BCBS Sets Out Findings on Outsourcing and Concentration Risk Practices
In a recent statement, the Basel Committee on Banking Supervision, or BCBS, summarized findings of the outreach sessions with private-sector participants and supervisors from various jurisdictions with respect to the practices for third- and fourth-party risk management and concentration risk.
The outreach sessions were aimed to assess the status of better established practices related to third-party risk management and to exchange views regarding evolving practices related to fourth-party risk management and concentration risk. The outreach sessions confirmed the importance of banks implementing the practices set out in the Principles for Operational Resilience (POR) and the revised Principles for the Sound Management of Operational Risk (PSMOR). Among other matters discussed, banks and supervisors noted the following:
- Primary gaps related to firms' third-party risk management include a lack of clarity regarding respective bank and service provider responsibilities, insufficient monitoring of critical fourth parties, inadequate challenge or oversight from second lines of defense, and a lack of developed and tested business continuity plans.
- Banks and supervisors are concerned that a lack of complete supply chain transparency may increase operational risk. Risk-management efforts are focused on immediate suppliers, though key risks stemming from outsourcing arrangements may be driven by suppliers further down the supply chain.
- While several banks maintain formal exit strategies with respect to critical suppliers, they often lack sufficient detail and testing and identifying the appropriate stage to execute a strategy can be unclear.
- There are a range of tools for managing operational disruptions, such as the substitutability of a third-party service provider and contracting for enhanced resilience options or service levels offered by service providers. Exit strategies designed to guide transitions that occur over longer time periods may not be as useful as other tools for curing operational disruptions.
Consistent with the POR and revised PSMOR, outreach participants indicated that the third- and fourth-party risk management arrangements of banks should reflect strong governance and the integration of risk management in their due diligence processes. Participants noted that when using industry-wide consortia to support their risk assessment and due diligence efforts, banks should not outsource their risk management responsibilities. Participants further observed that appropriate business continuity and contingency planning procedures and exit strategies support banks' operational resilience in the event of a failure or disruption at a third party that would impact the provision of critical operations. As a related matter, it was agreed that banks' business continuity plans should assess the substitutability of third parties that provide services to a bank's critical operations and other viable alternatives that may facilitate operational resilience in the event of an outage at a third party, such as bringing the service back in-house. With respect to concentration risk, participants noted that banks should collaborate with service providers in planning for potential failures and developing appropriate options. The Committee will continue to carefully monitor banks' third- and fourth-party risk management and concentration risk-related arrangements as well as potential systemic risks arising from the concentration of services provided by specific entities.
Related Link: Press Release
Keywords: International, Banking, Operational Risk, Operational Resilience, POR, PSMOR, Systemic Risk, Third-Party Risk, Outsourcing Risk, Cloud Service Providers, Business Continuity, BCBS
Featured Experts

Blake Coules
Across 35 years in banking, Blake has gained deep insights into the inner working of this sector. Over the last two decades, Blake has been an Operating Committee member, leading teams and executing strategies in Credit and Enterprise Risk as well as Line of Business. His focus over this time has been primarily Commercial/Corporate with particular emphasis on CRE. Blake has spent most of his career with large and mid-size banks. Blake joined Moody’s Analytics in 2021 after leading the transformation of the credit approval and reporting process at a $25 billion bank.
Previous Article
NGFS Report Makes Recommendations to Address Biodiversity LossRelated Articles
ECB Finds Banks Unprepared for Pillar 3 Climate Risk Disclosures
The European Central Bank (ECB) published results of the 2022 supervisory assessment of climate-related and environmental risk disclosures among significant institutions (103) and a selected number of less significant institutions (28).
NCUA Assesses Credit Union Exposure to Climate-Related Physical Risks
The National Credit Union Administration (NCUA) released a Research Note that examines the exposure of credit unions to climate-related physical risks. In a related development
EBA Issues Multiple Regulatory and Reporting Updates for Banks
The European Banking Authority (EBA) is seeking comments, until July 31, 2023, on the draft Guidelines on the proposed common approach to the resubmission of historical data under the EBA reporting framework.
EC Adopts Regulation on Own Funds, Issues Other Updates
The European Commission adopted Delegated Regulations on own funds and eligible liabilities, on requirements for the internal methodology under the internal default risk model
CDP Platform to Report Plastic-Related Impact, Issues Other Updates
The Carbon Disclosure Project (CDP) announced that its global environmental disclosure platform has enabled reporting on plastic-related impact for nearly 7,000 companies worldwide
IASB to Enhance Reporting of Climate Risks, Proposes IFRS 9 Amendments
The International Accounting Standards Board (IASB) updated its work plan to enhance the reporting of climate-related risks in the financial statements,
BIS Addresses Data Gaps and Macro-Prudential Policy for Climate Risks
The Financial Stability Institute (FSI) of the Bank for International Settlements (BIS) published a brief paper that examines challenges associated with the use of macro-prudential policies to address climate-related financial risks.
FCA Sets Out Business Plan, Launches TechSprint on Greenwashing
The Financial Conduct Authority (FCA) published its business plan for 2023-24. The plan sets out details of the work planned for the next 12 months to achieve better outcomes for consumers and markets
UK Committee Sets Out Recommendations for Next Phase of Open Banking
The Joint Regulatory Oversight Committee (JROC), comprising the Financial Conduct Authority (FCA) and the Payment Systems Regulator (PSR) as co-chairs and the HM Treasury and the Competition and Markets Authority (CMA) as members
ECB Publishes Multiple Regulatory Updates for Banking Institutions
The European Central Bank (ECB) published the results of the 2022 climate risk stress test of the Eurosystem balance sheet,