SS2/21 Outsourcing and third-party risk management, building better supplier relationships

SS2/21 Outsourcing and third-party risk management, building better supplier relationships

PRA guidance has the potential to forge stronger partnerships between firms and their suppliers.

Over the last few months many firms have been implementing appropriate measures to meet the regulatory requirements set out in SS2/21: The PRA’s expectations in relation to outsourcing and third-party risk management. This has demanded they take a close look at their supplier arrangements.

SS2/21 provides a consistent approach to the management of outsourcing across PRA regulated firms and complements the regulatory focus on operational resilience. Through BDO Regulatory Solutions and BDO FS Advisory, we have been supporting clients to help interpret what the requirements and expectations mean for their organisation. For some larger firms, where risk management, supplier due diligence and contingency planning is already well established, this regulation acts as a new lens to review the arrangements already in place, prompting improvements where necessary. Smaller firms who may be less mature in their approach to third party risk management are finding themselves with more to do to meet the new regulatory perspective on operational resilience and supplier management.

SS2/21 puts focus on supplier arrangements

Recent world events have heightened the imperative to improve operational resilience. While unprecedented in modern times, the pandemic proved the need for firms to be prepared for responding quickly to the unexpected, particularly when it comes to maintaining critical services and protecting customers. As well as helping firms navigate regulatory requirements, during the pandemic we provided the resources to help clients handle increased levels of customer contact and to pick-up when other supplier arrangements failed.

One important feature of SS2/21 is the focus on supplier arrangements. PRA SS2/21 states:

“The PRA expects firms to conduct appropriate due diligence on the potential service provider before entering into an outsourcing arrangement, and to identify a suitable alternative or back-up providers ...”

While this may seem onerous on both firms and suppliers it is a major step in assuring operational resilience. It also has the potential to bring parties together and forge much stronger and more vertically integrated partnerships, which is good for firms, suppliers, and the wider economy. 

More effective and sustainable partnerships

In the case of material outsourcing, the PRA expects firms’ to consider the things that could present risk to their provider’s ability to ensure continuity of service. This includes: business model, scale and ownership; capability, expertise, and reputation; resources; and the ability and capacity to provide the service in the event of a sudden spike in demand.

As a regulatory expert we are very much aware of how SS2/21 impacts our clients, and we are collaborating with them to support their compliance with the requirements. We also recognise how the expectations indirectly impact us as a supplier. We already have robust internal controls to assure our provision of services, which go a long way to satisfy the conditions of SS2/21, and we are considering what more we can do. Suppliers who embrace this can turn it to a competitive advantage, realising an opportunity to get closer to their clients, better understand their needs and build more effective and sustainable partnerships.

What’s next for firms?

Over the forthcoming months firms' operational resilience arrangements will be put-to-the-test, either as the regulator makes spot checks, or as external events exert pressure. Firms whose arrangements fail will put them under scrutiny and result in remediation, either in putting things right for customers, or in further work to meet expectations.

Even firms who were in decent shape for the 31 March deadline still have on-going work to do: ensuring all relevant third-party arrangements have been considered, reviewing legacy outsourcing agreements (those entered before 31 March 2021), as well as on-going review, testing, analysis and improvement.

Click here for PRA SS2/21, Outsourcing and third-party risk management.