The emphasis on operational resilience is greater than ever in a post-pandemic world. Most notably, the financial services sector has received a lot of attention regarding operational resilience due to the announcement of new regulations by the FCA and PRA. These regulations were created in an effort to strengthen the risk management practices of the financial services sector to better protect the public. A major concern within these new regulations is maintaining operational resilience when outsourcing.
The Requirements Of Regulated Financial Firms
By law, firms need to assess all of their business services and conduct a business impact analysis for each. A business impact analysis will set the tolerance against future disruption for each business unit. However, many businesses outsource important processes and have third-party partners in the operational process. During this process, many firms will have to take a hard look at their third-party partners and ensure that they are taking adequate steps toward risk management, so the burden doesn’t ever fall on their own organization.
When you outsource key business processes, you expose your organization to new risks. A common issue is when a single vendor or supplier is the only one for a particular market vertical. For example, this can be seen in the microchip market today. Many car and computer manufacturers use one supplier for microchips, which is driving costs through the roof. These costs trickle down to the organization that outsources, which can disrupt important relationships with clients. This is one of many new risks that organizations expose themselves to when outsourcing.
How Can Firms Manage Outsourcing Risks?
There are a few different ways you can manage these risks. First, you should always keep the negotiation power in your court. Improving negotiations and having other suppliers gives you leverage when price hikes or other supply chain issues occur. Many potential risks can be mitigated heavily by proper planning. Second, you should conduct pooled audits of your potential third-party vendors. A pooled audit is where multiple companies audit the same company to determine what risks could arise. Your own organization may miss some things another organization can catch. Lastly, organizations should have the ability to sub-outsource in the event of last-minute changes to the supply chain. Sub-outsourcing allows your organization to pivot quickly to another third-party vendor that can carry the load while your primary vendor handles its breach.