By Alex Saric, Smart Procurement Expert at Ivalua
As UK banks try to keep up with the pace of transformation, meet customer expectations and drive efficiency, outsourcers are becoming embedded in key areas from people to technology and processes, helping to share the load.
But sharing the load also means sharing the risk. Outsourcer failure can expose banks to all manner of risks across the supply chain, from poor environmental practices to modern slavery, corruption, or data privacy breaches. The cost of outsourcer failure is skyrocketing too. Deloitte found almost half of organisations (46%) said the financial impact of third-party or subcontractor failure has at least doubled over the last five years.
At the same time, the upcoming Prudential Regulation Authority (PRA) regulations are set to increase banks’ accountability for risk when identifying, selecting and managing third parties. This could be an astronomical task for the procurement department, but it’s an essential one. Banks need to make sure they are preparing for the new rules efficiently.
Those who don’t comply could face dismissal of top management, limitations on their banking activity or even suspension of banking authorisation. What’s more, banks that don’t improve resilience will be less able to combat supplier risk at a time when third-party data breaches and CSR issues are rife.
A new set of rules
To reduce supplier risk and prepare for the incoming PRA rules, banks must drastically improve visibility into their suppliers and other third parties. They must also put due diligence and business continuity plans in place, so they can identify risks ahead of time.
Essentially, the PRA says the rules will “improve the ability of firms to manage relevant risks and facilitate oversight of outsourced and third-party service providers by firms and the PRA.” This will help financial institutions to make informed decisions and ensure records are accurate and easy to audit.
Practically, financial institutions will need to bolster their record keeping and governance, and develop detailed processes for risk assessments on all suppliers and outsourcers. They must also ensure contracts always contain clear descriptions of outsourced functions, renewal dates and termination notices.
The 2019 European Banking Authority Outsourcing Guidelines cover a lot of these record-keeping needs, requiring an up-to-date register of information on all outsourcing arrangements. But banks have never had to delve so deeply into how their outsourcers prepare for, manage and react to disruption.
Increasing governance and control
To improve visibility for each outsourced project, banks must ensure they have a digital repository of policy documents, specifying expiry dates and notifying stakeholders when an important date is approaching. To maximise the value of this additional reporting, banks must gather this data into a single repository, and use it to enforce policies across the complete Source-to-Pay process.
For critical outsourced activities, banks should also put specific approval workflows in place, including involving compliance teams when needed, launching risk assessments, and ensuring that dedicated clauses are signed off by suppliers. Improvement plans should be automated and auditable when gaps are identified, to both ensure issues are rectified and prove that the bank acted responsibly.
Banks must continue to improve their audit capabilities so they can show if an outsourcer is critical or non-critical, onshore or offshore. But the new rules will require them to go further; banks must collect data to mitigate any potential risks. This includes data on contract audit timings, identified alternate suppliers, substitutability, and re-integration assessment plans. So, procurement teams need to ensure they can gather this information quickly.
Going beyond tier one suppliers
It’s no longer enough to track supply chain risk in direct suppliers. Banks must strictly and permanently assess, manage and mitigate their third-party risk, including subcontractor exposure, also known as fourth-party risk, before entering into an agreement.
To track outsourcing risk at such a granular level, organisations must establish comprehensive supplier risk mapping with a direct view into the subcontractors and their risk level. This will create a complete view of risk, aggregating internal risk data sources, and external sources like Ecovadis, which rates suppliers on CSR and sustainable procurement practices. Risk maps can also be designed so procurement leaders and stakeholders will receive contextual alerts in case of a rising risk exposure, giving them a head start on forming mitigation plans.
A smarter choice
As the cost and frequency of outsourcing failure rise, banks must choose the right technology to prepare effectively for upcoming PRA regulations and reduce supplier risk. If not, it could cost them huge amounts of additional time and resources and increase risk exposure.
This means taking a smart approach to procurement, implementing the right tools to manage supplier data. Banks need a platform that can manage, automate and drive efficiency across the sourcing, contracting, supplier management and contract assessment stages, and that is compliant with regulations. What’s more, as processes are digitised, they can be easily configured to accommodate updated regulations or changes in outsourcing contracts, avoiding future disruption.
Armed with greater visibility and flexibility across the supply chain, financial institutions can reduce risk when onboarding, managing and ending outsourcing relationships. Ultimately, this will speed up the onboarding process, saving time and cost, while also reducing risk of non-compliance.