As financial firms become increasingly reliant upon third parties to deliver key business services, the potential risks these partnerships place upon a firm’s operation resilience are of greater concern to regulators.
A new paper from Capco, Getting the Mix Right – A Look at the Issues Around Outsourcing and Operational Resilience, explores how firms should engage with third parties for the delivery of critical services and the best practices they should follow to meet regulators’ expectations of how third parties should be managed. Central to both of these is the importance of fully integrating third parties into a firms’ operational resilience environment to ensure preparedness on scenario planning and recovery control.
Capco highlights three principles – Prepare, Manage and Learn – to ensure optimal levels of operational resilience. The paper’s key takeaways include:
- Start the conversation early: When firms are outsourcing to a third party, they must be clear on their partner firm’s ability to maintain service delivery in the face of disruptive events, and that they will be appropriately prioritised by that partner when it comes to ensuring resumption of services. Addressing these points at the very start of the engagement process is vital to understanding if the third party can meet the obligations set out in the contract.
- Coordination and efficiency can overcome disruptive events: The key truth underlying all aspects of operational resilience planning and execution is that disruptive events will happen – and often in unpredictable and unforeseen ways. Identifying these issues early, notably through data analysis and effective communication, will reduce any delays in responding to events and enable the recovery of the compromised process through collaboration.
- Assess past events: Identifying lessons from previous events that have impacted the firm and other organisations is key to ensuring ongoing future resilience. Third parties should be included in the analysis of past events and scenario planning to identify how future vulnerabilities can be mitigated. With incoming UK operational resilience regulations mandating annual self-assessments, any third parties involved in delivering key services should be included in this process as a matter of necessity.
Will Packard, Managing Principal at Capco and author of the paper, comments: “The expansion in the use of third parties to deliver key services looks set to continue as financial services firms focus on competitive advantage and cost reduction. While this undoubtedly creates challenges in an operational resilience context, if firms follow a clear process of best practice when engaging with third parties, it should have the effect of hardening delivery processes and improving overall resilience.
“With careful management, and by incorporating operational resilience considerations into the conversation right from the outset, outsourcing to third parties is not detrimental to the reliable delivery of important or critical services. In fact, it is can be central to improving operational resilience for an enterprise. However, ensuring proper engagement and planning is likely to be a significant undertaking for most firms, and they will need to give careful consideration as to how this is factored into their timelines and budgets in order to meet the applicable regulations.”