How do I include outsourcing risk in my enterprise risk governance framework?
Any potential outsourcing arrangement should be impact assessed and monitored on an ongoing basis. The risk assessment should:

- identify and classify the relevant functions and related data and systems as regards their sensitivity and required security measures;
- conduct a thorough risk-based analysis of the functions and related data and systems that are being considered for outsourcing or have been outsourced and address the potential risks, in particular the operational risks, including legal, ICT, compliance and reputational risks, and the oversight limitations related to the countries where the outsourced services are or may be provided and where the data are or are likely to be stored;
- consider the consequences of where the service provider is located (within or outside the EU);
- consider the political stability and security situation of the jurisdictions in question, including:
  i) the laws in force, including laws on data protection;
  ii) the law enforcement provisions in place; and
  iii) the insolvency law provisions that would apply in the event of a service provider’s failure and any constraints that would arise in respect of the urgent recovery of the institution’s or payment institution’s data in particular;
- define and decide on an appropriate level of protection of data confidentiality, of continuity of the activities outsourced and of the integrity and traceability of data and systems in the context of the intended outsourcing. Institutions and payment institutions should also consider specific measures, where necessary, for data in transit, data in memory and data at rest, such as the use of encryption technologies in combination with an appropriate key management architecture;
- consider whether the service provider is a subsidiary or parent undertaking of the institution, is included in the scope of accounting consolidation or is a member of or owned by institutions that are members of an institutional protection scheme and, if
The assessment should consider operational risks. The results should be documented, and the assessment should be proportionate, i.e. "small and non-complex institutions and payment institutions may use qualitative risk assessment approaches, while large or complex institutions should have a more sophisticated approach, including, where available, the use of internal and external loss data to inform the scenario analysis."