Article 2: Governance and Risk Management

C 14/2021 Effective from 31/5/2021
  1. 2.1 Banks are fully responsible for the risks arising from any process or activity they outsource.
     
  2. 2.2 Banks must have a process for determining the materiality of outsourced activities. This process should consider the potential of the outsourced activity to adversely affect the Bank’s operations and its ability to manage risks, if disrupted or performed poorly.
     
  3. 2.3 Banks’ Risk Governance Framework must include policies and procedures for the assessment of any proposed Outsourcing and the identification, measurement, monitoring and reporting of any risks associated with existing and proposed Outsourcing arrangements.
     
  4. 2.4 The Risk Governance Framework must provide a Bank-wide or, if applicable, Group-wide view of the risks associated with Outsourcing, including any services the Bank provides to, or receives from, other Group members.
     
  5. 2.5 The Risk Governance Framework must, at a minimum, provide for the following with respect to Outsourcing:
     
    1. 2.5.1 A Board-approved policy that sets out how the materiality of a proposed Outsourcing arrangement is assessed and requiring any material Outsourcing arrangements to be approved by the Board, or a committee of the Board;
       
    2. 2.5.2 Policies and procedures to ensure that potential conflicts of interest are identified, managed and appropriately mitigated, or avoided;
       
    3. 2.5.3 Policies and procedures that clearly identify and assign to the Bank’s departments, committees, internal control functions, or other individuals, the roles and responsibilities with regard to Outsourcing and determine in which cases and at which stage, they should be involved;
       
    4. 2.5.4 Policies and procedures to ensure all material risks related to Outsourcing are identified, measured, managed or mitigated, and reported to the Board in a timely and comprehensive manner;
       
    5. 2.5.5 Ensure that any outsourced critical business functions are covered in their disaster recovery and business continuity plans, that Outsourcing service providers are fully prepared to implement them and that Outsourcing service providers have their own disaster recovery and business continuity plans to resolve disruptions at their end.

  6. 2.6 Banks must ensure that Outsourcing service providers maintain an appropriate level of information security, risk management, and service delivery.
     
  7. 2.7 Banks are responsible for the compliance with all relevant laws and regulations applicable to their outsourced activities.