Building Operational Resilience within Financial Service

In today’s highly interconnected financial landscape, Regulated Financial Institutions (RFIs) are increasingly dependent on external and third-party service providers to enhance efficiency, reduce costs, and stay competitive. While outsourcing offers numerous benefits, such as access to specialised expertise and economies of scale, it also introduces significant risks, particularly in the areas of information security, operational resilience, and regulatory compliance.

Imagine waking up to find that your bank’s IT infrastructure has been compromised, disrupting transactions and exposing sensitive customer data. Such incidents are no longer hypothetical; they are real and growing threats in an era of digital transformation. The rising adoption of financial technologies (FinTech) and IT outsourcing has heightened concerns around governance, data protection, and risk management within RFIs.

Kwame Barnieh

Partner, Head of Advisory, GRC & ESG Services

KPMG in Ghana

mail

To address these risks and strengthen the operational resilience of RFIs, the Bank of Ghana (BoG) in November 2024 introduced an outsourcing directive. This directive establishes comprehensive guidelines to ensure that outsourced activities do not compromise the safety, soundness, or regulatory compliance of financial institutions. By implementing effective governance and risk management frameworks, RFIs can safeguard their operations and maintain stability within the financial sector.

Beyond the Bank of Ghana, other regulators, such as the Securities and Exchange Commission (SEC) and the National Insurance Commission (NIC), have also acknowledged the need for oversight in outsourcing arrangements. The NIC’s Business Plan Guidelines for Insurers require insurers to disclose material outsourcing arrangements, ensuring transparency and regulatory oversight. Similarly, the SEC’s regulatory framework includes provisions for capital market operators to manage third-party risks effectively. Lessons from Ghana’s banking sector crisis underscore the importance of a coordinated regulatory approach to strengthening resilience across all financial sectors. Since capital markets and insurance companies increasingly depend on outside providers for important services, it would be beneficial for the SEC and NIC to improve their plans for managing outsourcing risks to reduce any possible issues that could harm investor and consumer trust.

BoG’s approach aligns with global regulatory trends, as central banks and financial regulators worldwide are strengthening their frameworks for outsourcing risk management. Across Africa, the Central Bank of Nigeria (CBN) has introduced the Operational Guidelines for Open Banking (2023), ensuring that third-party service providers comply with strict security, data protection, and operational resilience requirements. Similarly, the Central Bank of Kenya (CBK) enforces Prudential Guidelines on Outsourcing, which mandate RFIs to establish comprehensive outsourcing policies, conduct due diligence on service providers, and implement strong risk management controls to mitigate third-party risks.

Beyond Africa, regulators are also tightening their oversight of outsourcing arrangements. The European Central Bank (ECB) has established stringent outsourcing requirements under its Supervisory Review and Evaluation Process (SREP), while the Monetary Authority of Singapore (MAS) mandates RFIs to assess third-party risks rigorously. Likewise, the Bank of England (BoE) has developed an operational resilience framework that requires firms to identify and mitigate potential disruptions in their critical business services.

This article explores the multifaceted concept of operational resilience, explores the Basel Committee's insights on operational risks, examines the specific challenges posed by outsourcing, and outlines effective strategies for managing these risks. It also highlights the significant benefits of complying with the Bank of Ghana’s new directive, positioning RFIs to not only survive but thrive in an increasingly complex financial environment.

What is Operational Resilience?

Operational resilience refers to an organization’s ability to foresee, prevent, adapt, respond to, and recover from disruptions while maintaining essential services and functions. For RFIs, operational resilience is not merely about mitigating risks; it involves ensuring continuity in operations during events such as cyberattacks, service interruptions, or interruptions caused by third-party service providers. This concept symbolises a shift from conventional risk management approaches to a comprehensive strategy that prioritises readiness, flexibility, and recovery.

At its core, operational resilience safeguards critical financial services that underpin economic stability and customer trust. RFIs must identify essential operations, such as payment processing and transaction authorisation; assess associated risks; and implement robust oversight mechanisms to prevent service disruptions.

A case in point was Raphael’s Bank in the UK, which outsourced key card processing functions to third-party providers.

On December 24, 2015, a technical fault at one of its card processors led to a complete outage of authorisation and transaction processing services. Over an eight-hour period, more than 3,000 customers were unable to use their prepaid and charge cards, with over 5,000 attempted transactions failing due to the disruption.

Subsequent investigations by the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) revealed significant weaknesses in Raphael’s’ outsourcing governance, including inadequate risk assessment, flawed due diligence by service providers, poorly structured service level agreements, and insufficient business continuity planning. Notably, Raphael had failed to act on lessons from a similar incident in 2014, demonstrating the consequences of poor resilience planning.

This case shows how important it is for RFIs to create solid outsourcing plans, carefully assess risks, and put in place backup plans to keep services running smoothly, even when unexpected problems arise.

The Role of Outsourcing in Operational Resilience

In today’s modern financial ecosystem, which heavily relies on outsourcing for core operations like IT services and data management, operational resilience has never been more crucial. While outsourcing can enhance efficiency and foster innovation, it also introduces complexities and risks that can jeopardise an institution’s ability to function effectively. For instance, if an outsourced IT provider experiences a data breach, it could lead to significant reputational damage and loss of customer trust. Consequently, fostering operational resilience has become a strategic priority for RFIs striving to safeguard trust, meet regulatory obligations, and ensure sustainable operations.

The Basel Committee’s Perspective on Operational Risk

The Basel Committee on Banking Supervision (BCBS) has been at the forefront of highlighting the need for RFIs to manage operational risks effectively. According to the Committee, operational risks, including those arising from failed processes, systems, people, or external events, can have severe repercussions for financial stability. Principles three (3), four (4), and five (5) of the BCBS guidelines on operational resilience encourage banks to find their most important operations, understand their dependencies (like services they rely on from others), and set up systems that keep things running smoothly during tough times. Importantly, the BCBS highlights that operational resilience is integral to the broader framework of risk management. As part of these guidelines, banks are expected to perform risk assessments and due diligence before entering into arrangements with third parties or intragroup entities.

Managing Outsourcing Risks in Banks

Outsourcing business activities to third parties presents various risks that can significantly impact RFIs. These risks extend beyond immediate operational disruptions and data security concerns to include vulnerabilities arising from subcontracting, where third parties further outsource to fourth and even fifth parties. Without robust risk assessment frameworks, RFIs may face reduced oversight, weakened operational control, and exposure to cascading failures across the extended supply chain. If not properly managed, these risks can undermine regulatory compliance, compromise sensitive employee or client information, and ultimately damage the RFI's reputation and long-term stability.

To effectively manage these outsourcing risks, RFIs must adopt a comprehensive approach encompassing risk identification, assessment, mitigation, and continuous monitoring. Key strategies include the following:

RFIs should evaluate which functions are core and non-core. This assessment helps determine the level of risk associated with outsourcing specific functions. The Bank of Ghana mandates that these assessments be submitted by June 2, 2025.

RFIs must ensure that strategic functions such as enterprise risk management, regulatory compliance oversight, fraud detection, cybersecurity governance, and high-level financial decision-making remain in-house. This step is essential for mitigating risks related to losing control over sensitive operations and maintaining integrity in decision-making processes.

RFIs must establish strong governance structures to oversee outsourced functions effectively. This procedure includes revising board committee charters to incorporate the Bank of Ghana’s outsourcing directive, ensuring clear oversight and accountability at the highest level. Additionally, executive management must implement operational controls, such as enhanced due diligence processes, performance monitoring mechanisms, and risk escalation protocols, to manage third-party, fourth-party, and even fifth-party risks effectively.

The vendor management process must include well-defined exit strategies to address potential service provider failures. This process should encompass contingency planning, contractual provisions for termination, and mechanisms for a seamless transition of critical services back in-house or to alternative providers. By embedding exit strategies within the vendor management framework, RFIs can mitigate disruptions, maintain operational resilience, and safeguard essential business functions.

Building strong, transparent partnerships with outsourcing providers fosters better communication and more effective risk management. Regular engagement, performance reviews, and information sharing help align expectations and identify potential issues early. Contracts should include right-to-audit clauses to facilitate this teamwork, enabling RFIs to verify service providers' adherence to regulations, monitor their performance, and address any issues before they escalate. This structured oversight ensures accountability and strengthens the overall resilience of outsourced relationships.

RFIs need to fully comprehend the risks they face, including those that go beyond their immediate third-party providers. Third parties may themselves outsource functions to fourth, fifth, or even sixth parties; such scenarios can create a complex web of risks. Leveraging technology for real-time monitoring is crucial, as it helps track and manage these extended relationships, ensuring transparency and early detection of emerging risks. Additionally, organisations need to think about how they handle data throughout the entire supply chain, including assessments to determine the importance of risk at each stage and quickly address any problems that arise.

Regular training for staff on outsourcing risks and compliance requirements fosters a culture of resilience within the organisation.

By implementing these strategies effectively, RFIs can enhance their operational resilience while managing the inherent risks associated with outsourcing.

The Bank of Ghana’s Outsourcing Directive

Recognising the urgent need for robust safeguards, many countries have implemented regulations to manage outsourcing risks in the financial sector. For instance, the United States, the European Union, and the United Kingdom have established comprehensive guidelines requiring RFIs to assess and manage risks associated with outsourcing, including sub-outsourcing to third, fourth, and even fifth parties.

Regulatory bodies in Singapore, Australia, and Canada stress continuous monitoring and the protection of critical functions to maintain operational resilience, particularly when outsourcing sensitive services.

Similarly, Nigeria has strengthened its outsourcing framework through the Central Bank of Nigeria, ensuring that banks manage risks effectively across all layers of outsourcing.

In this context, the Bank of Ghana (BoG) has introduced its outsourcing directive to address emerging risks and fortify the operational resilience of RFIs. This directive provides clear guidelines for managing outsourced activities, ensuring that any weaknesses are found and fixed before they turn into serious problems that could interrupt important services.

Key aspects of the directive include:

Compliance Deadline: Regulated RFIs (RFIs) must comply with the directive by July 1, 2025; failure to do so will incur an administrative penalty of 1000 units.

Permitted Outsourcing of Certain Core Functions: The directive permits RFIs to outsource certain core functions but mandates strict governance and oversight measures to manage associated risks.

Materiality Assessments Requirement: RFIs are required to conduct materiality assessments for any outsourced functions and submit these assessments to the BoG by June 2, 2025. This requirement ensures that they clearly understand their operational dependencies.

Benefits of complying with the directive

Compliance with the Bank of Ghana's (BoG) outsourcing directive provides numerous benefits for both individual RFIs and the broader financial ecosystem:

Adhering to the directive enables RFIs to improve their governance frameworks and better manage outsourcing-related risks, leading to greater operational resilience. By implementing robust risk management practices, organisations can identify potential vulnerabilities early and minimise disruptions to essential services.

Compliance demonstrates a commitment to regulatory standards and good governance practices, which in turn enhances stakeholder confidence, including customers, investors, and regulatory bodies. It establishes the institution as a reliable and well-governed entity in the financial sector.

By retaining core functions in-house, RFIs can build a stronger operational framework, reduce conflicts of interest, and enhance decision-making processes. This leads to better control over critical operations and ensures that sensitive data remains secure.

The directive aligns with global best practices, as set out by organisations like the Basel Committee on Banking Supervision (BCBS), which provides guidelines on managing outsourcing risks. In countries like Nigeria, the United Kingdom, and Singapore, central banks have also introduced similar directives, emphasising operational resilience and the importance of managing third parties' risks. These international frameworks underscore the importance of ensuring that outsourcing does not undermine the stability of RFIs.

By taking proactive steps to comply with the BoG's outsourcing directive, RFIs can strengthen their operational foundation, safeguard critical services, and contribute to a more stable and secure financial ecosystem. This alignment with global standards helps ensure that Ghana’s financial sector remains competitive, resilient, and robust in the face of emerging risks.

Conclusion

Operational resilience has become a cornerstone of stability for Regulated Financial Institutions (RFIs) in an increasingly complex and interconnected financial landscape. While outsourcing provides opportunities for cost savings, efficiency, and innovation, it also introduces significant risks that can threaten business continuity if not properly managed. Recognising this, the Bank of Ghana (BoG) has introduced an outsourcing directive that establishes a structured framework to help RFIs mitigate outsourcing risks, enhance governance, and strengthen oversight.

A key requirement of this directive is the mandatory due diligence of vendors, which must now be conducted by an independent outsourced firm. This measure ensures that RFIs engage only with service providers that meet strict regulatory and operational standards, reducing exposure to third-party failures.

By proactively addressing vendor risks, RFIs can fortify their internal controls, maintain compliance, and safeguard the financial system from potential disruptions.

With outsourcing becoming more complex, RFIs must take a strategic approach to vendor management, assessing their current outsourcing practices and implementing the necessary safeguards to meet regulatory requirements. By aligning with BoG’s directive, RFIs not only enhance operational resilience but also preserve customer trust and the integrity of Ghana’s financial sector.

How Can KPMG Assist RFIs?

KPMG offers critical expertise to help RFIs navigate outsourcing risks and regulatory requirements. Our services include:

Vendor Due Diligence and Risk Assessment—conducting independent evaluations of service providers to ensure compliance, security, and operational stability.

Contract Review & SLA Development—Structuring agreements that define clear performance expectations, risk mitigation measures, and contingency plans.

Business continuity and disaster recovery planning—developing and testing strategies to ensure seamless operations during disruptions.

Regulatory Compliance involves assisting RFIs in aligning their outsourcing practices with BoG directives and best practices.

Connect with us

KPMG combines our multi-disciplinary approach with deep, practical industry knowledge to help clients meet challenges and respond to opportunities. Connect with our team to start the conversation.

Contact us