What are the key risks in outsourcing and third-party arrangements, and what do supervisory expectations (e.g., EBA guidelines) require?
A core Risk & Compliance interview question — asked in analyst and associate interviews across IB, PE, and the Big 4.
THE SHORT ANSWER
Outsourcing doesn't transfer accountability — the firm remains responsible for outsourced functions. Key risks: concentration (many firms reliant on one cloud or provider), loss of control and oversight, business-continuity dependence, data security/location, sub-outsourcing (fourth-party) chains, and exit difficulty (lock-in). Supervisory expectations require a register of all outsourcing arrangements, materiality/criticality assessment, due diligence before engagement, written contracts with audit and access rights, security and data provisions, continuity and exit/stress-exit strategies, ongoing monitoring of provider performance, and heightened scrutiny plus regulator notification for critical or important functions. Concentration in the system (especially cloud) is now a macro-prudential concern, reflected in regimes like DORA's oversight of critical ICT providers. The theme: outsource the activity, keep the responsibility and the controls.
WHAT INTERVIEWERS LISTEN FOR
- ✓Accountability stays with the firm
- ✓Risks: concentration, control loss, continuity, data, sub-outsourcing, exit
- ✓Register, due diligence, contracts with audit/exit rights, monitoring
- ✓Critical functions: extra scrutiny + regulator notification
COMMON MISTAKES
- ✗Assuming outsourcing transfers responsibility
- ✗Ignoring concentration/fourth-party risk
- ✗No exit strategy or audit rights
Reading isn't the same as answering under pressure.
Interviewers don't hand you the model answer — you deliver yours on a clock. Practice this and 1,000+ questions with AI feedback on every answer.
RELATED QUESTIONS
- How do you quantify operational risk?
- Why did Basel move from Value-at-Risk to Expected Shortfall for market risk under FRTB, and what does ES capture that VaR misses?
- What does DORA require for ICT incident reporting, and how does it change operational resilience expectations for financial entities?
- How is climate risk being incorporated into the prudential and risk-management framework?
- What is BCBS 239, and why is risk-data aggregation and reporting capability a supervisory priority?
- Explain the COSO ERM framework.