Page 32 - Insurance Times February 2022
P. 32
Such risks can arise due to- 6. Operational Risk Management
Y Insufficient knowledge of banking business process Operational Risk Management is a continuous process of risk
Y Lack of adequate training identification, risk assessment, providing risk treatment,
monitoring and review.
Y Third party practices not in line with bank practices
Y Incompetent or under qualified or inexperienced staff Operational Risk Management (ORM) is at the core of
deployed by service provider bank's operations. ORM framework supports in aligning the
business control environment with the bank's strategy by
Y Unavailability of required technology competence
measuring and mitigating risk exposure, contributing to
Y Use of sub-standard technology by the service provider optimal return for stakeholders.
Y Use of unlicensed software
Y Non adherence to the SLA by service provider 7.1. Risk management framework in
Y Unavailability or Inadequate BCP/DRP plans with service outsourcing activities
provider Risk management framework must follow an approach to
Y Failure or insufficient internal controls at service identify potential risks and should provide for controls that
are in line with the level of risk present in outsourced
provider
activities. Special attention should be given to activities that
Y Lack of awareness of different IT Laws applicable around
may have a substantial impact on the bank's core functions
data protection and those that are subject to material compliance, legal and
cyber risks.
Some examples of Operational risks in
outsourcing activities: The objectives of operation risk management
framework in outsourcing activities are to-
Sr No. Risks
Y Identify key risks associated with outsourced activities
1 Risk of unavailability of banking services or
at the time of on-boarding of service provider to ensure
interrupted services to the customers
effective implementation of relevant applicable controls
2 Risk of data leakage or breach of data and to provide assurance on effectiveness of the control
confidentiality design and operation.
3 Risk of inadequate data back up and potential Y To conduct performance evaluation on key performance
data loss indicators or metrics.
4 Risk of cyber threats including identity theft
or installation of ransomware 7.2. Following approach can be adopted
5 Hindrance to software development or in managing the outsourcing risk
system development
a. Risk Assessment:
6 Vendor's system and applications may be
It is important to carry out risk assessment of the activity
vulnerable to external threats
prior to engaging in outsourcing activity with external
7 Risk of delay in project deliveries party.
8 Excessive / Uncontrolled access to shared A comprehensive checklist can be developed for risk
folders or right to manage shared folders assessment to ensure adequate controls are in place to
9 Physical or logical access by unauthorised mitigate probable risk associated with the outsourced
personnel activities and recommendation of new controls if
current controls are insufficient to mitigate the risk.
10 Sub-contract by the vendor or operator
Further, risk assessment exercise can be done a regular
without adequate approval from the bank
basis to scale up (or scale down) the risk mitigation
11 Threat of infringement of IPR
plans, if appropriate.
32 The Insurance Times, February 2022
