Prudential Regulation Authority SS2/21 Compliance Checklist | NCC group
What is SS2/21 Third-Party Outsourcing and Risk Management?
The PRA expects UK financial services firms to have robust business continuity measures in place for “essential business services” and specifically requires any significant cloud outsourcing arrangement to adopt the highest possible resiliency option.
PRA Outsourcing Regulations: Solutions to Support Compliance
Provide the necessary materials to work with an alternative third party to rebuild an outsourced SaaS application.
1. Assess the risks of ALL third-party agreements
The PRA states that it expects firms to assess the materiality and risks of third party arrangements, whether or not they fall within the usual definition of outsourcing.
We encourage you to review your current third-party software portfolio using risk assessment tools or work with an independent specialist to assess potential risks associated with your organization’s extensive reliance on a service provider.
Consider the size and complexity of the business areas that could be affected by a disruption to this outsourced function.
Would a service disruption prevent you from complying with policy? Would it affect your financial performance? Would you still be able to carry out the activities of your core business areas?
2. Categorize third-party dependencies by criticality and concentration risk
PRA SS2/21 states that in-scope firms must maintain an up-to-date register of outsourcing relationships, distinguishing between material (or high-risk) and non-material outsourcing relationships.
All applications that are deemed essential must have an exit plan, which means you should categorize the essentiality of third parties based on the role they play in supporting critical business services.
This allows you to prioritize the highest-risk vendors and focus your efforts where they’re needed most. That way, you instantly reduce the biggest risks to your business when you experience a stressed exit.
Wayne Scott, our head of regulatory compliance, explains what is meant by a stressed exit.
3. Conduct a supplier risk assessment and due diligence
Once you’ve determined which services are most important to your business, you need to conduct proper due diligence on any prospective service provider.
A superficial assessment is not enough to proactively assess and mitigate risks. Therefore, ensure that your due diligence practices reflect the materiality and risk assessment from the previous steps. For significant (or high-risk) outsourcing, your due diligence process should consider the following:
- Whether the software provider has the ability, capacity, resources, organizational structure, and authority to reliably provide the service.
- Whether the software provider is able to meet standards for service quality, security, and reliability for the duration of the contract.
- Any subcontracting or reliance on additional parties that may be required, together with any risks that these additional relationships may entail.
- Potential conflicts of interest.
4. Review procurement procedures immediately
It is important to remember that entering into a contract with a third party does not mean that responsibility and accountability have also been outsourced to that third party.
For this reason, we encourage you to develop an onboarding process for all new third-party software providers. This ensures that any future applications you add to your software inventory will have a proven working stressed exit plan as soon as they are procured rather than when they go live.
5. Document and test business continuity and exit plans
The PRA expects you to demonstrate that you can remain flexible to provide critical business services when disruptions occur. As you create your stressed exit plan, make sure it’s comprehensive, well-documented, and tested regularly if possible.
We recommend implementing software resiliency measures such as escrow agreements and verification to protect outsourced software and ensure compliance with PRA policies.
Software escrow agreements, combined with escrow verification, give companies the legal and technical certainty to bring a critical service back in-house, or to transfer the necessary materials to another service provider so it can rebuild the outsourced service, should an interruption occur.
Head of Product & Solution Architecture, Jamie Mackay explains how Software Escrow can be used to meet PRA SS2/21 requirements.
6. Continuous Monitoring
Ongoing supplier monitoring throughout the life of a third-party relationship is critical. Engagements with third parties don’t end after the evaluation phase – or after your stressed exit plans have been made.
Continuously review and revise your due diligence activities, sourcing policies, and both tangible and intangible applications as the business and any third-party relationships evolve.
Identify any current intangible services that have the potential to become significant over time, and ensure these are built into your stressed exit plan so you are not forced to adapt it when new issues arise.
Key takeaways
- Review your current third-party software portfolio and assess potential risks associated with your organization’s reliance on a service provider.
- Categorize the materiality of third-party providers based on the role they play in supporting critical business services to ensure the highest-risk providers have the necessary exit plan for stressful situations.
- For high-risk outsourcing arrangements, ensure due diligence processes check that the software vendor has the ability, capacity, and resources to reliably deliver the service.
- Develop an onboarding process to ensure a proven working stressed exit plan is in place as soon as new third-party applications are procured, not at go-live.
- Software escrow and verification solutions are an essential part of any business continuity plan: they grant regulated companies the right to access the outsourced application and give them the knowledge needed to carry out their exit plan.
- Continuously review and revise your due diligence activities and procurement policies to ensure all current non-essential services can be integrated into your stressed exit plan.