Transcript Slide 1

Outsourcing risk
Wade Martin
Risk Manager - Cbus Super
Risk Management Declaration
• the Trustee has assessed the risks of outsourcing any business activity;
• is satisfied that the risks and relevant controls relating to these risks are appropriate to the Trustee, having regard to the size, business mix and complexity of business operations and the operational capabilities of the Trustee itself.
Trustee Duties – s52 SIS Act
• to perform the trustee’s duties and exercise the trustee’s powers in the best interests of the beneficiaries;
• to formulate, review regularly and give effect to a risk management strategy that relates to the risks that arise in operating the entity;
Risk Appetite
• Has the Board clearly articulated its appetite to outsource? What tolerances have been defined?
• Whilst 231 mandates the inclusion of certain provisions, the nature of those provisions will ultimately be reflective of an entity’s risk appetite. Consider:
  – Caps on liability and indemnity
  – Insurance
  – Subcontracting
Risk Management Framework
In assessing the options for outsourcing and entering into the agreement, the Trustee must be able to demonstrate that:
• It has taken into account the changes to the risk profile of the business activity; and
• How this changed risk profile is addressed within the trustee’s RMF.
Outsourcing risks
• Non-compliance
• Adequacy of resources
• Business disruption
• Remuneration and pricing
• Offshoring
• Exit and transition risks
• Liability for loss
• Underperformance
• Conflicts of interest
• Data security and privacy
Links to other Prudential Standards
• Business Continuity Management
• Conflicts of Interest
• Investment Governance
• Governance
• Risk Management
Internal Control Framework
• Tiers of outsourced providers
• Outsourcing Policy
• Due diligence
• Delegations
• Linking outsourced provider profiles to:
  – business risks
  – business processes
  – incidents and breaches
Appointment process
• Business case
• Selection process
• Change in risk profile
• Adequacy of resources
• Board & Committee involvement
• All para. 21 matters
• Monitoring procedures
• Renewal process
• Contingency plans
• ‘Best interests’ determination
Monitoring
• Adequacy of resources to monitor and manage the relationship
• ‘Appropriate level’ of regular contact
• Process for performance monitoring including service levels
• Consider:
  – Provider’s resources
  – Data management
  – Conflicts
  – Compliance
  – Offshoring and subcontracting
Offshoring
• Definition
• Offshoring risks
• Subcontracting
• APRA consultation process
Offshoring Risks
• Country risk
• Compliance
• Contractual risk
• Access risk
• Counterparty risk
• Choice of law
• Security and confidentiality of information
• Monitoring of the arrangement
Assurance
• Internal Audit requirement
• APRA variation of para. 33
• Practical experience
• Risk Management Declaration