The risk of outsourcing


Lessons from Alsford Page & Gems

In recent months, the regulators have reminded firms in the insurance sector of the importance of understanding the risks associated with outsourcing, and managing the risks and pitfalls that come with operating outsourced arrangements.

In March, the PRA published PS7/21 and SS2/21 Outsourcing & third party risk management, which clarified and modernised the PRA’s expectations in this area, particularly from an operational resilience perspective. Insurers and other in-scope firms will be expected to comply by 31 March 2022.

Then in April, the FCA imposed a public censure and financial penalty on Alsford Page & Gems (APG) following serious control failings and regulatory breaches relating to appointed representative (AR) sales of extended warranty insurance products.

The FCA found APG’s oversight of its ARs both limited and ineffective. While the issues and pitfalls highlighted by the FCA are specific to APG and principal/AR relationships in the insurance broking sector, they provide useful insights on regulatory expectations for effective oversight and monitoring of outsourcing arrangements more generally.

A wealth of failings

In 2013, APG diversified its lines of business and started selling extended warranty insurance products to retail customers via a network of six ARs. The additional conduct risks associated with this type of business and customer base (which included vulnerable customers), signalled a change in the firm’s risk profile. The FCA’s final notice highlighted not only the additional conduct risks and associated failings by APG, but also the weaknesses in APG’s control and oversight of the outsource relationships with ARs. This included:

  • Inadequate resources – The firm did not properly assess the adequacy of its resources, skills and capacity to effectively monitor ARs.
  • Deficiencies in contractual agreements – AR agreements did not clearly articulate the oversight role of the firm and delegated too much responsibility to ARs.
  • Lack of clear guidance – The firm did not provide sufficient policy or procedural guidance to ARs in key compliance areas, resulting in inconsistencies in processes and control procedures across the ARs.
  • One size fits all approach – The firm’s AR monitoring programme was neither risk based nor tailored for each AR. The FCA highlighted the lack of a robust risk based monitoring approach which should have considered the terms of the contractual agreement, ongoing suitability and solvency of the third party, the product sold, the sales method, sales volumes, the target market and the number and experience of sales agents involved.
  • Weaknesses in key controls – Key controls such as sales call scripts, file reviews, and audits/visits were poorly designed and implemented. Key controls were ineffective. For example, call scripts mandated by the firm were not sufficient to ensure that sales calls were consistently clear, fair and not misleading to customers. AR audits/visits were not risk based in terms of either frequency or scope and, as a result, provided little value as controls.
  • Over-reliance on AR self-monitoring – There was little input or challenge from the firm. Specifically, ARs monitored their own sales calls with very limited guidance or input from the firm, contributing to variability in approach and quality. Complaints made against ARs were handled by ARs themselves, with limited oversight by the firm. And although ARs were required to submit compliance monitoring reports to the firm, their design did not enable issues to be flagged and were deemed not fit for purpose.
  • Ineffective MI – MI collected from ARs was insufficient, failed to properly consider conduct risks and was poorly used by the firm. Specifically, the FCA referred to the firm’s lack of analysis of the MI provided by ARs. This included failure to perform analysis (including root cause analysis) of AR sales call monitoring results, cancellations, claims and complaints data. This analysis would have enabled APG to identify thematic or systemic issues.
  • Weaknesses in the three lines of defence risk management framework – There was a lack of oversight and challenge from the second line of defence and no proper (i.e. independent) third line of defence.

Lessons for internal audit

The importance of the role of internal audit functions within the three lines of defence risk management framework is clear from the FCA’s conclusions on APG. The firm should have tasked its internal audit function (or equivalent) to review the extended warranty business and ARs. Instead, it treated its Board as the third line of defence, despite its lack of independence.

In light of the ongoing regulatory focus on outsourcing and the lessons learned from APG, what should internal audit functions in the insurance sector be doing in this area?

Identify the full scope of outsourcing arrangements – All firms are likely to have outsourcing arrangements in some shape or form. It is essential that internal audit functions identify the full scope of outsourcing across their organisations. Some may be obvious, such as an outsourced IT or HR function, but others less so, such as where there is delegation of activities to third parties.

Since the FCA’s thematic review TR 15/7: Delegated authority: Outsourcing in the general insurance market, the regulator has consistently emphasised that delegated arrangements should be treated as outsourcing. That means firms and their internal audit functions must consider the whole spectrum of outsourcing within their control framework.

Assess the risks – When assessing the risks that outsourcing presents, firms need to consider a range of factors. In the case of APG, there was a failure to properly consider the conduct risks.

When assessing risks and deciding which outsourcing arrangements to prioritise for review, internal audit functions should consider the full range of risks. This should include conduct, financial, operational and reputational risks and also the associated resilience.

In today’s Covid-19 world, the risks presented by outsourcers may be very different to those of 12 months ago, so it is important that internal audit functions continually monitor these. For those firms in the insurance sector that have outsourced functions in locations such as India, which is particularly suffering the effects of Covid-19 at the current time, this may have a significant knock-on effect on operations.

Define approach – There are different options when it comes to the approach to auditing outsourcing arrangements.

The table below sets out the main audit approaches with their pros and cons.

Audit approach: Review of outsourcing governance and control framework

Pros:
  • Provides assurance on the overall governance and control framework for outsourcing.

Cons:
  • May be too high level to provide real challenge/insights on specific outsourcing arrangements/controls.
  • Will help internal audit functions form a view on higher risk outsourcing arrangements which could be the focus of future audits.

Audit approach: Consideration of outsourcing risks and controls within all audits

Pros:
  • May provide a deeper understanding and assessment of the outsourcing arrangement in the context of the area being audited.

Cons:
  • Risk that some outsourcing arrangements would not be covered depending on which audits are undertaken in any one year.
  • To mitigate this, internal audit would need to map the various outsourcing arrangements to the audit plan so there is clarity over coverage.

Audit approach: Deep dive review of specific outsourcing arrangements

Pros:
  • Can focus and target higher risk or material outsourcing arrangements and provide deeper challenge over the control framework.

Cons:
  • Less appropriate or useful if the firm doesn’t have higher risk or material outsourcing arrangements.
  • Need to have a good understanding of each outsourced arrangement to select the deep dive target.

Provide proper challenge – Whatever approach is taken, it is critical that internal audit functions provide proper challenge over the adequacy of outsourcing arrangements and the control framework. In the case of APG, a number of key controls that were heavily relied upon by the firm were found to be ineffective.

Internal audit functions should ensure that their firms’ controls are effective in mitigating outsourcing risks. Internal audit functions should learn the lessons from APG and ensure they’re asking a number of key questions:

  • Does the firm have adequate resources to manage outsourcing arrangements or are there signs of resource stretch?
  • Does the second line of defence have a clear and effective role?
  • Do contractual arrangements with outsourcers provide a sufficient legal basis and are expectations and roles clearly articulated?
  • Has the firm provided clear guidance to outsourcers and what is the quality of this guidance to ensure consistent application?
  • Is the firm’s monitoring approach to outsourcing risk based? Is the risk assessment truly reflective of the full spectrum of risks?
  • Are key controls of sufficient quality and substance? How are the outputs of key controls (e.g. outsourcer audits/visits) acted upon to demonstrate their use and value?
  • Is the firm sufficiently proactive in managing outsourcing risks or too reliant on outsourced providers’ own monitoring and reporting?
  • How is MI received from outsourcers actually being used? Is it complete and how is it analysed and reported to aid decision-making?

How can PKF help?

PKF can help you in many ways:

  • If your firm does not currently have an internal audit function, please contact us to discuss your options. We can help you to establish an internal audit function that is independent, appropriate for your organisation and meets the expectations of the regulators.
  • If your firm does have an internal audit function, we can help you develop your approach to reviewing your firm’s outsourcing arrangements and risks.
  • If you have outsourcing arrangements in place, we can help you assess these against the PRA’s expectations set out in PS7/21 and SS2/21 Outsourcing & third party risk management.

Contact our experts