Read on to learn everything you need to know about the UK Prudential Regulation Authority Outsourcing and Third Party Risk Management Supervisory Statement SS2/21 and ensure compliance by 31 March 2022 when the new policy comes into effect.
The time has now come for firms to define their list of material and non-material outsources, set impact tolerances for each one and start building out their stressed exit plans.
No matter what stage you are at in your journey to PRA compliance, our final checklist will make sure you are ready for the impending changes.
The PRA states that it expects firms to assess the materiality and risks of third-party arrangements, irrespective of whether they fall within the usual definition of “outsourcing”.
We recommend you review your current third-party software portfolio with risk assessment tools or work with an independent specialist to assess potential risks associated with any extensive reliance your firm may have on one service provider. Think about the size and complexity of the business areas that could be affected by disruption to this outsourced function. Would an interruption in service stop you from complying with the guidelines? Would it impact your financial performance? Would you still be able to perform the activities of your core business lines?
SS2/21 stipulates that in-scope firms will need to maintain an up-to-date register of outsourcing relationships, distinguishing between those that are material (or high risk) and those that are not.
Any applications that are deemed material must have an exit plan, which means you should categorise the materiality of third parties based upon the role they perform in supporting critical business services. This will allow you to prioritise the highest-risk vendors and focus your efforts where they are needed most. This way you’ll immediately reduce the greatest risks to your organisation should you experience a stressed exit.
Once you’ve established which services are most critical to your business, you’ll then need to conduct proper due diligence on any potential service provider. A superficial evaluation is not sufficient to proactively assess and mitigate risk, so make sure your due diligence practices reflect the materiality and risk assessment from the previous steps. For material (or high risk) outsourcing your due diligence process should address:
It’s important to remember that signing a contract with a third-party vendor doesn’t mean that responsibility and accountability have been outsourced to the third party as well. That’s why we recommend you develop an onboarding process for any new third-party software providers. This will ensure any future applications you add to your software estate have a demonstrably working stressed exit plan in place as soon as they are procured, rather than at go-live.
The PRA expects you to demonstrate that you can retain the flexibility to deliver important business services when disruption occurs. When building your stressed exit plan, make sure it is comprehensive, well documented and, where possible, regularly tested. It should include the objectives of the strategy, an analysis of the potential business impact, the success criteria for migration and the indicators that can be used to classify a service level as unacceptable and therefore constitute an exit trigger.
Ongoing vendor monitoring throughout the life of a third-party relationship is critical. Engagements with third parties do not end after the assessment phase – or after your stressed exit plans have been built. Continually review and revise your due diligence activities, your procurement policies and the classification of both material and non-material applications as the business and its third-party relationships evolve. Identify any current non-material services which have the potential to become material over time and make sure these are built into your stressed exit plan, to avoid having to adapt when new issues arise.
The imminent deadline for banks to comply with the guidelines is by no means an endpoint to compliance. Rules and guidelines around third-party outsourcing will continue to evolve over time and banks will need to remain proactive in ensuring their systems comply with the different requirements.
If you would like more information on how your organisation can improve its approach to PRA compliance before the March deadline, you can reach out to our experts here.