BITS GUIDE TO CONCENTRATION RISK



Similar documents
Risk Management of Outsourced Technology Services. November 28, 2000

TO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel

GUIDANCE FOR MANAGING THIRD-PARTY RISK

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

White Paper on Financial Institution Vendor Management

The rise of third party relationships means rise in risk and regulation. Non-compliance is risky business for financial institutions

Guidance Note: Stress Testing Class 2 Credit Unions. November, Ce document est également disponible en français

Federal Financial Institutions Examination Council FFIEC. Business Continuity Planning BCP MARCH 2003 MARCH 2008 IT EXAMINATION

Appendix J: Strengthening the Resilience of Outsourced Technology Services

CONSULTATION PAPER ON HIGH LEVEL PRINCIPLES ON OUTSOURCING COVER NOTE

Vendor Management. Outsourcing Technology Services

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

Cloud Computing: Legal Risks and Best Practices

OUTSOURCING GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS, 2008

EUROSYSTEM ASSESSMENT REPORT ON THE IMPLEMENTATION OF THE BUSINESS CONTINUITY OVERSIGHT EXPECTATIONS FOR SYSTEMICALLY IMPORTANT PAYMENT SYSTEMS

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

Federal Financial Institutions Examination Council FFIEC BCP. Business Continuity Planning FEBRUARY 2015 IT EXAMINATION H ANDBOOK

Capital Market Integration and Stock Exchange Consolidation in the Asia-Pacific

Outsourcing in the Financial Services Industry: Finding Opportunities and Managing Risk. New York. OCC and FRB Guidance on Managing Third-Party Risk

Blind spot Banks are increasingly outsourcing more activities to third parties. But they can t outsource the risks.

GUIDELINES ON OUTSOURCING

Re: Notice and Request for Comments - Determinations of Foreign Exchange Swaps and Forwards (75 Fed. Reg )

GUIDELINES FOR BUSINESS CONTINUITY IN WHOLESALE MARKETS AND SUPPORT SYSTEMS MARKET SUPERVISION OFFICE. October 2004

Statement of Guidance: Outsourcing All Regulated Entities

Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004

OUTSOURCING REGULATIONS IN THE BANKING AND INSURANCE INDUSTRIES IN ASIA PACIFIC

PAPER-6 PART-1 OF 5 CA A.RAFEQ, FCA

Supporting information technology risk management

Outsourced Third Party Relationship Management/ Vendor Management. TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP

The PNC Financial Services Group, Inc. Business Continuity Program

Technology Outsourcing. Tools to Manage Technology Providers Performance Risk: Service Level Agreements

Managing Outsourcing Arrangements

Standard for Business Continuity/Disaster Recovery (BC/DR) Service Providers

Monetary Authority of Singapore BUSINESS CONTINUITY MANAGEMENT GUIDELINES

Mapping of outsourcing requirements

Technology Outsourcing. Effective Practices for Selecting a Service Provider

Supervisory Guidance on Operational Risk Advanced Measurement Approaches for Regulatory Capital

Sound Practices for the Management of Operational Risk

SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE ( ) ON THIRD PARTY RELATIONSHIPS

GUIDELINES FOR THE MANAGEMENT OF OPERATIONAL RISK

BANKING UNIT BANKING RULES OUTSOURCING BY CREDIT INSTITUTIONS AUTHORISED UNDER THE BANKING ACT 1994

SUPERVISION GUIDELINE

GUIDANCE NOTE OUTSOURCING OF FUNCTIONS BY ENTITIES LICENSED UNDER THE PROTECTION OF INVESTORS (BAILIWICK OF GUERNSEY) LAW, 1987

Year 2000 Business Continuity Planning: Guidelines for Financial Institutions Introduction

BOARD OF GOVERNORS FEDERAL RESERVE SYSTEM

Operational Risk Management Policy

Business Continuity Planning and Disaster Recovery Planning

The New Third-Party Oversight Framework: Trust but Verify kpmg.com

Outsourcing Risk Guidance Note for Banks

The PNC Financial Services Group, Inc. Business Continuity Program

Cyber Risks in the Boardroom

GUIDELINES ON OUTSOURCING

ISSUES PAPER PAYMENT SYSTEMS BUSINESS CONTINUITY

To: Our Clients and Friends March 25, 2014

Part A OVERVIEW Introduction Applicability Legal Provision...2. Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...

How To Assess A Critical Service Provider

14 December 2006 GUIDELINES ON OUTSOURCING

NOTICE 158 OF 2014 FINANCIAL SERVICES BOARD REGISTRAR OF LONG-TERM INSURANCE AND SHORT-TERM INSURANCE

Business resilience: The best defense is a good offense

OCC 98-3 OCC BULLETIN

Financial Services Guidance Note Outsourcing

Resource Management Group

Cisco Disaster Recovery: Best Practices White Paper

Why Should Companies Take a Closer Look at Business Continuity Planning?

Statement of Guidance

Principles on Outsourcing by Markets

THE UH OH MOMENT. Financial Services Enterprises Focus on Governance, Transparency and Supply Chain Risk

Outsourcing Technology Services A Management Decision

Financial Stability Standards for Securities Settlement Facilities

Desktop Scenario Self Assessment Exercise Page 1

MEDIA RELEASE. IOSCO reports on business continuity plans for trading venues and intermediaries

GUIDANCE NOTE ON OUTSOURCING

2015 CEO & Board University Taking Your Business Continuity Plan To The Next Level. Tracy L. Hall, MBCP

OUTSOURCING POLICY

THE DOMESTIC SURVEY AND THE CONSEQUENT RECOMMENDATIONS

The promise and pitfalls of cyber insurance January 2016

Core Principles for Effective Banking Supervision: New Edition Released

Model Template for 165(d) Tailored Resolution Plan

12 Considerations for Managing Foreign Supplier Risk

Guidelines on Investment in Shares, Interest-in-Shares and Collective Investment Schemes

LIQUIDITY RISK MANAGEMENT GUIDELINE

Consultative report. Committee on Payment and Settlement Systems. Board of the International Organization of Securities Commissions

RISK MANAGEMENt AND INtERNAL CONtROL

FFIEC Cybersecurity Assessment Tool

Guidelines on Investment in Shares, Interest-in-Shares and Collective Investment Schemes for Islamic Banks

An Agile Supply Chain to deal with Global Challenges. November 22 nd, 2012

3 rd Party Vendor Risk Management

Kuala Lumpur, Malaysia, May Report

FCPA 10 Hallmarks Self- Assessment

Committee on Payments and Market Infrastructures. Board of the International Organization of Securities Commissions

Principles for BCM requirements for the Dutch financial sector and its providers.

SUPERVISORY AND REGULATORY GUIDELINES: PU GUIDELINES ON MINIMUM STANDARDS FOR THE OUTSOURCING OF MATERIAL FUNCTIONS

Prudential Practice Guide

Defining and Managing Reputation Risk

Cascading Risk. Tom Kellermann, CISM VP of Security Awareness. Core Security Technologies

CENTRAL BANK OF KENYA (CBK) PRUDENTIAL GUIDELINE ON BUSINESS CONTINUITY MANAGEMENT (BCM) FOR INSTITUTIONS LICENSED UNDER THE BANKING ACT

DATA BREACH COVERAGE

Internal Audit Progress Report Performance and Overview Committee (19 th August 2015) Cheshire Fire Authority

SUPERVISORY AND REGULATORY GUIDELINES: PU BUSINESS CONTINUITY GUIDELINES

Transcription:

BITS GUIDE TO CONCENTRATION RISK IN OUTSOURCING RELATIONSHIPS BITS A DIVISION OF THE FINANCIAL SERVICES ROUNDTABLE 1001 PENNSYLVANIA AVENUE, NW SUITE 500 SOUTH WASHINGTON, DC 20004 202-289-4322 WWW.BITS.ORG

TABLE OF CONTENTS Introduction...3 Defining Concentration Risk...4 Concentration Risk and Systemic Risk...4 Types of Concentration Risk...5 Identifying Concentration Risk...7 Remediating Concentration Risk...8 Conclusion... 10 Appendix: Mitigation Matrix...11 BITS 2010. 2

INTRODUCTION Concentration risk is a commonly recognized problem in the financial arena, but its presence is less commonly discussed in operational areas. Nevertheless, concentration risk is a fundamental matter in a number of operational areas, including outsourcing. Although many of the considerations in this paper are directly applicable to relationships with suppliers of goods, the primary focus of this paper is on concentration risk in outsourcing relationships with third-party service providers. Although institutions define outsourcing differently, relationships significant enough to be within the scope of an institution s vendor management program are primarily in view. If overlooked, unacceptable concentration risk can result in unplanned service outages, disruption of service to the financial institution customer, brand and reputation damage, poorly planned transitions to new service providers, reduced negotiating strength with replacement service providers, and higher costs. At the most basic level, concentration risk is usually recognized in single-vendor relationships. This paper intends to demonstrate that concentration risk can be present in much more diverse situations, including multi-vendor outsourcing structures. It is still more challenging to understand and manage an institution s aggregate concentration risk across all of its locations, businesses, and provider relationships. Institutions should have concentration risk identification, management, and reporting processes that are appropriate for the character, size, and complexity of their business. Although this paper includes some broad recommendations, they are offered with the understanding that there are cases in which other approaches may be more effective. Understanding that institutions in various sectors of the financial services industry have different outsourcing needs and risk tolerances, no recommendation in this paper should be interpreted as normative of or prescriptive for the financial services industry. Still, the content that follows should prove a useful guide to institutions as they examine their own concentration risk identification, tolerances, and remediation practices. BITS 2010. 3

DEFINING CONCENTRATION RISK In the outsourcing context, concentration risk can be defined as the probability of loss arising from a lack of diversification. This lack of diversification may present itself in the financial institution s pool of counterparties, geographic locations, or other identifiable risk scenarios. Outsourcing concentration risk is a subset of supplier concentration risk. Specific types of concentration risk are enumerated and explained in this paper s section on Types of Concentration Risk. CONCENTRATION RISK AND SYSTEMIC RISK When the same manifestation of concentration risk affects much or all of the financial services industry, it is known as systemic risk. The most common type of systemic risk is when a single service provider, often an industry utility, is the only viable service provider. Systemic risk has become more common and more complex with recent consolidation in some service provider communities and with increasing interdependence of countries, currencies, and financial institutions. Many boundaries that formerly served as logical barriers against concentration risk no longer afford substantial protection. Institutions should consider systemic risks as appropriate subjects of internal risk management, looking for mitigation techniques that preserve resilience in the face of simultaneous failures of multiple systems. These could be caused by the failure of common service providers such as those in the payment and settlement system. BITS 2010. 4

TYPES OF CONCENTRATION RISK Service Provider Concentration Institutions may discover they have not adequately spread their counterparty risk because they have given a single service provider too great a percentage of a single process, too many processes, too many applications, or too great a percentage of customers. Business Process Outsourcing (BPO) may be subject to greater concentration risk because it often includes operations, applications, and technology/infrastructure. If too much work is performed by a single service provider, any failure to deliver might impact the safety and soundness of the institution. Subcontractor Concentration Closely related to service provider concentration, subcontractor concentration can exist in two ways. First, an institution may have an unacceptable concentration of risk with a single service provider. This service provider may then be outsourcing most or all of the core processes to a single subcontractor. This situation, though not always transparent to the financial institution, represents both a service provider concentration risk and a subcontractor concentration risk. If either the service provider or the subcontractor failed to perform, the financial institution would be forced into its contingency plan for the affected process or processes. Second, subcontractor concentration can exist where there is no service provider concentration. An institution may have adequately diversified the performance of a key process, but each of those service providers may in turn be outsourcing the process or a key element of the process to the same subcontractor. In this case, the institution may be partially insulated from a failure by one of the service providers, but remains exposed to failure by the underlying subcontractor. For more information on a broader range of risks presented by subcontractors, refer to BITS Key Considerations for Managing Subcontractors (June 2008). Reverse Concentration Financial institutions should also be alert to cases in which they or another organization represents a concentration risk to their service providers. This is, from the institution s point of view, reverse concentration risk. It occurs when the institution or other client represents too large a portion of the service provider s business. Where reverse concentration risk exists, dramatic changes in transaction volume caused by mergers and acquisitions, market conditions, or sector-specific economic upheaval can each undermine the viability of a service provider overly dependent on the financial institution. Institutions should also be aware that reverse concentration risk can exist at the subcontractor level if that organization is wholly or mostly dependent on the work it performs, indirectly, for the financial institution. Similarly, reverse systemic risk is present when a service provider has a number of clients, but most or all of those clients come from a single sector of the economy. BITS 2010. 5

Geographic Concentration Concentration risk can also occur based on geography whether domestic or foreign. An institution may not have adequate protection against concentration risk if it diversifies among service providers, but fails to ensure that the work is performed in geographically diverse locations. For instance, financial institutions trading and settlement operations are vulnerable to concentration risk due to the tendency to cluster around exchanges and correspondents in global financial centers like New York, London, Frankfurt, Hong Kong, and Singapore. In other cases, geographic concentration risk may result from a cluster of service providers being located in a single geographic area. For example, many BPO providers are located in and around Mumbai, Hyderabad, Bangalore, and Chennai, India. The 2008 terrorist attacks in Mumbai adversely affected outsourcing operations in that city and the ripple effects were felt in other major Indian outsourcing locations, because many foreign companies restricted travel. Geographic diversity may or may not mean substantial physical distance. Institutions should consider the concerns that recommend geographic diversity and examine whether those concerns are relevant to their situation. Among the most important geographic concerns are geopolitical stability, exposure to natural disasters, and communications infrastructure independence. These concerns may apply in the same country, as well as with respect to multiple countries in a region having similar economic, geographical, sociological, or political considerations. These considerations may also be relevant to a service provider or multiple service providers that subcontract services to a single subcontractor in a location having material economic, geographical, sociological, or political risks. BITS 2010. 6

IDENTIFYING CONCENTRATION RISK Concentration risks are best identified with the assistance of well-designed and well-maintained vendor management processes and systems. The systems and processes will need to be supported by accurate information regarding the truly crucial processes or elements of processes being outsourced and the party (whether institution, service provider, or subcontractor) actually performing the crucial work. The importance of data for the ability to detect risk cannot be overestimated. It is equally important that the data be evaluated so that risks can be detected and responses, both proactive and reactive, can be planned and executed. Institutions should carefully consider whether to define limits or thresholds at which concentration risk remediation begins. Just as credit risk can be calculated based on a standardized approach of specific risk weights for certain types of credit risk, concentration risk may be amenable to calculation based on assigned weights for concentration risk categories (for example, the types identified above). Weighting should be based on the institution s judgment of risk rank for each category chosen and must allow for cumulative effects of multiple risks. If an institution determines that it should establish concentration risk thresholds, care should be taken to avoid overly broad thresholds and both the exception approval process and any granted exceptions should be well documented. It may be useful to adopt a process that requires executive acknowledgement and acceptance of any concentration risk that falls outside the bounds generally accepted by the institution. Mergers and acquisitions represent a particular threat in the area of concentration risk. Merged institutions may find that they have inadvertently rapidly increased their exposure to a particular service provider, subcontractor, or geography. In the press to consolidate service provider relationships, renegotiate or cancel contracts, and integrate vendor management programs, concentration risk concerns may not receive immediate and appropriate attention. Written concentration risk acceptance and mitigation policies should specifically address the merger and acquisition scenario. Similarly, mergers and acquisitions among other financial institutions or among service providers can affect an institution s concentration risk. Notice of these changes should be actively and regularly sought in order to leave adequate time for analysis and risk identification. Commercial services are available that may help institutions sift through publicly available information to locate relevant reports and announcements. BITS 2010. 7

REMEDIATING CONCENTRATION RISK First, institutions can reduce concentration risk through robust initial due diligence and ongoing monitoring. Not every process is a candidate for either service provider or geographic diversification. Especially in these cases, the financial institution should assure itself that the service provider and its subcontractors are financially healthy, adequately secure, and otherwise competent to perform. Second, careful contracting is a valuable risk mitigation tool. Contract terms can assist a financial institution to identify potential vendor concentration risk, and/or mitigate against a service provider s default in material obligation(s) due to concentration risk(s), and include the following: (a) (b) (c) (d) (e) Notification and Consent to Subcontracting: Requiring notification and consent to any vendor subcontracting of services will permit the financial institution to assess potential concentration risk(s) as part of the overall subcontractor review process. Right to Solicit and Hire Vendor Employees: Terms that permit the institution to hire the service provider s relevant employees if the service provider fails may provide some measure of protection against concentration risk. Care should be taken when entering into contracts that prohibit immediate subsequent hiring of a service provider s employees or subcontractors. Institutions should negotiate for an exception to these common clauses that would permit such hiring in the event the service provider goes out of business or fails to meet certain critical requirements (e.g., a materially weakened financial position that falls short of complete insolvency or bankruptcy). Transition Assistance: Transition assistance provisions may also mitigate against the risk of service provider default, and may include (1) obligating the service provider to continue providing services for a pre-determined period after contract termination, at the financial institution s election, (e.g., up to six months after notice of termination, as specified in the termination notice) (2) knowledge transfer, and (3) data and records return (in a pre-agreed upon format), or transfer to new a service provider. Audit Rights: Strong audit rights (including the right of regulators to audit) may help identify unknown service provider (and/or subcontractor) concentration risk, or financial issues due to existing concentration risk. Reporting and Requests for Information: Similarly, a right to request reports and general information on an ongoing basis as part of the monitoring and oversight process may assist the institution in the identification of service provider (and/or subcontractor) concentration risk. Third, financial institutions may find that in some cases they can mitigate their concentration risk by maintaining some level of internal capacity or alternate external capacity to perform the essential function in case of emergency. In addition to maintaining capacity in reserve, institutions should keep updated files on potential alternate service providers. Properly done, this can help an institution achieve an acceptable level of due diligence in a shorter period of time if a new service provider is unexpectedly required. BITS 2010. 8

Fourth, some processes are so critical or the volume is so large, that the work may be more easily spread among different service providers or across a service provider s geographically diverse facilities. Where this is possible, an institution will still need to consider the cost of the diversification and potential risks (such as socioeconomic, economic, geographic, and political risks) against the benefits of reduced concentration risk. Fifth, the institution should have contingency and continuity plans which are regularly updated, tested, and reviewed that specify, among other things, (a) who will perform the critical work in the short term, (b) who will perform the critical work after the short term, and (c) the time lines and processes for moving the work among these parties. Where concentration risks are not able to be mitigated through other measures, such as diversification, other approaches to mitigation may include: (i) business impact analyses; (ii) control evaluations; (iii) redundant systems; (iv) locating backup sites near central utility hubs that are different from those used by primary sites; (v) more frequent (1) monitoring and oversight processes (e.g., audits, reports, requests for information), and/or (2) financial reviews; and (vi) a robust exit plan which at a minimum establishes a detailed process for managing the transfer of the applicable services back in-house or to another service provider. Sixth, understand that some concentration risk is associated with utilities and other organizations that make traditional monitoring and oversight more difficult. In some cases, replacement may be extremely difficult and, where systemic risk exists, almost unimaginable. Carefully identifying these risks and detailing specific continuity plans will better prepare the institution for these more challenging possibilities. Some cases of systemic risk, especially industry utilities, may warrant industry-wide risk mitigation considerations. BITS 2010. 9

CONCLUSION Detection and mitigation of concentration risk with respect to third-party service provider outsourcing relationships is an ongoing operational risk management and vendor oversight activity which should include the following: 1. Identification of third-party service provider relationships which may pose significant operational risks. This process should include assessment of both single and multiple vendor relationships (including subcontractors), as well as in a financial institution s aggregate concentration risk across all of its locations (domestic and international), businesses, and service provider relationships. 2. Development of a detailed information-gathering process, beginning with initial due diligence, which at a minimum describes the critical processes or elements of processes being outsourced and the party (whether institution, service provider, or subcontractor) actually performing the work. Such information at the sourcing stage may help a financial institution avoid initiating a new third-party service provider outsourcing relationship which would cause the institution to exceed established concentration risk thresholds. 3. Consideration of contract provisions which may mitigate concentration risk, such as notification and consent to subcontracting, vendor employee solicitation and hire rights, vendor transition assistance (whether upon termination for convenience or for cause), audit rights, and service provider obligations to provide reports and respond to requests for information. 4. Development of contingency, business continuity, and other mitigation plans to adequately address identified concentration risk(s). 5. As with all components of managing outsourcing relationships, review concentration risk during ongoing oversight to evaluate whether changes in the evolving service provider business relationships increase one or more areas of concentration risk which warrant risk mitigation activities, including making appropriate adjustments to contingency plans. Ongoing oversight assessments should take into account all third-party service provider relationships that the financial institution has identified as posing significant operational risks, including those described in paragraph 1, above. BITS 2010. 10

APPENDIX: MITIGATION MATRIX This matrix applies the mitigation techniques discussed in this paper to the different types of concentration risk. While intended as a helpful, non-prescriptive guide to developing and maintaining your concentration risk mitigation analyses, this is not a substitute for careful work by vendor management professionals. All mitigation efforts should occur in the context of an institution s larger vendor risk profile. Concentration Risk Service Provider Subcontractor Reverse Service provider dependent on too few clients/industries Subcontractor dependent on too few clients/industries Geographic Systemic Risk Mitigation Techniques Initial due diligence; Contracting; Alternate capacity planning; Diversification (service provider); Continuity planning Initial due diligence to discover relevant subcontractors; Contracting; Alternate capacity planning; Diversification at service provider or subcontractor level, as appropriate; Continuity planning Initial due diligence to discover service provider client base; Contracting to require notification of material change in situation; Alternate capacity planning; Diversification (service provider); Continuity planning Initial due diligence to discover relevant subcontractors and subcontractor client base; Contracting to require notification of material change in subcontractor situation; Alternate capacity planning; Diversification (service provider); Continuity planning Alternate capacity planning; Diversification (geographic); Continuity planning Initial due diligence to discover systemic risk; Continuity planning; Industry mitigation efforts where possible BITS 2010. 11

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information