• OM-2.2 OM-2.2 Board and Senior Management Responsibilities

    • OM-2.2.1

      The board and senior management are responsible for understanding the operational and reputational risks associated with outsourcing arrangements and ensuring that effective risk management policies, procedures and practices are in place to manage the risks in outsourcing activities. Outsourcing policies and risk management activities should encompass:

      (a) Policy for developing a business case for outsourcing of activities including policy for ascertaining the materiality of services to be outsourced;
      (b) Procedures for determining whether and how activities can be outsourced;
      (b) Processes for conducting due diligence in the selection of potential outsourcing service providers;
      (c) Sound structuring of the outsourcing arrangement, including ownership and confidentiality of data, as well as termination rights;
      (d) Programmes for managing and monitoring the risks associated with the outsourcing arrangement, including the financial condition of the outsourcing service provider;
      (e) Establishment of an effective control environment at the bank and the service provider;
      (f) Development of viable contingency plans; and
      (g) Execution of comprehensive contracts and/or service level agreements with a clear allocation of responsibilities between the outsourcing service provider and the bank.
      Added: January 2020