Risk Mitigating Action Plan
[Insert location/hyperlink to external location of this document]
[We have included a template for this document in 02_Manual_Supporting_Docs.]
7.8.3 Risk Register
[Insert location/hyperlink to external location of this document]
[We have included a template for this document in 02_Manual_Supporting_Docs.]
7.9 Outsourcing
Outsourcing is defined as using a third party to carry out any activity or service that your firm relies upon or would usually complete itself. This can range from basic service providers such as mailing companies or stationers, through to outsourcing operational or regulatory requirements such as having external IT providers or lead generators.
Where a firm outsources any function or activity that is regulated by the FCA, the firm is still responsible for complying with the regulatory requirements and will be held accountable for any failings or breaches. It is for this reason that the company has robust controls and procedures in place to identify, check, assess and monitor any third-party service provider with whom it establishes a relationship.
7.9.1 General Requirements
Under the FCA Handbook section SYSC 8.1, with reference to the rules and guidance contained therein, the company confirms that it complies with the below rules and guidance as provided under the regulatory system.
The company agrees to:
- avoid any undue operational risks when relying on a service provider for all or part of an operational function
- not outsource any important operational risk that may impair the quality of the firm’s internal control or the regulator’s ability to monitor the firm’s compliance with our obligations under the regulatory system
- implement policies and procedures which govern the use of outsourcing and any service provider used
- implement procedures to carry out due diligence checks and assessments on any service provider used for outsourcing and to record all checks for audit purposes
- carry out frequent and rolling audits (physical and remote) on any service provider in relation to their conduct, ability to perform the outsourced task and required compliance
- ensure that the service provider has the correct ability, capacity and any required authorisation to carry out the required function
- ensure that the service provider protects any sensitive and/or confidential information supplied to them in the course of the business relationship
- identify and implement disaster recovery and business continuity procedures and contingencies for any service or function that has been outsourced and to carry out periodic reviews and tests of any such plans