Outsourcing review will force firms to rethink risk

Many financial firms could struggle to meet international regulators' proposed guidelines

Financial services firms could come under pressure to review their outsourcing arrangements following the publication of a consultation document by international regulators.

Some experts have warned that many companies may struggle to meet the detailed guidance on minimising the risks of outsourcing deals if the regulators' proposals are introduced globally.

The consultation document was published by the Joint Forum - which includes global regulators for the insurance and securities industries and the committee behind the Basel 2 code on risk management. In the document the Joint Forum outlined the risks to financial firms posed by IT and business process outsourcing.

The Joint Forum said financial firms needed a policy to assess the suitability of outsourcing. It called for companies to put in place a risk management programme and urged businesses to conduct appropriate due diligence in selecting service providers.

Regulators would use the proposed guidelines and measures when conducting a review of the risks faced by financial firms.

These principles, which have yet to be ratified, are likely to have far-reaching implications for the way financial firms handle IT outsourcing deals, according to John Machin, head of sourcing advisory services at professional services firm KPMG.

The guidelines could be of real benefit to users and suppliers and improve the success rate of outsourcing deals, he added.

"[The Joint Forum principles] should hopefully make outsourcing contracts more transparent and reduce the number of disputed contracts over time. This is because there will be a clearer idea between users and suppliers about what is expected."

However, Machin warned that many financial services firms have a patchy approach to minimising the risks associated with outsourcing. "The initial due diligence for an outsourcing deal is often time-driven because, for instance, the company wants to announce something to the market. There can be the temptation to cut corners," he said.

Machin advised IT directors to review their relationships with their suppliers and to make sure their company has a coherent policy to minimise the risks of outsourcing deals.

Nigel Roxburgh, founding director of the National Outsourcing Association, welcomed the recommendations of the Joint Forum, which he said brought together best practice on outsourcing. He added that regulators should take a "light touch" to outsourcing and not wrap deals up in red tape.

The risks of outsourcing


  • The supplier may conduct activities on its own behalf which are inconsistent with the strategy of the user
  • Inadequate expertise to oversee the service provider.


  • Poor service from supplier
  • Customer service does not meet the standards of the user.


  • Privacy laws are not complied with.


  • Privacy and consumer laws are not adequately complied with
  • The outsourcing provider has inadequate compliance systems and controls.

Exit strategy

  • Lack of appropriate strategies to exit an outsourcing contract
  • Fraud or error in the contract.

Source: Basel Committee on Banking Supervision

The Joint Forum's guiding principles

  • A regulated firm considering outsourcing should have a comprehensive policy to assess whether the IT system or service is suitable to be outsourced. The board of directors should retain responsibility for outsourcing 
  • Establish a risk management programme to oversee the outsourced services and relationship with the supplier. Consider the effect on the user of the failure of an outsourced service, the cost of the service, and the links between the service and other parts of the user's business 
  • Conduct appropriate due diligence in selecting third-party service providers 
  • Outsourcing contracts should be governed by written contracts that clearly describe all material aspects of the outsourcing relationship, including the rights, responsibilities and expectations of all parties 
  • Regulated firms and service providers should establish and maintain contingency plans, including disaster recovery and periodic testing of back-up facilities.

Source: Basel Committee on Banking Supervision
