Answers / Risk & Compliance

What are the key risks in outsourcing and third-party arrangements, and what do supervisory expectations (e.g., EBA guidelines) require?

A core Risk & Compliance interview question — asked in analyst and associate interviews across IB, PE, and the Big 4.

THE SHORT ANSWER

Outsourcing doesn't transfer accountability — the firm remains responsible for outsourced functions. Key risks: concentration (many firms reliant on one cloud or provider), loss of control and oversight, business-continuity dependence, data security/location, sub-outsourcing (fourth-party) chains, and exit difficulty (lock-in). Supervisory expectations require a register of all outsourcing arrangements, materiality/criticality assessment, due diligence before engagement, written contracts with audit and access rights, security and data provisions, continuity and exit/stress-exit strategies, ongoing monitoring of provider performance, and heightened scrutiny plus regulator notification for critical or important functions. Concentration in the system (especially cloud) is now a macro-prudential concern, reflected in regimes like DORA's oversight of critical ICT providers. The theme: outsource the activity, keep the responsibility and the controls.

WHAT INTERVIEWERS LISTEN FOR

  • Accountability stays with the firm
  • Risks: concentration, control loss, continuity, data, sub-outsourcing, exit
  • Register, due diligence, contracts with audit/exit rights, monitoring
  • Critical functions: extra scrutiny + regulator notification

COMMON MISTAKES

  • Assuming outsourcing transfers responsibility
  • Ignoring concentration/fourth-party risk
  • No exit strategy or audit rights

Reading isn't the same as answering under pressure.

Interviewers don't hand you the model answer — you deliver yours on a clock. Practice this and 1,000+ questions with AI feedback on every answer.

TRY QUICKFIRE →Or train full Risk & Compliance case simulations →

RELATED QUESTIONS