michael werneburg

third party risk


An enterprise cannot outsource accountability.one


The following guide on third party risk was written towards controlling a range of risks can possibly arise from the outsourcing of core functions, and is mindful of the following areas of risk:

One US regulatortwo noted instances where incomplete management of third party risk resulted in scenarios where financial institutions:

I quote that list verbatim here because I really can't say it any better. Impacts arising from these scenarios can be wide-ranging, including: reputational; financial; compliance; and opportunity. A negligent vendor can do unbelievable damage to a good firm like yours.


I've written this guidance based on a variety of regulatory sources, such as:

  1. OSFI Guideline B-10. Outsourcing of Business Activities, Functions and Processes.
  2. IIROC Guidance Note 14-0012. Outsourcing arrangements.

I use the term "vendor" a lot, but it's probably better to bear in mind that these practices should be followed in dealing with any service organization, even government agencies.

This article is written as a guide, and therefor uses the word "should". If you're writing a manual of risk control policy and practice around this guide (I've got one, you should write to me), never use "should", always use "shall" or your functional managers will wiggle out of all those "should be done" activities, and your auditors will have a field day.

This guide uses the IOSCO definitions of "outsourcing" and "core function"three:

1. Outsourcing risk practices

Building a framework

I know; process folk like me are always talking about frameworks. But a framework of risk evaluation will help your firm do a thorough job and stay consistent across all vendors. This not only helps eliminate surprises but allows for attention to be focused where it is due, as all vendor arrangements undergo an equal process – thereby "surfacing" relatively high risks. This framework should be created to manage risk for existing and proposed outsourcing arrangement of a core function. This should consist of:


During an outsourcing engagement

2. Determining materiality

Your firm should establish a process for determining whether a function is core. This process should consider:

Management functions not to be outsourced

Certain regulatory regimes (e.g. the Canadian wealth management sector, in which I worked for some years) outright forbid certain "material" management functions. Before spending the time necessary to do a full evaluation of a third party, be sure that you have regulatory permission to enter the arrangement. Outsourcing all or substantially all of a management oversight function should always be considered material, and therefor can not be outsourced under such regimes:

Evaluating risks

Prior to the commencement of an outsourcing arrangement for a core function (or prior to the next contract renewal for an existing arrangement), a risk analysis should be performed for that arrangement. This will take the form of:

Defining the outsourced function

When considering an outsourcing arrangement for a core function, your firm should define the scope of the arrangement, specifying:

Due diligence

The due diligence of service providers may include, but is not necessarily limited to, examining a service provider in light of these factors:


Due diligence activities should include:

Where either of the steps above are deemed not necessary, the decision and its rationale should be briefly documented at the time of the decision.

Service providers in foreign jurisdictions

A due diligence review of a service provider located in a foreign jurisdiction should additionally contemplate:

Your firm and the service provider must determine the "choice of law", that governs the legal jurisdiction under which the contract will be bound. This will be vital for resolving disputes.

Location of records

If you're operating in a regulated regime, you probably have to worry about the location of records shared with a vendor or service organization.

Your firm, its regulators, and its auditors must have access to the service provider's books and records that relate to the outsourced activities. Your firm's regulators, upon request, should be able to promptly obtain information concerning activities that are relevant to regulatory oversight. These rights must be guaranteed by contractual provisions. Where appropriate, access rights may include physical inspections at the premises of the service provider, delivery of books and records or copies of books and records to your firm or its auditor, or inspections that utilize electronic technology.

Business continuity plan

Your firm's business continuity plan should address reasonably foreseeable situations where the service provider fails to continue providing service. The business continuity plan and back-up systems should be commensurate with the risk of a service disruption. In particular, your firm's business continuity plan should ensure that your firm has in its possession, or can readily access, all records necessary to allow it to sustain business operations, meet its statutory obligations, and provide all information as may be required by your firm's regulator to meet its mandate, in the event the service provider is unable to provide the service.

Your firm should require that its service providers establish and maintain emergency procedures and a plan for disaster recovery, with periodic testing of backup facilities. Where appropriate, this should include periodic monitoring of testing conducted by the service provider of critical systems and back-up facilities to demonstrate the ability of the service provider to perform adequately even under unusual physical and/or market conditions, and to determine whether sufficient capacity exists under all relevant conditions.

Foreign jurisdictions

In the event that a service provider is located in a foreign jurisdiction, risk assessment activities should additionally contemplate:

Contract for services

Your firm should document its arrangement for outsourcing core functions in a legal contract with the service provider. This contract should address all issues relevant to managing the risks associated with the outsourcing arrangement to the extent feasible and reasonable given the circumstances:

Service level agreement

Your firm should establish a service level agreement with each contract for the outsourcing of a core function that:

Ongoing supervision

Your firm, when outsourcing core functions to a service provider, retains the responsibility to ensure that those activities are conducted in accordance with the requirements set out in the applicable regulations and securities legislation.

To carry out this responsibility, your firm must at a minimum supervise the activities performed on their behalf by the outsource service provider in a manner that is similar to the type of supervision that would be required if the activities were performed by your firm itself.

Establishing a program for monitoring and managing risks

Your firm should implement appropriate means, such as the following, for documenting processes and procedures that enable your firm to monitor the service provider's performance and compliance with its contractual obligations, including processes and procedures that:

Your firm should, on an annual basis, review the effectiveness of its monitoring program.

Advising the board of directors and chief executive

Management should report to the board on annual basis regarding the performance of the service provider of outsourced core functions, including:

Final thoughts

Internal controls

The following list of controls serves as a final checklist for ensuring that all due diligence has been carried out: prior to entering an outsourcing arrangement; and throughout the life of the service contract.

  1. Your firm has adopted a definition of core and non-core outsourced functions.
  2. Your firm categorizes each outsourced service either as core or non-core.
  3. Your firm ensures that third-party service providers of core functions have adequate safeguards for keeping information confidential. This includes conducting the survey titled "20 Questions for Cyber Security Assessment".
  4. Your firm ensures that third-party service providers of core functions have adequate safeguards for recovering from a business disruption.
  5. Your firm conducts ongoing reviews of the quality of outsourced services of core functions.
  6. Your firm develops and tests a business continuity plan with each third-party service provider of core functions to minimize disruption to your firm's business and its clients if the provider does not deliver the services satisfactorily. Tests are annual at a minimum.
  7. Your firm considers other legal requirements, such as privacy laws, that may apply when entering into outsourcing arrangements of core functions.
  8. Your firm, its regulator, and auditors have the same access to the work product of a third-party service provider of core functions as they would if your firm itself performed the activities. Your firm includes a provision requiring this access in any contract entered into with an outsourced provider of core functions.
  9. For providers of outsourced core functions, the firm maintains formal documentation of technical and organizational relationships covering roles and responsibilities.

Core functions

OSFIfour has published some guidance on deciding whether a function is "core", considering all of the following examples of potentially core functions. "FRE" means "federally regulated entity", such as a bank or life insurance carrier.

The following are generally not considered core functions.


1. "Cyber Risk: Resources for Practitioners", Institute of Risk Management, 2014. P76

2. U.S. Office of the Comptroller of the Currency, quoted here.

3. Principles On Outsourcing Of Financial Services For Market Intermediaries – IOSCO. 4. OSFI B-10 Outsourcing of Business Activities, Functions and Processes.

cybersecurity in financial industry outsourcing

Outsourcing technology service arrangements carry considerable risk to both parties. “Cybersecurity” risk is clearly one of these.

20 Questions for Vendor Cyber Security


This is a guide to evaluating vendors for their capabilities in keeping your data secure.

20 Questions for Vendor Cyber Security


This is a guide to evaluating a service organization's cyber security capabilities.

fintech and information risk


It's well and good to be leery of up-start fintech providers but don't take the incumbents' word that your bank has a better handle on where your data is or how it's protected.

SOC-2 versus SIG - a new audit standard


SOC-2 is effectively mandatory among service organizations looking to enter regulated industries such as finance and health. But the financial industry in the US has raised the bar.

cybersecurity in financial industry outsourcing


Outsourcing technology service arrangements carry considerable risk to both parties. “Cybersecurity” risk is clearly one of these.