4. Application of the Guidance and Proportionality
The Central Bank deems this Guidance relevant to any regulated firm, which utilises outsourcing as
part of their business model. In adopting the Guidance setout herein, regulated firms should always
have regard to the principle of proportionality, whereby the nature and extent of measures to be
applied may be adapted and applied in a proportionate manner. In its consideration of proportionality,
a regulated firm should have regard to the nature, scale and complexity of its business and the degree
to which it engages in outsourcing to implement its business model. The test for proportionality should
always be underpinned by the regulated firm’s outsourcing risk assessment and resulting controls. The
extent of measures applied should also be informed by the regulated firm’s assessment of whether the
outsourced service or activity is deemed critical or important (as set out in Part B Section 2.1 below).
For the purpose of this Guidance, it is intended that the measures set out are to be applied in respect
of a regulated firm’s critical or important outsourcing arrangements, except where it is highlighted that
the requirements should take account of all outsourcing arrangements. However, regulated firms
should determine where it might be prudent to apply the measures to non-critical or less important
arrangements in line with their own risk assessment. Regulated firms may also wish to consider the
application of the Guidance, or aspects of the Guidance, as a matter of good practice, to arrangements
with other third party service providers or vendors, even where these arrangements do not fall within
the definition of outsourcing.
Certain aspects of this Guidance may not be appropriate to all regulated firms, due to their nature,
scale and complexity. The Central Bank acknowledges that it may not be appropriate for certain
smaller, less complex regulated firms to adopt, in full, all measures set out in the Guidance. Regulated
firms may decide to adopt different practices to those covered in this Guidance in ensuring compliance
with the relevant sectoral legislation, regulation and guidelines (as detailed in Appendix 1) and in order
to prudently manage any exposure to outsourcing risk. However, where they do so, the regulated firm
is expected to be in a position to explain the reason, upon request, for proceeding as they have to the
Central Bank. Regulated firms must be able to clearly evidence the rationale for their approach and
that the approach has been considered and approved by the board or equivalent. All regulated firms
must be able to demonstrate that they have appropriate measures in place to effectively govern and
manage outsourcing risk and to ensure compliance with the sectoral legislation, regulations and
guidance applicable to their business.
5. Status
This Guidance should be treated as a guide to good practice with regard to outsourcing. Regulated
firms must always refer directly to the relevant sectoral legislation, regulations and guidance, in force,