Skip to main content
Version date: 4 December 2023 - onwards

Annex 1: Relevant Developments at the Standard Setting Bodies

BCBS

In March 2021, the Basel Committee on Banking Supervision (BCBS) issued Revisions to the Principles for the Sound Management of Operational Risk (PSMOR) and Principles for Operational Resilience (POR) [See BCBS (2021), Revisions to the Principles for the Sound Management of Operational Risk, March, and BCBS (2021), Principles for Operational Resilience, March.]. The PSMOR establish principles for operational risk management and the POR seek to promote a principles-based approach to strengthen banks' ability to withstand operational risk-related events that could cause significant operational failures or wide-scale disruptions in financial markets, such as pandemics, cyber incidents, technology failures or natural disasters.

The PSMOR recognise third-party arrangements (including outsourcing) as an important component of a bank's operational risk management framework and overall risk management programme. This is best illustrated by Principle 9 ("Banks should have a strong control environment that utilises policies, processes and systems; appropriate internal controls; and appropriate risk mitigation and/or transfer strategies"). Paragraph 54 outlines the responsibilities of the board of directors and the senior management in understanding and managing operational risk associated with outsourcing arrangements and provides a list of the key components of a robust outsourcing management framework.

In the POR, the reference to third-party arrangements is even more prominent. Each of the POR's seven high-level principles explicitly indicate their applicability to third-party arrangements. They conclude that outsourcing of services to third parties is an important factor for banks to consider when strengthening their operational resilience and that a consistent implementation of the existing third-party dependency management is essential.