In the second article of our mini-series 'A Practitioners Guide to IT Outsourcing', Rhiannon Monahan, an Associate Director within our Governance and Consulting Services Group and former Head of Outsourcing Oversight to a number of financial entities, outlines which sub-contractors firms should be focused on, the impact sub-contracting can have on third-party risk and how changes to sub-contracting arrangements should be managed.
Who is a material sub-contractor?
In the context of the Cross Industry Guidance on Outsourcing (the "Outsourcing Guidelines"), firms must have visibility of those sub-contractors to which material parts of a critical or important outsourcing arrangement have been sub-outsourced.
Firms are wholly reliant on their outsourced service providers ("OSPs") for complete and accurate information on their sub-contractors. As there are no prescribed thresholds for what constitutes "material" sub-contracting, firms must establish their own internal definition and guidelines and ensure the same is formally discussed and agreed with their OSPs.
Moreover, firms need to protect and defend their own Resilience, both from a digital and operational perspective. Firms should be prepared to challenge OSPs on which sub-contractors materially underpin the services they receive irrespective of where they sit in the contractual hierarchy i.e. fourth, fifth party etc. As proven by the system crash at CrowdStrike in July 2024, the less visibility that firms have of material sub-contractors, the higher their resilience risk in the face of service outages or disruptions.
Third-Party Risk Considerations
As highlighted in the ECB's recent analysis of outsourcing trends in the banking sector:
"The third-party risk from sub-outsourcing depends on two factors: the length of the supply chain and whether the sub-outsourcing involves external service providers."
Put simply, each additional layer in the sub-outsourcing chain has an additive effect on third-party risk thus increasing the effort and resources needed to ensure the arrangement remains within risk appetite and tolerance. While it is reasonable to expect that the service provider will oversee each sub-contractor it appoints, firms should trust but verify that the level of oversight and due diligence applied is proportionate to the nature, scale and complexity of the sub-contracting arrangements. At a minimum, firms should ensure that each OSP supporting a critical or important arrangement:
- Has a robust and thorough Risk Management Framework and Vendor Management Programme in place.
- Has an appropriate contract and service level agreements in place with each sub-contractor, which grants the firm the right of access and audit.
- Is conducting sufficiently frequent and robust oversight and due diligence of each sub-contractor, to include on-site visits where appropriate.
- Knows exactly where the firm's data is being processed and stored; and
- Is testing relevant business continuity, disaster recovery and exit plans to ensure their own resilience in the case of a service outage or failure.
<
In the second article of our mini-series 'A Practitioners Guide to IT Outsourcing', Rhiannon Monahan, an Associate Director within our Governance and Consulting Services Group and former Head of Outsourcing Oversight to a number of financial entities, outlines which sub-contractors firms should be focused on, the impact sub-contracting can have on third-party risk and how changes to sub-contracting arrangements should be managed.
Who is a material sub-contractor?
In the context of the Cross Industry Guidance on Outsourcing (the "Outsourcing Guidelines"), firms must have visibility of those sub-contractors to which material parts of a critical or important outsourcing arrangement have been sub-outsourced.
Firms are wholly reliant on their outsourced service providers ("OSPs") for complete and accurate information on their sub-contractors. As there are no prescribed thresholds for what constitutes "material" sub-contracting, firms must establish their own internal definition and guidelines and ensure the same is formally discussed and agreed with their OSPs.
Moreover, firms need to protect and defend their own Resilience, both from a digital and operational perspective. Firms should be prepared to challenge OSPs on which sub-contractors materially underpin the services they receive irrespective of where they sit in the contractual hierarchy i.e. fourth, fifth party etc. As proven by the system crash at CrowdStrike in July 2024, the less visibility that firms have of material sub-contractors, the higher their resilience risk in the face of service outages or disruptions.
Third-Party Risk Considerations
As highlighted in the ECB's recent analysis of outsourcing trends in the banking sector:
"The third-party risk from sub-outsourcing depends on two factors: the length of the supply chain and whether the sub-outsourcing involves external service providers."
Put simply, each additional layer in the sub-outsourcing chain has an additive effect on third-party risk thus increasing the effort and resources needed to ensure the arrangement remains within risk appetite and tolerance. While it is reasonable to expect that the service provider will oversee each sub-contractor it appoints, firms should trust but verify that the level of oversight and due diligence applied is proportionate to the nature, scale and complexity of the sub-contracting arrangements. At a minimum, firms should ensure that each OSP supporting a critical or important arrangement:
- Has a robust and thorough Risk Management Framework and Vendor Management Programme in place.
- Has an appropriate contract and service level agreements in place with each sub-contractor, which grants the firm the right of access and audit.
- Is conducting sufficiently frequent and robust oversight and due diligence of each sub-contractor, to include on-site visits where appropriate.
- Knows exactly where the firm's data is being processed and stored; and
- Is testing relevant business continuity, disaster recovery and exit plans to ensure their own resilience in the case of a service outage or failure.
Alerts and Notifications
By now, all pre-existing contracts for critical or important outsourcing arrangements should have been updated to require OSPs to i) notify firms in advance of any proposals to introduce or amend material sub-contracting arrangements and to ii) grant firms the right to approve or object to the proposal within a reasonable timeframe and on justifiable grounds.
As soon as a notification is received, firms must act quickly to:
- Collate any additional information required from the OSP to assess the proposal and its impact on the firm's third-party risk.
- Reach an internal consensus based on the results of the risk assessment and analysis on whether the outsourcing arrangement will be retained or terminated; and
- Where relevant, notify the Central Bank via the firm's Supervision Team of the planned changes to the firms' Outsourcing Universe including details of the Responsible Executive charged with responsibility for the oversight of the arrangement and a confirmation that the arrangement is aligned to the firm's Risk Management Framework and Outsourcing Strategy.
Recognising that not all sub-contracting arrangements are created equal in terms of risk and complexity, there is no definitive regulatory guidance to determine what constitutes 'timely' notification from either the OSP to the firm or from the firm to the Central Bank. However, it is reasonable to expect that the greater the impact the proposed sub-contracting may have on the delivery of critical services, the earlier in the process the relevant notifications should be made.
>Alerts and Notifications
By now, all pre-existing contracts for critical or important outsourcing arrangements should have been updated to require OSPs to i) notify firms in advance of any proposals to introduce or amend material sub-contracting arrangements and to ii) grant firms the right to approve or object to the proposal within a reasonable timeframe and on justifiable grounds.
As soon as a notification is received, firms must act quickly to:
- Collate any additional information required from the OSP to assess the proposal and its impact on the firm's third-party risk.
- Reach an internal consensus based on the results of the risk assessment and analysis on whether the outsourcing arrangement will be retained or terminated; and
- Where relevant, notify the Central Bank via the firm's Supervision Team of the planned changes to the firms' Outsourcing Universe including details of the Responsible Executive charged with responsibility for the oversight of the arrangement and a confirmation that the arrangement is aligned to the firm's Risk Management Framework and Outsourcing Strategy.
Recognising that not all sub-contracting arrangements are created equal in terms of risk and complexity, there is no definitive regulatory guidance to determine what constitutes 'timely' notification from either the OSP to the firm or from the firm to the Central Bank. However, it is reasonable to expect that the greater the impact the proposed sub-contracting may have on the delivery of critical services, the earlier in the process the relevant notifications should be made.
This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.
