Cross Industry Policy and Guidance

Outsourcing – Findings and Issues for Discussion

In November 2018 the Central Bank of Ireland issued cross industry minimum supervisory expectations in relation to outsourcing governance arrangements, risk management controls and business continuity practices. These are set out in Part A of a two-part paper, which also invites feedback from interested parties on key risks and evolving trends associated with outsourcing.

While outsourcing risk is not new, the current and expected level of reliance of regulated firms on outsourcing arrangements to deliver their products and services across the financial services industry has brought it into sharp focus for all regulators, including the Central Bank. The implementation by all regulated firms of appropriate governance structures, with robust risk management and BCM processes, is fundamental to ensuring regulated firms can effectively monitor, manage and mitigate the risks presented by outsourcing. 

Part A of this Paper articulates the Central Bank’s minimum supervisory expectations in relation to management of outsourcing risks.

Please note that the minimum supervisory expectations should not be interpreted as an exhaustive list with which regulated firms must comply; nor are they a replacement for any legislation, regulations, guidelines and standards that firms must comply with as part of their regulatory obligations.  Regulated firms must at all times refer directly to the relevant legislation, regulations, standards and guidance to ascertain their statutory obligations and to ensure that they are taking appropriate steps to mitigate and manage outsourcing risk.

Discussion Paper 8 – Outsourcing – Findings and Issues for Discussion | pdf 1466 KB

Information Technology and Cybersecurity Risks

In September 2016 the Central Bank of Ireland issued cross industry guidance in relation to information technology (IT) and cybersecurity governance and risk management by regulated financial services firms in Ireland.

Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks | pdf 815 KB

IT and cybersecurity risks are a key concern for the Central Bank given their potential impact on firms and their customers, and the risks for financial stability.

Accordingly, the Central Bank expects boards and senior management of regulated firms to fully recognise their responsibilities in relation to cybersecurity and IT governance and risk management and place these among their top priorities.

The guidance articulates the Central Bank’s expectations in relation to management of IT risk and governance, IT outsourcing and cybersecurity, addressing key issues such as alignment of IT and business strategy, outsourcing risk, change management, cybersecurity, incident response, disaster recovery and business continuity.

Please note that this guidance is not a replacement for, and does not supersede, the legislation, regulations, guidelines and standards that firms must comply with as part of their regulatory obligations, particularly in the areas of risk management, internal controls and corporate governance. Firms must at all times refer directly to the relevant legislation, regulations, standards and guidance to ascertain their statutory obligations and to ensure that they are taking appropriate steps to mitigate and manage IT and cybersecurity risk.