Outsourcing risk Wade Martin Risk Manager - Cbus Super
Risk Management Declaration: the Trustee has assessed the risks of outsourcing any business activity; is satisfied that the risks and relevant controls relating to these risks are appropriate to the Trustee, having regard to the size, business mix and complexity of business operations and the operational capabilities of the Trustee itself.
Trustee Duties – s52 SIS Act: to perform the trustee’s duties and exercise the trustee’s powers in the best interests of the beneficiaries; to formulate, review regularly and give effect to a risk management strategy that relates to the risks that arise in operating the entity.
Risk Appetite: Has the Board clearly articulated its appetite to outsource? What tolerances have been defined? Whilst 231 mandates the inclusion of certain provisions, the nature of those provisions will ultimately be reflective of an entity’s risk appetite. Consider: Caps on liability and indemnity; Insurance; Subcontracting.
Risk Management Framework: In assessing the options for outsourcing and entering into the agreement, the Trustee must be able to demonstrate that: it has taken into account the changes to the risk profile of the business activity; and how this changed risk profile is addressed within the trustee’s RMF.
Outsourcing risks: Non-compliance; Adequacy of resources; Business disruption; Remuneration and pricing; Offshoring; Exit and transition risks; Liability for loss; Underperformance; Conflicts of interest; Data security and privacy
Links to other Prudential Standards: Business Continuity Management; Conflicts of Interest; Investment Governance; Governance; Risk Management
Internal Control Framework: Tiers of outsourced providers; Outsourcing Policy; Due diligence; Delegations; Linking outsourced provider profiles to: business risks, business processes, incidents and breaches
Appointment process: Business case; Selection process; Change in risk profile; Adequacy of resources; Board & Committee involvement; All para. 21 matters; Monitoring procedures; Renewal process; Contingency plans; ‘Best interests’ determination
Monitoring: Adequacy of resources to monitor and manage the relationship; ‘Appropriate level’ of regular contact; Process for performance monitoring including service levels; Consider: Provider’s resources, Data management, Conflicts, Compliance, Offshoring and subcontracting
Offshoring: Definition; Offshoring risks; Subcontracting; APRA consultation process
Offshoring Risks: Choice of law; Security and confidentiality of information; Monitoring of the arrangement; Country risk; Compliance; Contractual risk; Access risk; Counterparty risk