4 April 2025

A Practitioner's Guide To IT Outsourcing – An Evolution Of Vendor Management And Oversight

Arthur Cox


Arthur Cox is one of Ireland’s leading law firms. For almost 100 years, we have been at the forefront of developments in the legal profession in Ireland. Our practice encompasses all aspects of corporate and business law. The firm has offices in Dublin, Belfast, London, New York and Silicon Valley.

In the final article of our mini-series 'A Practitioner's Guide to IT Outsourcing', Rhiannon Monahan, an Associate Director within our Governance and Consulting Services Group, highlights the key components of a robust vendor management programme, including the key regulations to be incorporated into your oversight and due diligence activities.

Note: While this article uses the phrase 'Vendor Management' throughout, readers should understand this to be a general reference to the framework(s) used to govern and oversee their outsourced, delegated and other third-party arrangements.

Vendor Management Fundamentals

As highlighted in the ECB's recent article on outsourcing trends in the banking sector, the reliance placed by banks on IT Outsourcing continues to increase; with all indications pointing to this trend continuing for the foreseeable future. In addition, it is unlikely that this trend is confined to the banking sector as we continue to see firms across the wider financial services industry exploring the operational and commercial opportunities of increased automation and the use of artificial intelligence ("AI") technologies.

Recognising this growing dependence on IT Outsourcing in a time of increasing regulatory complexity, this article aims to highlight the key components of a robust vendor management programme which will support firms in managing and governing their third-party arrangements whilst also achieving their technology and AI strategy.

1. Centralised Repository

As many firms will have realised during their implementation of the EBA's Guidelines on outsourcing arrangements and/or the Central Bank of Ireland's Cross Industry Guidance on Outsourcing (collectively the "Outsourcing Guidelines"), compiling an accurate and complete list of all external third-party and intragroup service providers who support your operations is rarely straightforward. Instead, firms often face a range of complicating factors, which have been known to include:

  • The lack of a centralised contracts repository within the firm and/or group
  • Details of external third-party service providers being spread across a variety of billing and payment systems
  • Transfer pricing arrangements which do not capture the full extent of intragroup outsourcing arrangements – for example, where the costs associated with IT services and related support are allocated to the largest revenue-generating entity rather than to the entities making use of the services; and
  • The unintended consequences of internal mobility within a group structure on the ability to identify the most appropriate contracting entity, as well as the location of service delivery, and location of data storage and processing.

However, without this holistic view of service providers, it is impossible for a firm to fully quantify and manage the ICT and third-party risk arising across its outsourcing universe. In addition, if a firm does not have clear visibility of all services received from a service provider, its ability to develop effective business continuity and resilience strategies, or to negotiate preferential terms or fee rates with that service provider, is greatly reduced.

2. Standardised Methodologies and Processes

To accurately identify, classify and categorise outsourcing arrangements, each and every proposal to engage a service provider should be subject to the same standardised assessments prior to contract execution and on an ongoing basis thereafter. Put simply, irrespective of who the service provider is or what types of services are to be provided, the firm should not approach the governance or oversight of any arrangement differently until such time as it has determined at least the following:

  1. Whether the arrangement is aligned to the firm's business model, strategy and risk appetite
  2. Which legal and regulatory requirements apply to the governance and oversight of the arrangement (see below for further details)
  3. Whether the arrangement is itself critical or important, and/or supports the performance of a critical or important business service or function; and
  4. Whether the arrangement is subject to regulatory notification and filing requirements.

Despite the volume of regulations which have recently been introduced to govern technology and AI services, regulators have made it clear that each new requirement is intended to build on the last. In adopting this approach, there is a clear expectation that the oversight frameworks adopted by each firm can be continuously scaled up and adapted to incorporate the requirements introduced by each regulation, which as of the time of this article, may include:

Regulation – primarily applicable to:

  • General Data Protection Regulation (GDPR): any firm which handles the personal data of EU residents.
  • ESMA Guidelines on outsourcing to cloud service providers: AIFMs, UCITS management companies, certain investment firms and credit institutions, central counterparties, central securities depositories, credit rating agencies, securitisation repositories and administrators of critical benchmarks.
  • ECB Guide on outsourcing cloud services to cloud service providers: any institution that is supervised directly by ECB Banking Supervision.
  • Central Bank of Ireland's Cross Industry Guidance on Operational Resilience: all firms regulated by the Central Bank of Ireland.
  • Network and Information Systems Directive, 2022/2555 (NIS2): certain firms operating within the eighteen critical sectors named within the legislation, with the exception of those financial entities in scope of the Digital Operational Resilience Act (DORA).
  • Digital Operational Resilience Act (DORA): all financial entity types listed within Article 2 of DORA.
  • EU AI Act: providers and deployers of AI technologies.
  • Payment Services Directive and Payment Services Regulations: banks, non-bank payment service providers and e-money firms which support payments within the EU.
  • Corporate Sustainability Reporting Directive: large EU-domiciled firms which meet at least two of the following criteria: an annual net turnover exceeding €50 million, a balance sheet total exceeding €25 million, or an average of 250 employees; and non-EU firms which have substantial operations within the EU, such as subsidiaries or branches.

What this means in practice is that firms do not have the time to review their arrangements and contracts each time a new requirement is introduced. Instead, gathering all necessary information at the outset of an arrangement, and ensuring it remains up to date through periodic reviews, allows firms to keep pace with regulatory changes and provides enriched information for use in management and Board decision-making.

3. Clarity of Roles and Responsibilities

To effectively manage and oversee an arrangement with a service provider, particularly one which supports a critical or important service or function, there needs to be a clear understanding of who is responsible for what within the vendor management programme as well as who may be called upon for further support and guidance. In clarifying the roles and responsibilities of each stakeholder, the firm will benefit from:

  • strengthened service provider relationships through a co-ordinated and joined-up approach to oversight and due diligence, i.e. the service provider is not asked to deal with multiple teams/individuals;
  • optimised service provider performance, as risk, compliance, operational, technology and other queries and concerns can be quickly identified and resolved; and
  • enhanced clarity in the expectations placed on service providers, as the firm's multi-disciplinary team contributes to the design of oversight and due diligence engagements, including the contents of the service level agreement.

In defining roles and responsibilities, it is important to recognise that the resources available to firms are likely to differ significantly depending on the nature, scale and complexity of their operations and whether they are part of a wider group structure. That being said, in accordance with the Outsourcing Guidelines, firms must ensure that they assign responsibility for the oversight of outsourcing risk and outsourcing arrangements to an appropriately designated individual, function and/or committee, and that they maintain appropriate skills and knowledge to effectively oversee outsourcing arrangements from inception to conclusion. This is especially important where the activities being outsourced are technical and/or complex in nature, for example in the case of outsourcing to IT service providers.

Where a firm's vendor management programme is managed or co-ordinated centrally within its group, care must be taken to ensure that any oversight is conducted in line with local requirements and that the local individual/function delegated responsibility for the oversight of outsourcing risk and outsourcing arrangements can fulfil their obligations.

4. Defined Approach to Proportionality

All too often, firms choose to adapt or amend the oversight and due diligence requirements they apply to service providers under the guise of applying proportionality. Over time, these changes unintentionally create inconsistencies in the approach taken to similar arrangements and ultimately undermine the integrity of a firm's vendor management programme. In the same way that firms should have a defined approach to identifying and classifying arrangements, they should also have a defined methodology for how and when the principle of proportionality will be applied, which should consider at least the following:

  • The regulatory expectations which apply to the firm based on its assigned PRISM/SREP rating.
    • The higher the overall risk profile of the firm, the more robust and comprehensive its internal control and governance arrangements will need to be.
  • The importance of the overall relationship with the service provider.
    • The frequency and intensity of oversight and due diligence of any service provider should be informed by the level of dependence the firm has on the uninterrupted delivery of services by that service provider.
  • The importance of the specific services received by the firm to its continued operations.
    • Certain licensed services are subject to strict regulatory and legal requirements. Where a service provider is engaged to support services which underpin the firm's licensed activities and authorisations, the oversight of those services should be proportionately heightened.

By formally documenting the criteria to be used in determining the appropriate frequency and intensity of oversight and due diligence to be applied to each service provider, the firm will benefit from a scalable and standardised approach to vendor management which will withstand the scrutiny of both clients and regulators.

This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.
