Third party providers or Outsourced Service Providers (OSP), have become a critical component of a firm’s operating model and over a number of years this criticality has increased as more services are outsourced. While OSPs may have a level of responsibility to you (if they supply services to you), it is vital to remember that your clients are YOUR clients – not the third party’s clients. It may be a chain, but your firm bears responsibility for and accountability to the client, not the OSP, no matter what is written into a contract.
If a client can’t get money out of their ISA and they need it urgently, it will be you they blame, not the OSP. While firms can outsource activities, they cannot outsource the accountability of Operational Resilience. And regulators are absolutely clear on this fact. Be under no disillusion a contract is going to direct the regulator to the OSP, they are coming after the firm.
A simple way to think about the relationship between an organisation and its OSP, is that an organisation is only as strong as its weakest provider. And it doesn’t matter how large that OSP is. When an OSP delivers key parts of your service, if a disruption to their service could impact one of your important business services, you must be comfortable with their resilience.
But this regulation is new for OSPs too. It’s important that you build a relationship of strength and involve the OSP in your Operational Resilience programme at the earliest possible stage and on-going. This should not become a “them and us” exercise. It is about working closely and in tandem to reach the best outcome for clients and the market. Our clients are often using our OSP framework to ensure close alignment of objectives and monitoring of service and progress.
Another consideration is the fact that while there will be contracts in place with some of your OSP’s third parties, this will not be the case for all. While some will be a supplier to your organisation, others may be firms you rely upon but where there is no contract in place to fall back on. Relationships with these organisations are also critical so, again, it is important to engage and build a relationship of trust with key contacts as soon as you can.
Firms also need to build OSPs into their Operational Resilience framework. Firms must map the processes, technology, information, people, and facilities that are critical to the delivery of their important business services. But firms should also look to map their third parties and be clear on where interactions occur, and threats exist. This may already be undertaken as part of a business’s wider OSP Management framework although ultimately, firms need to know what parts of their services touch which OSPs – and critical fourth parties, where appropriate too.
Within the sector a number of firms will use the same OSP. This appears fine from the perspective of service alignment, but in reality, it can create a concentration risk that all firms should seek to discuss and address with the OSP. In reality, OSPs should actively seek this alignment in any case, as it will facilitate single solutions and therefore potentially reduce cost for the OSP.
Our advice is that firms can begin to develop the management of third parties by:
- developing or designing an OSP Management Framework
- implementing ongoing due diligence and oversight to consistently monitor the provider and maintain strong relationships
- involving third parties in scenario testing to build the relationship and to align on resilience – although this may be tricky if the organisation is not in scope of the regulation
- assigning Relationship Managers and closely managing SLAs and KPIs
If you would like to discuss any of the points raised in this article and how Davies can help, please contact us. It’s never too late to start making progress.
Read the previous articles from this series:
Download the results of our survey:
Read more on this topic