- What is Operational Risk?
Operational risk is the prospective loss resulting from inadequate or failed business processes, people or technology, or from any external event that directly or indirectly impacts operations. Any event that disrupts a business process can be considered an operational risk.
The following are a few examples of events that can be classified as operational risk:
- Failure of process or system
- Inadequacy of internal controls
- Human errors
- Banking industry and its functions
The banking industry is a network of financial institutions licensed by a government body to provide banking services. Banks are institutions that help the public manage their finances. The public deposit their savings in banks with the assurance that they can withdraw money from those deposits as and when required. Banks are also responsible for extending loans and advances to people and businesses. To support this business, banks perform various types of transactions and activities, including making or accepting payments, trading, clearing and settlement of accounts, and custody. Broadly, banking functions can be categorised as below:
1. Primary Functions:
- a) Accepting of deposits
- b) Granting of loans and advances
2. Secondary Functions:
- a) Agency functions
- b) Utility functions
- Outsourcing activities in banking industry
The banking industry is a competitive business, with multiple organisations operating in the market with different focus sectors. In such an environment, banks continuously face pressure to enhance their operational efficiency, reduce operating costs and improve their services to customers. As a result, outsourcing of business functions has become an integral part of banking operations. Outsourcing simply means delegating some in-house operations or processes to a third party.
Some of the commonly outsourced functions in the banking industry are:
- IT infrastructure management including managing and operating servers
- Network administration and management
- Core banking application products development and maintenance
- Managing isolated cloud centres
- Managing call centres and phone banking operations
- Loan recovery functions
- Housekeeping and premises infrastructure operations
- Physical security functions
- RBI Guidelines on Outsourcing
The Reserve Bank of India has issued guidelines on outsourcing to direct banks and NBFCs to adopt sound and responsive risk management practices for effective oversight, due diligence and management of the risks arising from outsourcing activities.
Some important points from the RBI guidelines:
The guidelines apply to material outsourcing arrangements entered into by a bank or NBFC with a service provider located in India or elsewhere. The service provider may be a member of the group or conglomerate to which the bank or NBFC belongs, or an unrelated party.
The guidelines are concerned with managing the risks of outsourcing financial services. They do not apply to technology-related issues, or to activities not related to banking services, such as use of couriers, catering for staff, housekeeping and janitorial services, security of the premises, and movement and archiving of records.
Activities that cannot be outsourced:
- Core management functions, including internal audit (although internal auditors can be on contract).
- Strategic, compliance and decision-making functions, such as determining compliance with KYC norms for opening deposit accounts, sanctioning loans and managing the investment portfolio.
- For NBFCs, however, these functions may be outsourced within the NBFC's group entities, subject to compliance with certain instructions.
Banks or NBFCs that wish to outsource financial services other than those specified above do not require prior approval from RBI. Such arrangements are, however, subject to on-site and off-site monitoring and inspection or scrutiny by RBI.
With regard to outsourced services relating to credit cards, the detailed instructions in RBI's circular on credit card activities apply.
The risk management practices set out in the guidelines provide for:
- Development of a comprehensive board-approved outsourcing policy
- Roles and responsibilities of the Board and senior management
- Evaluation of the risks in outsourcing activities
- Evaluation of the capability of the service provider
- Outsourcing agreement
- Confidentiality and security
- Responsibilities of Direct Sales Agents (DSA), Direct Marketing Agents (DMA) and recovery agents
- Business continuity and management of the disaster recovery plan
- Monitoring and control of outsourced activities
- Redress of grievances related to outsourced services
- Reporting of transactions to FIU or other competent authorities
- Operational risks in outsourced activities
In the quest to bring in efficiency and optimise operating costs, outsourcing has become a standard business practice across industries. It has also opened new risk avenues for banks, specifically in relation to quality of service, continuity of operations and compliance with regulations, all of which directly affect customer satisfaction.
Such risks can arise due to:
- Insufficient knowledge of banking business process
- Lack of adequate training
- Third party practices not in line with bank practices
- Incompetent or under qualified or inexperienced staff deployed by service provider
- Unavailability of required technology competence
- Use of sub-standard technology by the service provider
- Use of unlicensed software
- Non-adherence to the SLA by the service provider
- Unavailable or inadequate BCP/DRP plans at the service provider
- Failed or insufficient internal controls at the service provider
- Lack of awareness of the IT laws applicable to data protection
Some examples of operational risks in outsourcing activities:

| No. | Operational risk |
|---|---|
| 1 | Risk of unavailability of banking services or interrupted services to customers |
| 2 | Risk of data leakage or breach of data confidentiality |
| 3 | Risk of inadequate data backup and potential data loss |
| 4 | Risk of cyber threats, including identity theft or installation of ransomware |
| 5 | Hindrance to software or system development |
| 6 | Vendor's systems and applications may be vulnerable to external threats |
| 7 | Risk of delay in project deliveries |
| 8 | Excessive or uncontrolled access to shared folders, or rights to manage shared folders |
| 9 | Physical or logical access by unauthorised personnel |
| 10 | Sub-contracting by the vendor or operator without adequate approval from the bank |
| 11 | Threat of infringement of IPR |
- Operational Risk Management
Operational Risk Management is a continuous process of risk identification, risk assessment, risk treatment, monitoring and review.
Operational Risk Management (ORM) is at the core of a bank's operations. The ORM framework helps align the business control environment with the bank's strategy by measuring and mitigating risk exposure, contributing to optimal returns for stakeholders.
7.1. Risk management framework in outsourcing activities
The risk management framework must identify potential risks and provide for controls that are proportionate to the level of risk present in the outsourced activities. Special attention should be given to activities that may have a substantial impact on the bank's core functions and to those that carry material compliance, legal and cyber risk.
The objectives of an operational risk management framework for outsourcing activities are to:
- Identify the key risks associated with outsourced activities at the time of on-boarding the service provider, ensure effective implementation of the relevant controls, and provide assurance on the effectiveness of control design and operation.
- Conduct performance evaluation against key performance indicators or metrics.
7.2. The following approach can be adopted in managing outsourcing risk
a. Risk Assessment:
It is important to carry out a risk assessment of the activity before engaging an external party to perform it. A comprehensive checklist can be developed for the risk assessment to confirm that adequate controls are in place to mitigate the probable risks associated with the outsourced activities, and to recommend new controls where the current ones are insufficient. The risk assessment should be repeated on a regular basis so that risk mitigation plans can be scaled up (or down) as appropriate.
The following aspects shall be considered in the risk assessment.
- Implications of performing the activity in-house or having outsourced
- Whether outsourcing is consistent with the business strategy and objectives
- Significance of the activity being outsourced in terms of contribution to revenue, capital allocations or importance to overall achievement of strategic and business objectives
- Benefits or outcome achieved by enabling the outsourcing function
- Materiality of the benefits or outcomes achieved in relation to potential risk exposure caused by outsourcing
- Interrelationship of activity to be outsourced with other activities within the
- Cost implications of establishing an outsourcing arrangement
- Concentration of risk i.e. aggregate exposure to a particular outsourcing service provider where the organisation outsources multiple activities to the same outsourcing service provider
b. Due diligence and selection of service provider:
It is important to exercise due diligence and perform an objective evaluation of the service provider before entering into the contract. The extent of the evaluation varies with the nature, scope, complexity and strategic importance of the planned outsourcing arrangement.
The following aspects shall be considered in due diligence and selection.
- Business background, reputation and strategy
- Organisational structure and goals
- Financial performance and condition
- Operations and internal controls enforced
- Any material regulatory issues, compliance findings or breaches relating to the services to be procured
- Verification of required licences and certifications
- Availability of qualified and experienced staff
c. Contract provisions and considerations:
The financial institution should ensure that the service contract covers the following.
- Compliance with applicable laws, regulations and regulatory guidance
- Rights and responsibilities of each party
- Statement of work and term structure
- Structure of service charges
- Terms governing use of the institution's property and equipment
- Support, maintenance and customer service
- Whether, and under what conditions, services may be sub-contracted
- Contract timeframes
- Right to audit the outsourced activities and infrastructure, including by an independent auditor
- Clear and unambiguous contract terms
The financial institution should also assess its exposure to legal issues arising from the proposed outsourcing arrangement and have the agreement vetted by its legal and compliance department before signing.
d. Incentive compensation review:
- The financial institution should also ensure that there is an effective process to review and approve any incentive compensation that may be embedded in the service provider agreement.
e. Oversight and monitoring of performance:
It is important to monitor whether the vendor's services fulfil the contractual requirements effectively. This will be a deciding factor in the renewal of the agreement.
For this purpose, the financial institution should conduct performance evaluations periodically. A scoring grid can be defined for the performance rating.
Vendor performance can be evaluated on the basis of the following parameters.
- Output and quality of service:
  1) Output of the vendor's activity or service in achieving business goals
  2) Whether the services rendered meet the quality standards, timeliness and specifications set out in the SLA
  3) Whether the services are performed in a competent and professional manner
- Delivery: delivery of the project or development as per the SLA or TAT
  1) Submission of required data, reports or MIS
  2) Whether the service provider responds to issues or complaints within the defined timeframe
- Risk and compliance governance: whether the vendor has sub-contracted or outsourced any of the activities pertaining to the services being obtained
- Penalty (if applicable as per the SLA): frequency and severity of penalties imposed on the vendor.
f. Business continuity and contingency considerations:
The following aspects shall be considered when evaluating business continuity plans.
- Whether the service provider has a robust BCP/DRP plan in line with the institution's framework
- Whether the recovery time objectives (RTOs) defined by the service provider are in sync with the institution's recovery time objectives
- Whether the service provider has the capability to handle the present workload and to scale up resources at short notice to cope with increased work
- Whether the BCP includes a business relocation plan in the event of a disaster
- Expected outcomes from implementation of the Risk Management framework
- Facilitating identification of the key risks associated with vendor activities before entering into the contract
- Ensuring due implementation of the applicable controls to mitigate those risks
- Ensuring clarity of expectations and quality of performance
- Minimising the need for corrective measures due to poor performance
- Enabling better decision-making on vendor selection, continuity and renewal of contract arrangements with the vendor
- Compliance with RBI guidelines