Global menu

Our global pages


Outsourcing and Third Party Risk Management Webinar

  • United Kingdom
  • Financial services and markets regulation
  • Outsourcing and offshoring
  • Technology
  • Financial services



On 24 June 2021, Eversheds Sutherland hosted a webinar to discuss key questions regarding the topic of outsourcing and third party risk management and key client considerations, following the publication of the PRA’s Supervisory Statement 2/21 (the “SS 2/21”) in March 2021 on this topic.

The webinar was led by Simon Gamlin (Partner and Head of the Technology Group at Eversheds Sutherland). Simon was joined by Orlando Fernandez, (Senior Technical Specialist in the Governance Remuneration and Controls team in the Bank of England’s Prudential Policy Directorate), Lizzie Gilbert (Senior Associate in the Governance Remuneration and Controls team in the Bank of England’s Prudential Policy Directorate), Shanthini Satyendra (Managing Legal Counsel within the Technology & Innovation team at Santander), Victoria Taylor (Senior Legal Counsel at Phoenix Group), and Simon Lightman (Partner at Eversheds Sutherland in the Technology and Outsourcing Group).


The panel provided their individual insights on SS 2/21, and addressed specific questions raised by Simon Gamlin on the topic, such as in relation to the distinction between outsourcing and other third party arrangements, the process of contract remediation, how the SS 2/21 interacts within the everchanging broader international regulatory environment, and managing concentration risk and operational challenges on exit compliance in particular. After this discussion, the panel then opened the floor up to the attendees for a Q&A session.  

Summary of the key questions discussed:

1.    In terms of non-outsourcing third-party arrangements and firms approaching their need to remediate and work out how to manage those, what are your suggestions in terms of how firms’ approach that from a practical perspective?

The PRA attendees highlighted the importance of firms starting to look less at legal definitions and to start focusing on materiality, risk and resilience. The wider panel also stressed the importance of taking a holistic approach to third party contracts, particularly as most organisations will have considerably more material third party contract arrangements than what may have previously been identified as material outsourcing arrangements.

The panel provided valuable insight on the practical approach that firms are taking, pointing to the holistic sourcing strategies that have been developed over time to address principle-based regulation in arrangements with all third parties. Such strategies may or may not provide a clear distinction between outsourcing and non-outsourcing third-party arrangements - however they are generally resilience, risk and materiality based. It was mentioned that firms have been assessing the governance and frameworks that they already have in place and performing a gap analysis to ascertain the extent to which there is a difference in the way that they have treated different kind of third party suppliers in the past.

2.    How would you see the SS 2/21 fitting in with this increased international focus on outsourcing risk, such as DORA or the FSB - how is all this going to come together and how should firms start to manage the fact that they have multiple regulatory regimes which do slightly different things in slightly different locations?

This question echoed an interesting topic raised by attendees in advance of the webinar highlighting that many clients are required to grapple with multiple regulatory regimes across different jurisdictions particularly where they are headquartered in one country but have subsidiaries around the world.

The panel noted that the PRA prepared the supervisory statement against a global and fluid regulatory backdrop and that the PRA was heavily involved with the drafting of the EBA Outsourcing Guidelines. Subsequently, where the PRA has added in extra guidance, this was to help compliment and align to other aspects of the domestic regulatory landscape, such as the Senior Managers Regime. In addition, the panel commented that where the PRA has gone beyond the existing framework, the justification was to advance the operational resilience framework.

The panel also assured the attendees that the BoE, as a whole, has been monitoring systemic concentration risks in the provision of services and financial stability implications since 2017 and that both the Bank and the PRA is very emphatic around identifying common causes whilst simultaneously exploring cross-border regulatory solutions, albeit within a politically challenging environment.

3.    In terms of how firms can sensibly manage that concentration risk, particularly with the cloud vendors, is there anything you think firms should be particularly focused on doing at this point in time to help prepare for clearly what’s more focused on that coming down the line?

The panel discussed the importance for an organisation to be able to be collate and map relevant information (for example, logging contracts) to enable it to identify where concentration risks exist. In addition, it was highlighted that concentration risk is a systemic issue and there is a limit on what organisations can do individually in this regard, reinforcing the need for to the industry approach to remain as robust as possible.

4.    What are you seeing as being important from an operational perspective or from a contract perspective in terms of helping achieve exit compliance?

The panel agreed that the financial services sector has witnessed an increased regulatory focus on business continuity plans and exit strategies and this was the position even before the publication of the latest supervisory statement. The panel noted that firms are very conscious of the exit risks, even at RFP stage. Firms are increasingly focussed on ensuring that contracts address multiple exit scenarios and related planning from the outset whilst simultaneously identifying pre-exit considerations such as cooperation in RFP exercises.

The panel commented that it has become more common for outsourcing contracts to include enhanced flexibility. Interestingly, the panel discussed post contract management and how it is crucial to consider exit as a reverse transition. The panel concluded by discussing stressed exists and the issues around quantification and hidden risks such as maintaining relationships with key staff.

Concluding Remarks

The panel looked forward to seeing how the market would continue to react to the publication of the supervisory statement and also how areas such as concentration risk would continue to be looked at in further detail by the regulators.


Read about part one of our outsourcing webinar series here, on the PRA's 2019 consultation paper.