Outsourcing risk under spotlight

The banking industry in Kenya is changing rapidly and dramatically. Ongoing technology innovations and developments have enabled banks to come up with an array of products, services and delivery channels.

One result of these changes is that local banks increasingly rely on external service providers to offer customers enhanced services without the various costs involved in owning the required infrastructure or maintaining the human capital required to deploy and operate it.

While using external service providers has helped manage costs, provide expertise, expand product offerings, and improve services, it has also introduced risks that local banks need to address.

The Central Bank of Kenya has released revised draft Prudential Guidelines and Risk Management Guidelines for institutions licensed under the Banking Act.

In the guidelines, CBK identifies outsourcing within the banking sector as an emerging service area that requires a comprehensive risk management program.

Outsourcing can involve either transaction processing or business processes. CBK basically defines outsourcing as the use of a third party – either an affiliate within a corporate group or an unaffiliated external entity – to perform activities on behalf of the bank.

The new guidelines require local banks to establish comprehensive outsourcing risk management programs to govern their external service providers’ relationships.

According to CBK, these risk management processes should include risk assessments, selection of service providers, contract review, and monitoring of service providers.

Outsourced relationships should, at a minimum, be subject to the same risk management, security, privacy, and other policies that would be expected if the bank were conducting the activities in-house.

What is clear from the CBK guidelines is the responsibility of the bank in the outsourcing relationship.

While these institutions can outsource certain business functions, they cannot delegate their compliance and risk management obligations.

Ultimately, banks are expected to monitor and manage the compliance risk of its vendors. The issuance of these guidelines by CBK is not only timely but relevant to corporations in Kenya.

The growing reliance on third-party providers is an increasingly uncomfortable trend for risk management professionals in Kenya.

Many businesses in Kenya are outsourcing critical services to third parties without fully understanding the risks involved.

Most of these organisations base their outsourcing decisions on cost and performance, forgetting the risk implications until much later in the process.