Managing Outsourcing Risks
Joseph A. McCahery, Tilburg University and ECGI
September 18-22, 2017, Central Bankers and Private Bankers Certificate Programme, Dilijan
Outline
I. Outsourcing in Financial Institutions
II. International Principles and Standards on Outsourcing
III. Outsourcing Contracts
IV. Monitoring and Enforcement of Outsourcing Contracts in Financial Institutions
V. From Outsourcing to Cloud Computing
1. Outsourcing in Financial Institutions: Regulation of Outsourcing Arrangements
Outsourcing of banking and financial services has attracted supervisors’ and regulators’ attention. In the EU and US, outsourced operations are treated as the institution’s own operations and are subject to examination and other scrutiny.
Regulatory guidance in regard to diligence, contracts and governance adheres to good commercial practice.
How do financial institutions address outsourcing risk contractually?
Can contract terms help mitigate quality and enforcement problems?
Do some risks of relative importance and complex contracts require more innovative approaches, such that the parties do not fully specify all aspects of a contract?
1. Outsourcing in Financial Institutions: Examples of Outsourcing Concerns
An asset management firm outsources operational activities to a third-party provider that is part of a financial institution considered “too big to fail”
The need for on-going and effective business continuity and information monitoring programs is well appreciated
If a big shock does come or a stressed scenario occurs, firms may not be able to rely upon the transfer of operations to other providers, step-in rights or other remedies to address
In an environment of generalized financial distress, financial institutions need to rely on:
a viable exit strategy in case of supplier termination
a robust business contingency plan that ensures protection is available even under stressed market conditions
1. Outsourcing in Financial Institutions: Why Outsource?
1. Outsourcing in Financial Institutions: The Crisis and Outsourcing for Financial Services Firms
Banks around the world have delegated or outsourced computer-based risk models for pricing hybrid and complex securities.
Data mining and credit scoring software used by financial institutions to market mortgages, loans and other financial products to consumers failed to pick up important market changes that led to the availability of credit for mortgages, many of which suffered failures.
Longer-term structural change caused by the crisis has led to growing momentum for banks to move more high-end, complex or analytical processes offshore, while moving simpler processes to third parties.
Reduction in margins has translated into:
Investment banks adopting a buy model to support their transactional processes
Banks spreading operations across locations to decrease dependence
2. International Principles and Standards on Outsourcing: Basel Guidelines, Nine Core Principles
Comprehensive policy on whether and how specific activities may be outsourced
Comprehensive outsourcing risk management process
Procedure that ensures outsourcing agreements refrain from impinging on existing regulatory compliance and effective supervision
Process to secure adequate due diligence in selection
Comprehensive written contracts
Adequate contingency planning
Confidentiality and security of sensitive information
Regulators:
Take outsourcing into account in ongoing risk assessment; and
Be aware of outsourcing risk.
2. International Principles and Standards on Outsourcing: FFIEC’s Four Risk-based Policies, 1. Policy and Procedure
Comprehensive taxonomy of operations by business-criticality (materiality)
Outsourcing and extent of regulation
Risk identification in multiple scenarios
Tender process and objective assessment criteria
Operational, financial, regulatory evaluation
Country risk
Board responsibility and coverage
Strength of voice within organization
2. International Principles and Standards on Outsourcing: FFIEC’s Four Risk-based Policies, 2. Contracting
Definition, scope, function, cost
Access to, and ownership of, information
Reporting and notification
Monitoring and assessment
Confidentiality and security (NDA)
Dispute resolution
Contingency planning
Termination and exit
Alignment of incentives
Subcontracting limitations and approval
Guarantees and indemnities
Compliance with firm’s policies and procedures
2. International Principles and Standards on Outsourcing: FFIEC’s Four Risk-based Policies, 3. Vendor Management
Service Level Agreements
Independent assessment
Triggers: termination
Key Performance Indicators (specificity and flexibility)
Qualitative and quantitative
Independent audit
Remedial action (penalties)
Reporting and periodic assessment
Bonus/malus; improvement measures
Alignment of incentives
2. International Principles and Standards on Outsourcing: FFIEC’s Four Risk-based Policies, 4. Post-Agreement Activity
Contingency planning (in-house expertise/management; back-up vendor)
Ongoing confidentiality and security obligations
Intellectual property rights
Regulator access and supervisory authority over service providers
2. International Principles and Standards on Outsourcing: OCC Bulletin 2013-29
Office of the Comptroller of the Currency and Office of Thrift Supervision (OCC Bulletin 2013-29): updated guidance to US banks and federal savings associations concerning risk management arising from third-party relationships (vendors and non-contractual entities)
Principles framed in terms of the ‘life cycle’ of such relationships
Encourages financial institutions to introduce risk-management procedures early in relationships
Flexible guidelines requiring risk-management procedures commensurate with the level of complexity of a firm’s third-party relationships
Requires comprehensive risk management and oversight of third-party relationships involving ‘critical activities’
2. International Principles and Standards on Outsourcing: OCC’s Updated Risk Management Guidelines, Eight Characteristics of Effective Risk Management
Preliminary plans identifying the risks of the third-party relationship and the process of selection, assessment and oversight;
Due diligence and selection procedures, including on vendors’ vendors;
Written contracts, including scope, performance benchmarks, information and audit rights, compliance, cost and compensation, ownership and licensing, confidentiality, business interruption, contingency rights, indemnification, insurance, dispute resolution, liability, default and termination, rules on subcontracting, choice of law and OCC supervision;
Ongoing monitoring procedures, including business strategy, compliance, financial condition, insurance coverage, retention of key personnel, risk management and response to audit findings, adjustment of policies to changes in the business environment, threats or vulnerabilities, management of information systems, response to disruption, exposure to risk from sub-contractors, and conflicts of interest;
Termination rights and adequate transition procedures;
Division of responsibility for oversight and accountability between board of directors, senior management and bank employees.
Documentation and reporting requirements to facilitate accountability and monitoring.
Independent audit or review of the financial institution’s risk management procedures and of a third party’s internal controls.
Scope of OCC Monitoring of Outsourcing Arrangements
All outsourcing arrangements, with emphasis on critical activities (payments, clearing and settlement, shared services such as IT, and other activities with significant impact on customers).
Critical activities require heightened scrutiny of all aspects of risk management, requiring board approval of such arrangements and senior management involvement in negotiation and monitoring.
The guidelines acknowledge the inadequacy of pre-crisis regulations.
3. Outsourcing Contracts: Four Risk Scenarios Associated with Outsourcing
Lock-in
Contractual amendments
Unexpected transition and management costs
Disputes and Litigation
So, what are the consequences associated with the four risk factors?
1. Service debasement: quality declines through the contract or falls below agreed-upon levels
2. Cost escalation: not just the cost of performing the activity, but a range of costs, including development and monitoring costs
3. Outsourcing Contracts: Risk Map of Outsourced Functions
[Figure: outsourced functions plotted from low-risk to high-risk suppliers]
Strategic Risk: Shirking; Renegotiation Risk; Appropriation Risk; Concentration Risk; Relational Risk
Operational Risk: Compliance Risk; System Breakdown; Communication
Geographic Risk: Country/Sovereign Risk; Exchange-Rate Risk
Function categories: Basic Services; Transactional Functions; Supplemental Functions; Core Functions
Functions shown: Catering; HR; Accounting; IT; Compliance / Legal; Marketing; Product Management; Front Office
Axis: Low Risk to High Risk Suppliers
[Figure: Business Criticality, Transaction Cost and Hold-Up Risk]
3. Outsourcing Contracts: Risk Mitigation Mechanisms
Firms exposed to lock-in can respond in a variety of ways:
Dual sourcing
Mutual hostaging
Contractual amendments can be avoided by
Sequential relationships
Flexible contracting: price adjustments, provisions for termination, renegotiation, and shortening of the contract
Unexpected transition and management costs mitigated by
Hiring technical expertise
Disputes and Litigation addressed through
Alternative dispute resolution or mediation
3. Outsourcing Contracts: Governance Controls
[Figure: control mechanisms by level of governance; adapted from Nicholson and Aman, 2008; and Padovani and Young, 2006]
Levels: Micro-level; Mid-level; High level
Control types: Formal Controls; Informal Controls; Norms and Guidelines; Outcome Control; Behavioral Control
Measures: Process Measures; Result Measures; Social indicators
Control instruments: Regulatory contract, Detailed process-level KPIs, NDAs, Policies, Rules and processes; Flexible contract, Outcome-focused KPIs, Externally driven SLAs, Accounting controls; Principle-based contract, Corporate culture, Relational outcomes
Governance continuum: Spot Market -> Short-term Contract -> Long-term Contract -> Strategic Alliance -> Joint Venture
Hierarchical Governance: Unilateral Relationships; Behavioral Controls; Hard Obligations
Relational Contracts: Flexible Relationships; Output Controls; Negotiable Obligations
Market Governance: Equity Ownership in Service Provider; Commoditization of Services; Alignment of Incentives
Continuum: Strong Governance to Weak Governance
Contract Terms | Hierarchy (Strong Governance) | Relational (Medium Governance) | Market (Weak Governance)
Financial Incentive Terms
- Pricing Structure | Cost-plus | Fixed fee / Cost-plus | Fixed fee
- Equity purchase | No | No | Yes
- Other Control Rights | Earn-out | Penalties | -
- Personnel | Key-man | No | No
- Direct control | Micro-managing | No | No
- Business process control | Yes | Limited | No
- Training | Yes | No | No
- Service level agreements | Frequent focus | Verification | High-level
- Third-party monitoring | Extensive | Limited | Limited
- Reporting | Frequent | Periodic | Infrequent
Duration and Dispute
- Termination | Some | Some | Some
- Escrow | Key information / assets (all columns)
- Dispute Resolution | Arbitration / internal mechanism (all columns)
4. Monitoring and Enforcement of Outsourcing Contracts: Empirical Study
Aim: Understanding of monitoring and control behavior of financial institutions
Methodology: Comprehensive survey that directly measures preferences of institutions with respect to four main areas:
Consideration of outsourcing: screening and evaluation
Monitoring capacity of outsourced activities
Contractual mechanism between financial institution and service provider
Conflict resolution and termination
Survey: focuses on the legal perspective regarding outsourcing
The financial institutions are regulated and therefore incorporate risk mitigating strategies in their outsourcing procedures
Respondents: surveys sent to risk managers of the 828 AFM-registered financial institutions located in the Netherlands
82 financial institutions responded to our survey, a response rate of 10%
72 responses showed consistency throughout the survey
4. Monitoring and Enforcement of Outsourcing Contracts: Main Findings (2), Monitoring Capacity
The main factors driving the overall monitoring oversight are
Legal environment of the financial institution: positive effect
Post-agreement oversight: positive effect
Termination/Negotiation: positive effect
Financial institutions attach less value to other important risk-mitigating factors, although from a regulatory perspective these should be incorporated
4. Monitoring and Enforcement of Outsourcing Contracts: Financial Institutions’ Characteristics
4. Monitoring and Enforcement of Outsourcing Contracts: Financial Institutions’ Outsourcing
[Figure: Outsourcing in Financial Institutions; share of respondents (0% to 70%) outsourcing each activity, by firm type: Financial service firm, Investment management firm, Insurance Firm, Other]
Activities: Internal control; Facilities management; Security (IT); Privacy Protections; Maintenance of Records; Business Resumption; System Development; Employee Checks; Asset/liability management; Risk management; Accounting
4. Monitoring and Enforcement of Outsourcing Contracts: Hypotheses and Predictions
We hypothesize that, in the screening and evaluation process of financial institutions, costs are most important
We hypothesize that large financial institutions are more capable of performing monitoring oversight than smaller financial institutions
We hypothesize that the contractual mechanism is used to govern the relation between service provider and institution as a risk-mitigating strategy proposed by the regulator
We hypothesize that termination clauses are deemed important in order to prevent a potential hold-up problem in the relation with the service provider
4. Monitoring and Enforcement of Outsourcing Contracts: Consideration of Outsourcing
Note: range from 0% = Strongly disagree to 100% = Strongly agree
4. Monitoring and Enforcement of Outsourcing Contracts: The Risk Perception of Financial Institutions
4. Monitoring and Enforcement of Outsourcing Contracts: Monitoring Capacity
4. Monitoring and Enforcement of Outsourcing Contracts: Control and Financial Aspects in the Relation with the Service Provider
These results are not observed in the contractual preferences
4. Monitoring and Enforcement of Outsourcing Contracts: Conflict Resolution and Termination
4. Monitoring and Enforcement of Outsourcing Contracts: Implications of Findings
Institutions focus on issues related to the quality performance of the service provider
For screening and evaluation of service providers, institutions say that they decide based on quality and costs
Confirms Ren and Zhang (2005) that most outsourcing contracts fail to realize efficiency gains when they fail to consider trade-off between costs for capacity and quality.
In contrast with previous studies, financial risk associated with outsourcing is deemed less important
Monitoring receives less attention, except for relative performance related to the service level agreement. Moreover, there is no substantial difference between small and large firms
Risk-mitigating strategies other than termination are less likely to be implemented
Dissatisfaction with services performed by service providers leads to renegotiation; thus termination impacts the feasibility of the contracts
4. Monitoring and Enforcement of Outsourcing Contracts: Factor Analysis
We decompose the monitoring oversight of financial institutions using a principal component factor approach
10 factors are constructed using the survey responses
For example, the legal environment of the financial institutions factor is constructed from questions on the ability to contract with service providers
4. Monitoring and Enforcement of Outsourcing Contracts: Model
We decompose the oversight as follows
4. Monitoring and Enforcement of Outsourcing Contracts: The Estimates of Our Model
4. Monitoring and Enforcement of Outsourcing Contracts: What are the Implications?
Three important factors for determining the oversight capacity of institutions:
Legal environment: Importance for awareness of the supervisor
Post-agreement monitoring: largest impact on general outsourcing oversight
Termination: Institutions with high capacity seem to have significant bargaining power over the service providers
Other risk mitigating factors do not seem to be important
Regulators emphasize most of these risk mitigating strategies (OCC 2013)
5. From Outsourcing to Cloud Computing
Cloud Computing: the use of computing power and/or storage capacity of a third party
Also, use of third-party applications residing in the cloud
Seen as a new cost-savings model
Will Cloud Outsourcing Replace Outsourcing?
Perhaps for some limited transactions, but it requires an entirely different business model
Does not offer many of the core competency cost-saving and risk mitigation benefits of outsourcing:
• Far less control
• Limited service levels, etc.
5. From Outsourcing to Cloud Computing: Five Features of Cloud Computing
Sharing of Resources: resources shared at network, host and application level
Elasticity: rapid increase or decrease of resources when required
Broad Network Access: resources accessed from thick or thin platforms
Pay-as-you-go: payment only for usage duration
On-Demand self-provisioning of resources: users can provision resources on a self-service basis at their choice
5. From Outsourcing to Cloud Computing: Major Factors Affecting Growth of Cloud Computing
Cost effectiveness: cloud computing enables a reduction in hardware and software costs as no capital expenditure is needed
Reduction in the number of IT people employed by the customer
Reduction in costs, as it enables payment only for the services used, as opposed to outsourcing
Architectural benefit: the cloud is a simple and abstract environment which enables access to data or applications at any time through multiple devices
Strategic benefit: it enables customers to allocate time to business strategies instead of IT
5. From Outsourcing to Cloud Computing: Main Challenges in the Cloud
Data Privacy
Loss of Location
– It is possible to identify the machines on which the data is located at the time of the request by the cloud service or infrastructure provider, but it is difficult to identify them at the time when the data was transferred
Forensic Challenges
– Multiplicity: replication of data by the service provider for performance, availability, back-up and redundancy; the copies are likely to be stored across different virtual and physical machines or in different jurisdictions
– Distributed storage: due to techniques used to store the data, such as sharding and partitioning, the data is likely to be stored as fragments rather than as a single continuous data set
– Protected Data: the submission of data by the cloud user may be in a protected form, such as encrypted form, which renders the data opaque to the cloud service provider
– Identity: difficulty in establishing a link between the data held in the cloud, the user device from which the data is created, submitted or accessed, the cloud service and an individual user
5. From Outsourcing to Cloud Computing: Unclear Distinction between Electronic Communication Services (ECS) and Information Society Services (ICS)
ECS do not include information society services (ICS) as defined in Article 1 of Directive 98/34/EC, which do not consist wholly or partly in the conveyance of signals on electronic communication networks. ICS, which are mainly regulated under the Electronic Commerce Directive, do not draw a clear distinction in terms of interpretation of the conveyance of signals; this creates legal and regulatory uncertainty for cloud providers.
Remote data retrieval v. seizure of suspect’s device
Remote data retrieval refers to obtaining a copy from the existing data, whereas the seizure of a suspect’s device refers to the taking of a property.
Multi-regime compliance
Personal data security rules: in practice, the personal data processor is obliged to apply the safeguards both in the law of the country of its registered office and in the law of the country of the data controller’s registered office.
5. From Outsourcing to Cloud Computing: Main Reasons for Cloud Computing
[Figure: Main reasons for using Cloud Computing; mean response (1 = Important, 5 = Unimportant)]
Items: Changing business environment and customers' demand; Improvement of internal accessibility; Cost Effective
[Figure: Main reasons for not using Cloud Computing; mean response (1 = Important, 5 = Unimportant)]
Items: Compliance Issues; Technical Issues; Lock-in: dependency on service provider; No need for capacity; Scalability and capacity issues; Security and Privacy Issues; Cost Ineffective
[Figure: Present vs. Future Cloud Users, business processes outsourced (0% to 60%); Existing Cloud Users vs. Future Cloud Users]
[Figure: Cloud Computing Activities (0% to 100%); Cloud Users vs. Future Cloud Users]
Cloud Contract Terms
Liability Exclusion, and Limits and Remedies for Breach
• Exclude liability
• Liability limited (direct losses only)
• Liability capped (e.g. 125% of 6 months’ fees)
Data Integrity, Resilience and Business Continuity
• Backups (no warranty as to data integrity), warranties (with liability)
• Warranties (with liability) for data loss or corruption
• More control (IaaS or PaaS) since users can terminate virtual servers
• SaaS providers (force majeure in the context of provider liability)
Service Level Agreements, Service Credits
• Guaranteeing different service levels at different prices
• Performance indicators (five or ten key indicators)
• Mission-critical applications (availability levels, warranties and undertakings on notice of termination, downtime etc.)
• Remedies are usually service credits
Data Location
• Location of data centers (warranties or undertakings that all data centers are in the EEA or EU)
• Data Prohibition Directive (prohibition of personal data outside the EEA unless specified)
• Enforcement (ensure that support etc. is not involved in transferring data to non-EEA countries)
• Prohibition on use of sub-contractors in certain contexts (pre-approval required)
Data Subject Rights
• Effective use of confidentiality (information on intended purpose and usage of service)
• Liability for breach of confidentiality (capped)
• Unauthorized usage (back-door access to user’s data and reserved rights)
• Service monitoring (limit scope of monitoring to, usually, security matters)
• Security measures (pre-contractual audits); certifications (standards); due diligence
5. From Outsourcing to Cloud Computing: Contracting with Service Provider
[Figure: Importance of Contract Terms with SP, contract term valuation by organisations; mean response (1 = Important, 5 = Unimportant)]
Terms rated: Dispute Resolution Terms; Step-in rights; Penalty and service credits for the SP; Incentive Schemes; Termination Rights; Subsets of material breach which allows for termination of…; Control and Governance Terms; Business resumption and contingency planning; Quality Terms: SLA provisions; Renegotiation terms and procedures; Timely access to financial statements; Insurance coverage of SP
[Figure: second panel; mean response (1 = Strongly agree, 5 = Strongly disagree)]
5. From Outsourcing to Cloud Computing: Monitoring and Termination
[Figure: Organisational assessment on contracting, negotiating and outsourcing; mean response (1 = Excellent, 5 = Poor)]
Statements: Our organisation monitors the SP's ability to innovate our services; Our organisation periodically monitors the financial condition of the SP; Our organisation establishes internal regulation on monitoring of a specific SP; Our organisation has a centralized risk planning and oversight process; We define termination rights for our organisation and limit termination rights for vendors; Our organisation can quickly terminate contracts following a quick change in control of supplier; Prior to rendering, we establish a SLA based on our standards; We draft our own standard master outsourcing contracts when negotiating
[Figure: Assessment of statements regarding termination; mean response (1 = Strongly disagree, 7 = Strongly agree)]
Statements: SPs are reluctant to invoke contractual rights before court from reluctance to appear hostile to the business environment; Breach of contract leads to renegotiation with the current SP rather than a new contract with another SP; Customer dissatisfaction can lead to renegotiation with the current SP regardless of negotiated terms
5. From Outsourcing to Cloud Computing: Statement of the Federal Financial Institutions Examination Council (FFIEC 2012)
First regulatory guidance for financial institutions on specific risks relating to usage of cloud computing
It outlines six important areas in outsourcing cloud services: due diligence of IT vendors, management of cloud IT vendors, vendor audit responsibilities, information security, legal, regulatory and reputational risks, and business continuity planning
It highlights that the contractual arrangements between financial institutions and cloud computing vendors should not account for legal and regulatory requirements and the potential benefits related to cloud computing
5. From Outsourcing to Cloud Computing: European Banking Authority, Draft Recommendations (May 2017)
Based on earlier CEBS Guidelines
Recommendations include data and systems, location of data and data processing, access and audit rights, chain outsourcing, and contingency plans and exits.
It outlines six important areas in outsourcing cloud services: risk assessment of cloud-based providers to ensure security of data; notification of location of data and processing services (special care outside the EU); institutions ensure service providers allow full access to networks and data used for services; requirements that all subcontractors comply with existing requirements; and exit plans should be well tested.
Many other technological innovations that use cloud computing (FinTech) will require attention in future.
5. From Outsourcing to Cloud Computing: Conclusions
Cost and quality are major considerations for users
Effective due diligence procedures are needed to screen competencies and capabilities of service providers
Termination rights and lock-in risks are major concerns for users