Outsourcing risk management

Over the years, companies making the strategic decision to outsource have benefited from its many advantages, including allowing them to concentrate on their core business.



Onur Ozdemir - Director - Advisory & Consulting - Deloitte

Basak Seckin - Senior Manager - Advisory & Consulting - Deloitte

Houcine Abdelhedi - Consultant - Advisory & Consulting - Deloitte

Published on 1 April 2021



Outsourcing is a strategic decision that is growing in popularity across multiple industries, including the financial sector. It encompasses a multitude of activities that evolve over time and through technological innovations, so its management and associated risks are constantly changing. This development has led to local and European regulatory authorities applying more extensive regulations on outsourcing and increasing their focus on outsourcing during their onsite inspections.

While outsourcing offers multiple advantages, it can also present disadvantages and harmful consequences for a company if the inherent risks of its chosen outsourcing model are not properly identified. But what exactly is outsourcing, and how should companies assess and mitigate its inherent risks?

Outsourcing is when one company entrusts another company (service provider) to carry out part or all of an activity. An outsourcing contract binds the company wishing to outsource its activities to the company that performs said outsourced activities.

The main outsourcing models are:

Business process outsourcing (BPO)

This model allows companies to outsource an entire business process—such as accounting, finance, customer relationship management or even human resources—to a specialized external service provider, instead of just part of a process. When companies do not have a specific qualification or skill in a particular business process, BPO allows them to be more productive and focus on their main objectives and strategy.

IT outsourcing (ITO)

This is when companies outsource their IT activities to a specialized external IT service provider, including:

  • IT systems management/operation services;
  • Consulting, development and maintenance services; and
  • Hosting services and infrastructure ownership.

Cloud services

This model allows companies to access via the internet various external resources such as servers, networks, databases or applications. Access to these resources is shared, configurable, self-service and on-demand. Companies can save on the costs of maintaining, developing and securing IT equipment while having immediate access to a reliable infrastructure on a global scale.

There are three main service sub-models that companies can select, based on their needs and IT resources:

  • Infrastructure as a Service (IaaS);
  • Platform as a Service (PaaS); and
  • Software as a Service (SaaS).

As suggested by the European Banking Authority’s (EBA) guidelines on outsourcing arrangements (EBA/GL/2019/02), the decision process for companies wishing to outsource their activities should include a pre-outsourcing analysis phase. This analysis should determine, on the one hand, the objectives and extent of the outsourcing and, on the other, the requirements and consequences of the outsourcing for this company. In general, the analysis should include the following:

  • An assessment of the materiality of the activities to be outsourced;
  • Due diligence; and
  • A conflicts of interest assessment.

During this phase, companies should also determine the different categories of risk they may face within the framework of outsourcing their activities. These risks can be legal, operational, financial or reputational. To be able to manage these risks, companies wishing to outsource their operations must identify and assess each of them and their exposure to them.

In an ever-evolving market, as the outsourcing of services increases, so do the inherent risks. Here are some of the key risks involved.

Risk of non-compliance with current legislation

Regarding outsourcing arrangements, the EBA has released EU-level guidelines, while the Luxembourg financial supervisor, the CSSF, has its own national guidelines. As outsourcing may include the hosting or processing of personal or client data, EU and local authorities have defined several data protection rules that also apply. If a company does not take these guidelines into account, it risks applying an outsourcing policy that does not comply with local and EU regulations.

Concentration risk to a specific service provider

If companies outsource many of their activities to a single specialized service provider, whether a parent company or an external one, they can create a strong dependency on that supplier which may not have been sufficiently evaluated.

If the service provider is no longer able to provide all the outsourced activities and operations for whatever reason, this may significantly affect the company and even spark a crisis situation.

Risk of data and information loss

Outsourcing activities can increase the risk of inappropriate use of companies’ data, which may affect the protection, integrity and availability of the data.

Risk of information system unavailability

In the context of ITOs, an entity that lacks efficient controls over its IT environment risks the unavailability of, and damage to, its information systems. Such entities could, for example, have non-segregated environments, a vulnerable network, and unsuitable user access rights.

While outsourcing can give companies a strategic advantage, it can also be very risky if the arrangement is not sufficiently supervised. To address the major risks associated with outsourcing, companies can implement various risk control mechanisms:

Contract management

To prevent the risk of damage to the quality of outsourced services, the entity and its service provider must agree on clear and explicit contractual terms for managing these services (e.g., the required level of quality). This contract should also set out the outsourcing parties' duties and obligations as well as the relevant contractual clauses.

Oversight and monitoring of outsourced activities

Organizations should regularly monitor outsourced activities to maintain control over their quality. This monitoring can involve a regular review of various key performance indicators (KPIs) relating to outsourced activities, which can be formalized in an outsourcing contract between a company and its service provider. This allows companies to maintain a global view of the quality of their outsourced services.

Consultation between stakeholders

To avoid loss of quality, governance and information, companies and their service providers must have a trusting and communicative relationship. All parties involved in the outsourcing must consult each other regularly, for example by establishing dedicated governance committees.

Internal control framework

An entity's internal control framework should include the periodic review of available audit and assurance reports, such as SOC 1 or SOC 2 reports. This allows the entity to verify that its service providers maintain an adequate control framework.

Three-lines-of-defense model

First line of defense

An operational management function is assigned to each outsourced activity to closely monitor its service quality and risks.

Second line of defense

A risk management function performs independent oversight of outsourcing and challenges the first line of defense.

Third line of defense

An internal audit function performs independent audits of the outsourced activities.


Companies have several outsourcing models to choose from, which should be adapted to their strategy and their regulatory and legal context.

Entities should properly identify their outsourcing risks at the pre-outsourcing stage and closely monitor these risks throughout the lifecycle of the outsourcing arrangement. Companies must understand that this is not a one-time activity but an ongoing process.

Companies can optimize their outsourcing strategy by implementing governance models and oversight control frameworks that address the various risks associated with the outsourcing arrangements.
