Assessing your Outsourcing Governance Framework

In March 2022, the Central Bank of Ireland fined BNY Mellon Fund Services €10.78 million for 16 regulatory breaches relating to outsourcing.

The breaches arose because of the organisation’s failure to –

  • Have in place an adequate outsourcing governance framework
  • Comply with regulatory obligations regarding outsourcing
  • Engage openly and transparently with the regulator

Below, we’ll investigate what exactly the CBI expects when it comes to the first two failings mentioned above.

Outsourcing Governance Framework

In early 2021, the Central Bank of Ireland released their Consultation Paper on Cross-Industry Guidance on Outsourcing with the final guidance document being published in Dec 2021. The final guidance document outlines expectations regarding outsourcing governance.

Below are just some of the questions you should ask yourself when assessing your outsourcing governance framework.

  1. The role of the board and senior management team
    1. Are the board and senior management team aware of their role with regard to outsourcing?
    2. Are there appropriate structures in place to facilitate the effective oversight of your outsourcing universe?
    3. Are you/they aware of sector-specific legislation or regulation, and does your framework satisfy these obligations?
    4. Does the firm have the appropriate knowledge and skills to effectively satisfy your outsourcing obligations and operate your governance framework?
    5. Can you easily identify, manage, measure and report on risks associated with your outsourcing arrangements?
    6. Is there an appropriate outsourcing register in place?

“The board and senior management of regulated firms are ultimately accountable for the effective oversight and management of outsourcing risk within their business”


  1. Strategy and policy for outsourcing
    1. Is there a documented outsourcing strategy in place? (along with associated policy and procedures)
    2. Is the outsourcing policy approved by the board, on at least an annual basis?
    3. Does the policy satisfy the regulator’s minimum requirements?
    4. When creating your outsourcing strategy, have you considered items such as your extent of outsourcing, functions you plan on outsourcing, etc.
    5. Can you demonstrate how outsourcing risks will be managed and mitigated?


  1. Record Keeping
    1. Does the outsourcing register satisfy the regulator’s expectations?
    2. Is the register suitable to the needs of the firm? (e.g. nature, scale and complexity)


  1. Outsourcing of Risk Management & Internal Control Functions?

If the firm outsources the risk management role or another internal control function, can you:

  • Demonstrate that the board and senior management team are satisfied that there are no significant concerns about the governance, risk management or internal control arrangements of the firm?
  • Demonstrate you have adequate oversight of these functions?
  • Demonstrate you have applied due care if / when outsourcing PCF and CF functions?


Regulatory Obligations Regarding Outsourcing

While the Cross-Industry Guidance on Outsourcing sets out quite a comprehensive view of the Central Bank’s expectations with regard to outsourcing, firms should also be cognisant of their own sector-specific legislation / regulation and ensure compliance with this also. For example:

  • If you are a MiFID firm, are you aware of your outsourcing obligations under MiFID II?
  • If you are a credit union, are you aware of your obligations under the Credit Union Act / Credit Union Handbook?
  • If you are bound by IORP, are you aware of your outsourcing obligations?
  • And so on

Firms should conduct comprehensive gap analyses against each of the key pieces of guidance, legislation and regulation that apply to them. Following on from this, firms should create action plans to address any findings and document all outputs from the exercise. The board and senior management team should be kept up-to-date on the progress on your path to compliance.


CalQRisk – a Governance, Risk Management & Compliance Solution

Click here to download our Outsourcing Policy Template

CalQRisk is a modular Governance, Risk Management & Compliance solution. It includes a dedicated outsourcing/third parties module where users can create and maintain their outsourcing registers. Not only that, users can also streamline and automate their due diligence process while demonstrating effective oversight to the regulator through the point-and-click reports. Click here to request a tailored demonstration for your organisation.


Recent News

forward thinking imagery

Incident vs Crisis

Not every incident/event is a crisis, but it can have the potential to become a crisis if not ...
Read More
Logging in to attend a CalQRisk webinar

Operational Resilience vs Business Continuity 

At first glance, you might think Operational Resilience is just Business Continuity (BC) by another name, but there ...
Read More
Central bank of ireland building

Assessing your Outsourcing Governance Framework

In March 2022, the Central Bank of Ireland fined BNY Mellon Fund Services €10.78 million for 16 regulatory ...
Read More
laptops on a table doing risk reports

Cybersecurity – What are the risks?

With changes to working culture, and more people working from home than ever, businesses can see the importance ...
Read More
IWD2022 employee spotlight

International Women’s Day Spotlight – Fiona Kiely

It's International Women's Day and today we would like to shine the spotlight on our very own Fiona ...
Read More
risk assessment

10 Key Steps to getting Operational Resilience off the ground

It can seem daunting to begin a brand-new process for your business. However, risk assessments are an easy ...
Read More
CalQRisk and CUMA

CalQRisk at CUMA Spring Conference

CalQRisk will be attending the CUMA Spring Conference & AGM 2022 – “Changing Landscapes” The conference takes place ...
Read More
regtech 100 2022 badge

CalQRisk included in the RegTech 100 List

Now in its fifth edition, the list recognises the world’s most innovative technology solution providers that offer products ...
Read More
risk management cogs and gears of plan

Thematic Review of Risk Management Maturity – Summary of Key Findings

Thematic Review of Risk Management Maturity – Summary of Key Findings Earlier this year, the Central Bank of ...
Read More
Sunday Business Post Logo

Business Post – Improving the Odds

We were delighted to be featured in the Business Post recently. In the article, our CTO discussed the ...
Read More