Third-party dependency management (Principle 5)
Principle 5: Banks should manage their dependencies on relationships, including those of, but not limited to, third parties or intragroup entities, for the delivery of critical operations. [Further BCBS guidance on outsourcing of services can be found in documents published through the Joint Forum (BCBS-IOSCO-IAIS), Outsourcing in financial services, February 2005.]
31. Banks should perform a risk assessment and due diligence before entering into arrangements including those of, but not limited to, third parties or intragroup entities, consistent with the bank's operational risk management framework, [The management of dependencies articulated in this principle should be consistent with and conducted alongside the control and risk mitigation policies as articulated in paragraph 51 of Principle 9 in the PSMOR.] outsourcing/third-party risk management policy and operational resilience approach. Prior to the bank entering into such an arrangement, the bank should verify whether the third party, including, if relevant, the intragroup entity to these arrangements, has at least equivalent level of operational resilience to safeguard the bank's critical operations in both normal circumstances and in the event of disruption.