The Singapore Outsourcing Register: Obstacles and Suggestions to Meet this Regulatory Requirement from a Risk Management Perspective

It is well-known that financial institutions, including those which provide credit rating services such as Moody's, are highly regulated organizations not only by Anti Money Laundering, Data Privacy, and other standard regulations or laws in this field but also by Central Banks or Monetary Authorities such as the Monetary Authority of Singapore (MAS) which imposes the obligation of reporting outsourcing arrangements signed with critical service providers or third parties. The Regulator, as mentioned earlier, requires financial institutions which perform services in Singapore or for the benefit of Singapore to keep an updated register of their existing outsourcing arrangements.

 

Before continuing to explore the obstacles and suggestions to comply with this requirement in adherence to the teachings of the SIG University Third-Party Certification Course, it is appropriate to have a look at the following extract from the MAS Guidelines: While an institution may delegate day-to-day operational duties to the service provider, the responsibilities for maintaining effective oversight and governance of outsourcing arrangements, managing outsourcing risks, and implementing an adequate outsourcing risk management framework (…) continue to rest with the institution, its board, and senior management. (MAS, 2016, p.9). 

 

The information required by the Regulator may come from different sources depending on the company. Two of the most common ones are Ariba and Coupa. These two platforms are fed by collaborators, usually from the Contracts and Procurement Teams, making room for human error. This human error possibility is considered a technology risk vulnerability, specifically a quality risk that may become a regulatory risk, should the accuracy of the Singapore Outsourcing Report be affected.

 

Data reliability is not a "nice to have" but a "must have." Hence it is imperative not only to make sure the software that is being used to keep records of the outsourcing arrangements is aligned with the Business and Regulatory needs but also to have a process in place in which quality control and assurance activities such as "peer reviews" provide certainty that the information that is being entered and subsequently reported is accurate. 

 

Even though the Singapore Outsourcing Register is a Regulatory Requirement, it should be seen as an opportunity to know our third parties, especially as information concerning their materiality, last due diligence, business continuity, last audit, description of the services, alternate service providers and information storage and processing is required. In other words, if this requirement is approached correctly, Johari's Window technique could be put into practice to understand the firm's relationships with its third parties truly.

 

It is tremendously important not to "over-complicate things," so for gathering the information which goes into the Singapore Register Report, Ariba, Coupa, or the software used to this end should "work for us and not against us" for this reason, such platforms should have the necessary and relevant fields to avoid having to reach out to other colleagues (such as Business Owners or Sourcing Managers) via e-mail or having them fill out tedious forms which once again may end up creating the opportunity for human error. 

 

Since the information that goes into the Register comes from different departments (Procurement, Business Owners, Business Continuity, Legal, Compliance, Third-Party Risk Management, and Audit Teams), the necessity of a common risk taxonomy is more than evident as it prevents misunderstandings when providing the information required by the Regulator. Starting a Third-Party Risk Management Program from scratch is not easy, but following robust guidelines from Regulators, such as the Monetary Authority of Singapore, can help identify key risk drivers such as privacy, records, sub-contractor, cloud computing, and legal/ regulatory risks. 

 

It is never a good idea to leave Regulatory Reports to chance: a robust lifecycle management framework must be in place to implement controls that enable Procurement to manage and monitor third-party relationships. This is particularly crucial for the Singapore Register due to the obligation institutions have to notify the Monetary Authority of Singapore of adverse developments: controls such as annual or semi-annual due diligence questionnaires are helpful. Due to the interdepartmental nature of this reporting requirement, an effective RACI matrix must be designed in which Compliance, Procurement, Third Party Risk Management, Audit, InfoRisk, Legal, Tax, and other involved teams have clear roles and responsibilities.

 

This brings up another topic: "Communications Management": to comply with the Outsourcing Register, a process (Standard Operating Procedure) must be designed with repeatable tools (surveys, questionnaires, platform data entry fields) not only to avoid unnecessary re-work and reports (wastes from a Lean Six Sigma perspective) but also to monitor critical 3rd parties effectively and efficiently. Furthermore, a schedule with a communication hierarchy to escalate incidents and setbacks is advised. 

 

Finally, one of the biggest challenges when gathering information, in cases where the institution's databases are outdated or inaccurate, is knowing who must be reached out to when a specific piece of information is needed for the Singapore Register. Procurement platforms should be integrated with the internal Human Resources Information System so that when a Business Owner moves to a different position or leaves the company, the new Business Owner is fed into the Procurement databases.