Outsourcers form the mainstay of many customer operations models and enable firms to focus on activities better aligned with their in-house capabilities. As a result, Outsourcers are likely to face the most scrutiny when it comes to proving their resilience under the Operational Resilience (OR) Regulations.  

For the Outsourcer, it’s not just their own reputation on the line; they must also protect and uphold their clients’ brands. Their challenge is that no two clients are the same or want the same solution. They will be balancing multiple clients’ needs, and where a client’s OR requirements are unique, the processes built to meet them are harder to standardise and are therefore more likely to be at greater risk from disruption. 

It’s therefore critical that Outsourcers get this right and learn to balance client demand with regulatory delivery.   

So, where should the focus be?  

Whilst this list could be extensive, it’s important to get the basics right and our experience working with firms on both sides of the fence tells us: 

  1. Make contractual agreements watertight, protecting commerciality and profitability.
  2. Implement a robust, reusable and adaptable operational framework.  
  3. Be prepared to evidence and demonstrate resilience, aligned to the risk tolerance levels set by you and your clients. 

We have extensive experience working with Outsourcers and client firms, where we have built robust frameworks which stand up to the most complex scenarios (and clients!). 

If your firm has concerns about its readiness for the March 2025 deadline, by which firms must be consistently operating within their defined impact tolerances, talk to us today to understand industry best practice and how best to deliver to client demands whilst ensuring regulatory adherence.

Let’s explore the key areas a little more… 

  • Protecting Commerciality 

Outsourcers seek to meet the specific needs of multiple clients at the same time, driving efficiencies through standardised processing and economies of scale. There is no one-size-fits-all solution when embedding OR, and Outsourcers will be asked to tailor their service to accommodate the client’s OR framework.  

This is particularly important in the ‘Mapping and Resources’ phase of OR Self-Assessment, where the activities involved in delivering each Important Business Service need to be identified, documented and understood.  The complexity for Outsourcers arises from unique firm-specific processes, as the Outsourcer will be trying to satisfy multiple firms’ requirements at the same time, in the most efficient way possible.  Using a simplified payment request process as an example: 

There are multiple parties involved throughout the customer journey.  All parties are key to the execution of the customer request, and the failure of one could either stop the process in its entirety or give a detrimental level of service to the customer.

  • Demonstrating Resilience – The Evidence Challenge  

For Outsourcers, the challenge of evidencing third-party resilience is felt most when scenario testing. Their clients are likely to have dedicated OR teams, and the ability to devote equivalent resources ‘per client’ is an unrealistic expectation, with Outsourcers unable to, for example, attend every scenario testing meeting that their clients are conducting. 

Where this isn’t possible, Outsourcers can provide detailed evidence to support their resilience based on client needs, demonstrating their controls and giving confidence that disruptions can be mitigated. Where firms insist on including regular performance reviews, testing, and due diligence attestations, this will likely be a chargeable service.

  • Risk Management – The Client Perspective 

Where Outsourcing service providers fail to manage a disruptive event by not keeping within the recipient firm’s impact tolerances, the recipient firm remains ultimately accountable.  An effective risk management framework needs to be wrapped around OR, and to ensure that this is successfully implemented, firms must consider the following points: 

    • Concentration risk: In some areas of technology outsourcing, particularly in cloud-based services, there may only be a handful of large service providers that provide services to many firms. Arrangements of this type can lead to greater systemic risk, i.e. if one service provider is hit with operational disruption, this will impact many firms in the market.
    • Technological Sophistication: Not everyone is an expert in cloud storage, service platforms, or cyber controls. Without skilled resources, firms may struggle to evaluate third-party providers’ performance and risks.  
    • Negotiation Strength: Smaller firms may struggle to secure contractual rights to monitor and challenge their service providers’ performance.  
    • Third-Party Delegation: When third parties outsource part of their services to a so-called “fourth party”, it can reduce regulated firms’ visibility and control. This is especially problematic if firms don’t have the right contractual protections.

  • Redrawing the Line – Tightening Contractual Agreements 

Many firms are discovering that the level of detail they need suppliers to provide to evidence resilience falls outside their current contractual agreements.  DORA is more prescriptive here, setting out the key contractual provisions firms need to include when updating agreements; UK regulation is less explicit. 

The need to better evidence resilience has resulted in increasing activity in contract renegotiations, as firms try to secure bespoke services.  This includes scenario testing or custom attestations to meet the defined impact tolerances for technology and data provisions, especially where intra-group dependencies exist.   

In these scenarios, Outsourcers must balance client satisfaction with contractual obligations and resource constraints, resisting demands that are not feasible within the existing or proposed new agreements.  

Incident management is a particular area of focus. It needs to be clear where decision-making power resides, and where additional approvals or extended lead times are needed to keep the service within tolerance levels.  Evidence requirements are no longer just about the traditional business continuity measures of Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).   

Preventative controls and regular testing are required to ensure that in the event of a disruption, the proposed workarounds are sustainable. There is also the need to demonstrate, via enhanced reporting, that lessons learned from near-miss events are being actively incorporated into future resilience plans. 

  • The Cost of Compliance  

The resources, expertise and budgets required to achieve this present a significant financial burden. While much of the activity undertaken in everyday operations is already covered by business continuity, Outsourcers need to ensure they commit to specific, resource-heavy activities only where these are financially accounted for. They must resist pressure to accept less flexible arrangements that are positioned as inclusive services on the basis of regulatory change. 

Conclusion: Ensuring Outsourcer Resilience  

The FCA and PRA expect firms to be operationally resilient regardless of any outsourcing arrangements.  Firms must be thorough when ensuring their Outsourcers are resilient, assuring themselves that appropriate, sustainable controls and workarounds always exist to maintain services within impact tolerances.   

They must not allow their ability to remain within their impact tolerances to be undermined when services are delivered wholly or partly by third parties, whether these third parties are other entities within their group or external providers. 

For the Outsourcer, developing and embedding OR models that allow them to manage OR in ways that work for their clients as well as for themselves is vital.  Where there is accountability, there will be expectations. Where there is regulatory accountability, those expectations will be heightened, and it’s so important that Outsourcers find the right balance to manage these with their clients.  

This means getting the contractual elements fully established and agreed; developing a framework which is scalable, adaptable and, most importantly, reusable across a client base; and finally, being prepared. Be prepared to evidence and demonstrate resilience. 

Here at Simplify Consulting, our team of practitioners are on hand to support you through your Operational Resilience journey, regardless of which stage you might be at. For more information, please visit www.simplifyconsulting.co.uk.  

Antonietta Price

Consultant