What is SS2/21 outsourcing and third-party risk management?
The PRA expect UK Financial Services firms to have robust continuity measures in place for “important business services” and specifically stipulate that any material cloud outsourcing arrangement must adopt the highest of resiliency options.
PRA Outsourcing regulations: Solutions to support compliance
Providing you with the necessary materials to engage with an alternative third-party to rebuild an outsourced SaaS application.
1. Assess the risks of ALL third-party arrangements
The PRA states that it expects firms to assess the materiality and risks of third-party arrangements, irrespective of whether they fall within the usual definition of “outsourcing”.
We recommend you review your current third-party software portfolio with risk assessment tools or work with an independent specialist to assess potential risks associated with any extensive reliance your firm may have on one service provider.
Think about the size and complexity of the business areas that could be affected by disruption to this outsourced function.
style=”margin-left:0px; margin-right:0px”>Would an interruption in service stop you from complying with the guidelines?
Would it impact your financial performance? Would you still be able to perform the activities of your core business lines?
2. Categorize third-party dependencies on criticality and concentration risk
PRA SS2/21 stipulates that in scope firms will need to maintain an up-to-date register of outsourcing relationships, distinguishing between those that are material (or high risk) and those that are not.
Any applications that are deemed as material must have an exit plan, which means you should categorize the materiality of third parties based upon the role they perform in supporting critical business services.
This will allow you to prioritize the highest-risk vendors and focus your efforts where they are needed most. This way you’ll immediately reduce the greatest risks to your organization should you experience a stressed exit.
Wayne Scott, our Regulatory Compliance lead, explains what is meant by a stressed exit.
3. Carry out supplier risk assessment & due diligence
Once you’ve established which services are most critical to your business, you’ll then need to conduct proper due diligence on any potential service provider.
A superficial evaluation is not sufficient to proactively assess and mitigate risk – so make sure your due diligence practices reflect the materiality and risk assessment from the previous steps. For material (or high risk) outsourcing your due diligence process should address:
- Whether the software provider has the ability, capacity, resources, organizational structure and authorization to reliably deliver the service.
- The software providers ability to meet standards of service quality, security and reliability for the length of the contract.
- Any sub-contracting or additional party collaboration that might be required, along with any risks these additional relationships may bring.
- Any potential conflicts of interest.
4. Immediately revisit procurement procedures
It’s important to remember that signing a contract with a third-party vendor doesn’t mean that responsibility and accountability has been outsourced to the third party as well.
That’s why we recommend you develop an onboarding process for any new third-party software providers. This will ensure any future applications you add to your software estate have a demonstrably working stressed exit plan in place as soon as they are procured, rather than at go live.
5. Document and test business continuity and exit plans
The PRA expects you to demonstrate that you can retain flexibility to deliver important business services when disruption occurs. When building your stressed exit plan make sure it is comprehensive, well documented and where possible, regularly tested.
We recommend implementing software resilience measures such as Escrow agreements and Verification to help protect outsourced software and ensure compliance with PRA guidelines.
Software Escrow Agreements combined with Escrow Verification provides firms with the legal and technical assurance to bring an important service back-in house or the necessary materials to migrate to another service provider to rebuild the outsourced service should disruption occur.
Head of Product & Solution Architecture, Jamie Mackay, explains how Software Escrow can be used to meet PRA SS2/21 requirements.
6. Continual monitoring
Ongoing vendor monitoring throughout the life of a third-party relationship is critical. Engagements with third parties do not end after the assessment phase – or after your stressed exit plans have been built.
Continually review and revise your due diligence activities, procurement policies as well as both material and non-material applications as the business, and any third-party relationships, evolve.
Identify any current non-material services which have the potential to become a material service overtime and make sure these are built into your stressed exit plan to avoid having to adapt when new issues arise.
- Review your current third-party software portfolio and assess potential risks associated with any reliance your firm may have on one service provider.
- Categorise the materiality of third parties based upon the role they perform in supporting critical business services to ensure the highest-risk vendors have the necessary stressed exit plan in place.
- For high-risk outsourcing arrangements make sure due diligence processes address whether the software provider has the ability, capacity and resources to reliably deliver the service.
- Develop an onboarding process to ensure a demonstrably working stressed exit plan is in place as soon as new third-party applications are procured, rather than at go live.
- Software Escrow and Verification solutions form a vital part of any business continuity plan as they provide regulated firms with the legal right to access the outsourced application and gives a firm the knowledge required to execute their exit plan accordingly.
- Continually review and revise your due diligence activities and procurement policies to ensure any current non-material services can be built into your stressed exit plan.