UK Finance has published a paper on the PRA’s supervisory statement on outsourcing and third-party risk management (SS2/21). The paper summarises the key elements of SS2/21 and reminds firms that they are expected to comply with the PRA’s expectations by 31 March 2022. The paper also highlights the following challenges faced by industry:
- interdependencies between operational resilience and third-party risk management (TPRM) – clear linkages must be established between firms’ operational resilience agendas and TPRM programmes;
- views on broader contract remediation – a plan should be developed to tackle legacy remediation of all other contracts, at a minimum at their point of renewal;
- sub-outsourcing – firms should develop an understanding of their fourth party or sub-outsourcing population through methods such as inclusion in the due diligence process or supplementary steps in supplier assurance; and
- appropriate level of assurance on third parties – solutions relating to due diligence or assurance outcomes need to be embedded into a firm’s operating model, with an agreed control framework and risk thresholds.