Central Outsourcing Officer (COO)
Minimum Requirements for Risk Management (MaRisk)
AT 9 Outsourcing
12 Each institution that performs outsourcing shall establish the position of a central outsourcing officer at the institution itself. In addition, depending on the nature, scale and complexity of the outsourcing activities, the institution must establish a central outsourcing management function to support the central outsourcing officer.
The tasks to be performed include, but are not limited to, the following:
(a) Implementing and further developing an appropriate outsourcing management and corresponding control and monitoring processes,
(b) Creating and maintaining full documentation of outsourcings (including subcontracted activities and processes),
(c) Supporting the business units with regard to internal and statutory requirements for outsourcing,
(d) Coordinating and reviewing the risk analysis pursuant to number 2 conducted by the responsible units.
Central outsourcing officer
The central outsourcing officer shall be assigned to an organisational unit that is directly subordinated to the management board. He or she can also be attached to other units provided that a direct reporting line to the management board is ensured.
Small, less-complex institutions may also entrust this function to a member of the management board.
The head of the central outsourcing management function can also be appointed as the outsourcing officer.
13 The outsourcing officer or the central outsourcing management function shall prepare a report on the critical or important outsourced activities and processes at least once a year and shall make this available to the management board. In addition, ad hoc reports must be submitted. Taking into account the information available to the institution or the institution’s internal evaluation of the quality of the services provided by the service provider, the report shall contain an assessment of whether the services provided by the external service providers correspond to the contractual agreements, whether the outsourced activities and processes can be appropriately managed and monitored and whether further risk mitigation measures are to be taken.
Reporting by small, less-complex institutions
It is sufficient for small, less-complex institutions to report in the context of management board meetings.