Many organisations choose to outsource critical functions or services to third parties/contractors. However, outsourcing the work does not outsource the responsibility. Globally, in many industries, regulators have now taken a keen interest in how organisations manage outsourced activities that are seen as “critical”. Below, we’ve listed 10 things you should be asking when outsourcing a critical function and/or choosing a new supplier.
- Policies & Procedures – does the supplier have appropriate policies and procedures in place? This may be dependent on the nature of the service, but you should be checking if the organisation has key policies in place such as information security, health & safety, etc.
- Data / Information Security – what data protection/information security controls are in place? Regardless of the information to be shared, all organisations should have adequate cyber security controls in place. Where will the information be stored/processed?
- Disaster Recovery/Incident Response – if a disaster were to happen, what would happen to the supplier’s service levels? You should check their disaster recovery/business continuity plans to ensure the recovery time objectives are acceptable. Does the supplier have a formal incident response plan that is reviewed and tested on an annual basis? Does the plan include specific actions to respond to a cyber incident?
- Insurance – does the supplier have adequate insurance coverage and can they demonstrate this?
- Track record – can the supplier provide references of similar organisations that use their service/offering? This helps demonstrate that the supplier has the adequate skills/expertise to deliver on their service levels. How financially sound is the service provider? What percentage of their business does the work they will be doing for you represent?
- Reporting – can the supplier provide periodic reports on service levels? For example, you might want to know uptime/downtime if it’s an IT supplier.
- Regulatory change – what happens if there’s a regulatory change that impacts the service? Will this be covered in the existing service offering or will the organisation need to pay extra for a new/additional service? Is the supplier regulated – if so, can they demonstrate compliance with the required regulation, etc.?
- Key People – Who will be managing/delivering the service on your behalf? What experience and competence do these people have? Are there enough of them?
- Concentration – How many critical functions are you outsourcing to this supplier? Would a failure of the supplier mean serious damage to your organisation?
- Sub-Outsourcing – Does the supplier intend to sub-outsource some element of the service? Is this acceptable? Will the service be performed in a country that is acceptable in terms of compliance and quality?
Once you’ve chosen a new supplier/outsourced function, the supplier should become part of your ongoing due diligence/monitoring programme depending on their criticality.
For more information on how CalQRisk can assist with your supplier/outsourcing risk management efforts, click here.
Recent News
CalQRisk Shortlisted as Best Technology Partner in Housing Digital Innovation Awards
CalQRisk has been named a finalist in the Housing Digital Digital Innovation awards. CalQRisk is nominated as best ...
Read More CalQRisk Achieves G-Cloud 14 Approved Supplier Status
Delighted to confirm that following on from our GCloud 13 supplier status, that CalQRisk has been listed as ...
Read More CalQRisk named as Finalist for Cyber Security Provider of the Year at the Cyber Insurance Awards Europe
CalQRisk are thrilled to be finalists for the Cyber Security Solution Provider of the Year at the Cyber ...
Read More Volunteer Succession Planning – ‘Tomorrow’ has arrived.
Strong succession planning is critical for the viability of all businesses but can be particularly challenging for volunteer-led ...
Read More What is CSRD?
The Corporate Sustainability Reporting Directive (CSRD) is a framework for non-financial reporting which is mandatory for large companies ...
Read More CalQRisk Triumphs at the 2024 FS Awards, Winning Compliance and RegTech Award
At a distinguished ceremony held at the iconic Mansion House, CalQRisk emerged as the proud recipient of the ...
Read More NoFrixion Selects CalQRisk for its DORA Compliance Efforts
NoFrixion, the Embedded Banking company based in Dublin, Ireland, has announced its partnership with CalQRisk to ensure compliance ...
Read More CalQRisk is a finalist in the FS Awards
CalQRisk has been named as a finalist in the competitive and prestigious FS Awards for the Compliance and ...
Read More CalQRisk Customer Support Manager wins Rising Star at Irish Early Career Awards 2024
Congratulations to our Customer Support Manager, Eimear Farrell, who was named as a Rising Star in the Fintech ...
Read More CalQRisk wins Pitch Competition at ESCO Cyber Solution Days Event, Kilkenny, September 2024
The Cyber Ireland (CI) CISO Forum and ESCO Cyber Solution Days event took place in the Lyrath Hotel, ...
Read More