2.1 Risk Governance Framework

C 14/2021 STA

Banks must have an appropriate risk governance framework in place in accordance with the Central Bank’s risk management Regulations and Standards. This risk governance framework must be comprehensive and include within its scope any outsourced business activities and specifically address the additional risks that arise when a business activity is outsourced, including but not limited to:

  1. Operational risk arising from inadequate processes or systems, insufficient or inadequately trained or supervised staff, fraud or error on the part of the outsourcing service provider;
  2. Compliance risk arising from failure by the outsourcing service provider to adhere to laws and regulations or the Bank's policies, standards or codes of conduct;
  3. Vendor lock-in and business continuity risk, arising from inadequate contractual and practical arrangements to ensure an outsourced business activity can be either transferred to another service provider or to the Bank itself without undue delay, or discontinued without significantly disrupting the Bank's operations or its ability to manage risks;
  4. Concentration risk arising from relying on the same outsourcing service provider for multiple outsourcing arrangements, or from reliance by different outsourcing service providers on the same subcontractor;
  5. Governance and internal control risk arising from excessive outsourcing as a whole, in a specific domain or department, or from overreliance on third parties in the operation of the business;
  6. The aggregate risk from all outsourcing arrangements and the marginal risk of any proposed outsourcing arrangement.