality assessment methodology during the collation process for the inaugural CBI outsourcing register submission. Consequently, interpretation of the guidelines, determination and categorisation of outsourcing arrangements, and criticality classification proved challenging for many organisations.
In response, organisations should consider the following actions:
- Design a methodology that supports the practical interpretation and consistent application of the guidelines;
- Integrate the methodology with broader risk management and business continuity frameworks;
- Obtain board approval for the methodology; and
- Deploy the methodology and reflect on the results. Consider if the nature and extent of ongoing management are sufficient.
2. Assess your outsourcing risk
The outsourcing risk assessment process requires an extensive time investment from stakeholders across the business. Outsourcing relationship managers, business unit heads, risk domain subject matter experts (SMEs), risk management teams and executive and board committees typically have roles in the outsourcing risk assessment process. The additional regulatory focus on complex areas such as cloud, cyber, concentration risk, sensitive data and sub-outsourcing has added to the complexity. Given the number of preparation, review, oversight and approval points throughout the process, bottlenecks are common. Consequently, many organisations find it challenging to finalise the required periodic outsourcing risk assessments before the register submission.
In response, organisations should consider the following actions:
- Confirm that your risk assessment methodology not only complies with the guidelines but also integrates with the broader enterprise risk management framework;
- Ensure roles and responsibilities are formally documented;
- Create a plan that allocates risk assessments evenly throughout the year;
- Devote sufficient and appropriately skilled resources to the process; and
- Keep your board up-to-date on risks and associated actions.
3. Review contractual arrangements and service level agreements
The guidelines focus on a series of prescriptive contractual requirements. In many cases, this requires organisations to perform a contract renegotiation process across their outsourcing portfolio, particularly for critical and important third-party outsourcing service providers (OSPs), together with the formalisation of their intragroup contracts. Discussions with third-party OSPs can be a sensitive and onerous process with additional provisions in sub-outsourcing, business continuity and exit strategies, among others, often meeting resistance. While formal contracting and service level agreement (SLA) requirements are nothing new for intragroup outsourcing arrangements, varying formality levels across the sector have required significant focus for many organisations to ensure alignment with regulatory requirements. These factors significantly impacted the completion of recent outsourcing register submissions.
In response, organisations should consider the following actions:
- Ensure appropriate engagement with all internal stakeholders, as contractual updates will require support from legal, procurement, arrangement owners, relationship managers and risk domain SMEs;
- If you haven’t already done so, notify your OSPs that you will require their support in tailoring contracts; and
- Leverage senior stakeholder involvement as required to secure buy-in from your OSPs.
4. Review your business continuity management processes
Documenting the details of OSPs’ latest business continuity plans (BCPs) was one of the key requirements of the outsourcing register submission. This area continues to receive pointed regulatory focus given the adverse impact on customers, clients and the market in the event of any operational disruption or failure. Many organisations struggled to obtain the required level of information from OSPs, with some OSPs refusing to engage or provide any form of BCP information, while others only offered verbal discussions to demonstrate results.
In response, organisations should consider the following actions:
- Confirm that OSPs have their own business continuity plans and, for critical or important services, confirm that they complete testing of such plans at least annually;
- Check that your contractual documents support these requirements; and
- Create a process document to outline how your organisation will obtain and review the results of business continuity testing and how this will be evidenced.
5. Develop and test your exit strategy
The outsourcing guidelines advise that the effectiveness of the contingency measures in place, including exit strategies, will largely dictate the resilience of any regulated organisation to vulnerabilities presented by outsourcing arrangements. Given this context, there is an increasing regulatory focus on exit strategies. At the time of the inaugural outsourcing register submission, many organisations had yet to finalise enhancements to their exit strategies and the underlying exit strategy testing methodology. As such, deployment of the associated testing was often not performed.
In response, organisations should consider the following actions:
- Design an exit strategy template to support consistent documentation;
- Document an approach for the nature, timing and extent of exit strategy testing;
- Apply a risk-based approach that is proportionate to the materiality of arrangements; and
- Secure buy-in from those who must be involved in the process, including business owners, relationship managers and SMEs.
6. Review all outsourcing arrangements within the group
The outsourcing register should include all existing outsourcing arrangements. While entering into third-party arrangements is generally an obvious and tangible process, the formal and complete identification and outsourcing risk management of intragroup arrangements remains challenging. In most cases, this is the result of organically developed relationships across intragroup entities in an unstructured way over time. As such, many organisations struggled to formally document and retrofit all the outsourcing requirements as part of the outsourcing register submission process.
In response, organisations should ensure the following is in place to support optimal future register submissions:
- Identify all intragroup arrangements;
- Create a plan to identify all required data fields for these arrangements; and
- When devising this plan, remain cognisant of the volume of work required to apply the outsourcing lifecycle to these arrangements.
Conclusion
The industry has been heavily focused on enhancing outsourcing risk management practices following the publication of the guidelines. Although it is a laborious exercise, the outsourcing register submission has supported organisations in identifying key outsourcing process gaps and risks. With this in mind, organisations should continue implementing the remediation actions identified, which will deliver key operational, commercial, risk and resilience benefits to organisations—and indeed, the Irish market as a whole.
We are here to help you
PwC has extensive experience working with firms across the financial services sector to efficiently and effectively transform their outsourcing frameworks and governance structures, to reflect regulatory guidance and leading best practice. We are ready to help you. Contact us today.