Information systems outsourcing in Croatian banks: developments 2005–2012

Abstract

Outsourcing of banks’ information systems has become well established and globally spread, but beyond benefits, it carries risks which are of importance to banks and their clients as well as to banking regulators and supervisors. This article briefly presents reasons, risks and regulatory provisions related to banks’ information systems outsourcing in Croatia. Based on two surveys conducted by the Croatian National Bank (CNB), the article explores changes in the scope of information systems outsourcing, perception of risks related to outsourcing and outsourcing reasons in Croatian banks in the period 2005–2012. The article also provides an insight into locations of applications’ and information technology (IT) infrastructure processing. Analysis and conclusions stated in the article should facilitate a better understanding of the subject matter.

Keywords:

• banks
• outsourcing
• information systems
• information technology (IT)
• Croatia

JEL classification:

• G21
• G28
• M55
• O33
• L86

1. Introduction

Throughout the last 10 to 15 years outsourcing has been seen to consistently grow in scale and importance, especially in relation to information technology (IT) enabled services. Outsourcing is increasingly used as a mechanism for cost reduction and achievement of strategic aims, and its potential impact can be seen across many business activities, including IT (Basel Committee on Banking Supervision [BCBS], 2005).

The Global 2010 survey on financial services outsourcing (The Conference Board and Duke Offshoring Research Network, 2010) shows that financial institutions around the world plan to further proliferate outsourcing especially in the area of IT and that IT operations are the most offshored activity – around 34% of all offshoring. As a comparison, 9% of total offshoring relates to software development. Of course, outsourcing is not risk free, and some cases of outsourcing-related difficulties in banks’ operations have been widely publicised (Arthur, 2012). During the past couple of years, so-called cloud computing is gaining more and more prominence, as a number of sources show (Venkatraman, 2012). This development is especially relevant for outsourcing of data processing. However, risks related to cloud computing are significant, and are sometimes difficult to quantify (Heiser & Nicolett, 2008). Outsourcing (part) of the banks’ operations is of great significance to banking supervisors as well as to the banks themselves. Significant problems in the provision of outsourced services might seriously impact key supervisory goals: depositors’ protection and reduction of systemic risk that failure of one key institution will significantly disrupt other important institutions. Because of the prevalence of outsourcing IT-related activities, this area is especially important for the supervision of banks’ information systems (Smojver, 2008, pp. 91–95).

The extent of outsourcing depends on numerous factors, such as strategic focus, availability of resources, operational costs, availability of service providers, risk perception, regulatory requirements, etc. But beyond that, in Croatia, as well as in other Central and Eastern European (CEE) countries, outsourcing greatly depends on strategic vision and decisions of foreign banking groups that own the majority of large local banks.

This article explores the current state of information systems outsourcing in Croatian banks, changes in scope of outsourcing, reasons for outsourcing and perception of outsourcing-related risks in the period 2005–2012. As far as we are aware, this is the first such system-wide research on outsourcing in Croatia. Previous research was primarily case-study oriented (Načinović & Franc, 2012).

2. Background information and research goals

There is no unique definition of outsourcing in literature. For example, outsourcing can be described as the act of transfer of work to an external party (Brown & Scot, 2005), the process of transferring an existing business activity (including the relevant assets) to a third party (Lonsdale & Cox, 1998) or as transfer of responsibility for any IT service, including planning, management and operations to an external service provider (Brown & Scot, 2005). In literature and in practice various terms like in-sourcing, co-sourcing, offshoring, nearshoring are used, as well as their combinations (e.g. nearshore-in-sourcing), to better describe characteristics of the (out)sourcing relationship. Definitions of outsourcing that are the most relevant for banking industry are those defined by BCBS (2005) and European Banking Authority (EBA)¹ (Committe of European Banking Supervisors, 2006) publications. The Committee of European Banking Supervisors (CEBS)/EBA defines outsourcing as ‘an authorised entity’s use of a third party to perform activities that would normally be undertaken by the authorised entity, now or in the future’. The abovementioned publications define expectations from credit institutions in the area of outsourcing in order to promote greater consistency of the supervisory approach within the national legal frameworks. In other words, those guidelines have a direct impact on formal outsourcing regimes or national legislations regarding outsourcing and hence have a strong influence on nature and scope of outsourcing in European banks. Surveys (European Central Bank, 2004) show that banks are aware of outsourcing risks, including loss of control over the activities or services being outsourced, undesirable dependency on the service provider, loss of internal skills, loss of flexibility, high costs/cost transparency, decline in quality/competitive advantage, cultural-social problems, technical constraints, and information protection failure.

In order to ensure the safety and stability of the credit institutions’ operations, the Croatian National Bank (CNB) issued Guidelines on Adequate Management of Outsourcing Risks in 2005 to draw attention to outsourcing matters. The adoption of the Decision on Adequate Information System Management (Croatian Official Gazette 80/2007) in 2007 stated, for the first time, explicit provisions related to the outsourcing of (part of) banks’ information systems. Through the Credit Institutions Act (Croatian Official Gazette 117/2008, 74/2009 and 153/2009) from 2008, provisions related to outsourcing were for the first time incorporated in the banking law (definition and conditions for outsourcing). According to the Credit Institutions Act, a credit institution should have in place a sound system of managing risks related to outsourcing and should ensure that outsourcing does not impair its regular operations, effective risk management, internal control systems and supervision by the CNB. Following the adoption of the Credit Institutions Act, the Decision on Outsourcing (Croatian Official Gazette 1/2009, 75/2009 and 2/2010) was adopted in 2009. The Decision on Outsourcing represents a comprehensive act that sets out the obligations of credit institutions related to outsourcing and lays out in detail the conditions for outsourcing, rules for managing risks related to outsourcing, scope of internal bylaws related to outsourcing, conditions for access to data and documentation and for carrying out on-site examination by the CNB, the minimum contents of agreements with service providers, and the content of the documentation to be assessed by the CNB. It is important to note that Croatian regulatory environment, in relation to outsourcing, is in line with the European Union (EU) regulations.

Beyond global tendencies and (local) legal restraints, it is significant to observe an important regional characteristic. The Croatian banking sector is dominated by banks owned by banking groups from the EU. During the last 10 years around 90% of all banking assets were consistently managed by foreign-owned banks (Croatian National Bank, 2012). The prevalence of foreign ownership of banks is generally present in CEE countries (Raiffeisen Research, 2012). Since most foreign-owned banks are a part of European banking groups, centralisation of certain functions in various group entities and provision of ‘standardised’ services can be seen as a good course, and IT related services are obvious candidates. Figure 1 presents a typical banking group structure and possible outsourcing entities. It is important to note that each type of outsourcing – even intra-group outsourcing – bears some risks, and ownership relationships, the country from which services are provided and the type of institution all change the characteristics of risks.

Figure 1. Typical CEE banking group structure and potential outsourcing service providers.

Source: Authors.

Global developments favour further proliferation of outsourcing, especially because of cost-cutting restraints related to the wider economic downturn and group tendencies for centralisation. At the local level, the Croatian regulatory environment is in harmony with the EU regulations, which also favour outsourcing. Due to these developments, we can expect to see a high level of outsourcing in Croatian banks. However, based on observation and experience from supervision of information systems in Croatian banks, we define the following:

Hypothesis 1. The scope of information systems outsourcing in Croatian banks did not significantly increase in the period from 2005 to 2012.

Additionally, based on the assumption that CNB’s activities and aforementioned publications related to outsourcing, as well as the banks’ own direct and indirect experiences with outsourcing sensitised the institutions to related risks, the second hypothesis is formed:

Hypothesis 2. In the period from 2005 to 2012 Croatian banks’ perception of magnitude of risks related to outsourcing increased.

Furthermore, this article will examine changes in the reasons for outsourcing, try to quantify total level of outsourcing of data processing in Croatian banks and provide an insight into locations of provision of services, while taking into account abovementioned risks and considerations.

3. Data sources and methodology

In May 2005, the CNB conducted a survey in which all the banks in Croatia were asked a number of questions in relation to outsourcing (Croatian National Bank, 2005). Many questions were in line with a survey on outsourcing in European banks whose results were published in November 2004 (European Central Bank, 2004), as to provide a comparison between Croatian banking sector and wider developments. In April 2012, the CNB conducted a survey of banks on a number of issues related to information systems. Some questions were focused on outsourcing of information systems and a number of those questions were identical to questions posed in 2005. This allowed for direct comparison of data on outsourcing collected in 2005 and 2012. The answers to surveys conducted in 2005 and 2012 provide data that is used in proving the hypotheses and exploration of research questions stated in the previous section.

The 2005 survey was sent to all banks (in 2005: 34 institutions), while the 2012 survey was sent to all credit institutions (banks, saving banks and building societies) which, in April 2012, included 37 institutions. It is important to note that all credit institutions responded to all posed questions relevant to this subject matter and Management Boards of every credit institution confirmed the authenticity of submitted data. This allows for a high level of confidence in the validity of the collected data. Since the data from the 2012 questionnaire was not previously published, official permission for usage of aggregated or otherwise anonymised data was obtained from the CNB.

Three groups of questions from the 2005 survey were used in a comparative analysis with the 2012 survey: questions on the extent of outsourcing (14 questions), reasons for outsourcing (nine questions) and risk perception (14 questions). Answers to all questions were recorded by 4-point ordered scales. The last question in each group allowed free input (unstructured data), thus answers to these questions were excluded from analysis. Questions, rating scales and other information are included in Tables 1–3. The structure, contents and scales used for the three groups of questions were identical in both the 2005 and 2012 surveys. Thirty-one banks that were operational in 2005 and 2012 and hence their answers to both surveys were identified and their answers matched to provide a basis for paired comparison. Additionally, in the 2012 survey credit institutions were asked to document all software applications and all ‘infrastructure’ services (e.g. e-mail, directory services, authentication services, log management, firewalls, intrusion detection systems, etc.) that are used in support of banking processes. Information on location of the provision of services was also included, as well as the importance of a particular system for the institution. This data was also analysed so as to measure the extent of outsourcing. Data analysis was performed in R environment (R Core Team, 2012) and additionally, the ‘orddom’ package (Rogmann, 2012) was used.

Table 1. Outsourced activities.

What activities (related to information system) are outsourced?	Nr. of ans. (2005)^1					Nr. of ans. (2012)^4					Changes (Nr.)^2			V-D A (‘12>’05)^3
	1	2	3	4	median	1	2	3	4	median	Decr.	None	Incr.			Cliff’s δ^4		Z^5	p^6
Hardware Maintenance	3	8	11	9	3	11	9	7	4	2	17	7	7	0.339	↓	−0.323		−2.158	0.039	*
Data Processing	20	8	2	1	1	17	11	1	2	1	7	14	10	0.548		0.097		0.722	0.476
Business Application Development	6	8	8	9	3	4	9	9	9	3	5	18	8	0.548		0.097		0.828	0.414
Business Application Maintenance	5	9	9	8	3	4	9	9	9	3	6	16	9	0.548		0.097		0.769	0.448
Management and maintenance (M&M) of operating systems	12	9	6	4	2	22	7	1	1	1	17	9	5	0.306	↓	−0.387	†	−2.834	0.008	**
M&M of telecommunication networks	2	13	5	11	3	13	9	4	5	2	17	10	4	0.290	↓	−0.419	†	−3.243	0.003	***
M&M of databases	10	11	4	6	2	17	7	4	3	1	14	10	7	0.387		−0.226		−1.563	0.129
M&M of security infrastructure	13	9	5	4	2	19	8	2	2	1	14	13	4	0.339	↓	−0.323		−2.559	0.016	*
Internet website development and maintenance	16	4	5	6	1	13	7	9	2	2	9	12	10	0.516		0.032		0.226	0.823
Development and maintenance of e-banking applications	16	5	3	7	1	16	6	3	6	1	11	9	11	0.500		0.000		0.000	1.000
Call centre	21	6	2	2	1	26	4	1	0	1	10	17	4	0.403		−0.194		−1.647	0.110
Helpdesk	25	2	3	1	1	28	3	0	0	1	6	23	2	0.435		−0.129		−1.438	0.161
Data mining	25	3	3	0	1	23	4	3	1	1	4	21	6	0.532		0.065		0.626	0.536

¹ Number of answers in a certain category for a given year. Ordered (ordinal) categories are as follows: 1: Not outsourced, 2: Some components are outsourced, 3: Most components are outsourced, 4: Everything is outsourced

² Number of occurrences of 2012 answers having smaller, same or higher value than respective 2005 answer (limited to the pairs).

³ Vargha and Delaney’s A measure of stochastic superiority, for 2012 answers being higher than 2005 answers (limited to the pairs). Value of A less than 0.36 or larger than 0.64 denotes medium or large effect size (marked with arrows) as recommended by Vargha and Delaney. Direction of arrows signifies increase or decrease.

⁴ Cliff’s |δ| values larger than 0.33 are interpreted as a medium effect (marked with †) and values larger than 0.474 are interpreted as a large effect (marked with ††). Sign marks increase or decrease.

⁵ Estimate of Cliff's δ Z-score. Since data is ordinal and in most cases not normally distributed (as seen from distributions of answers), this is only an approximation and is displayed primarily for orientation.

⁶ p value in relation to estimated Z-score. p values are additionally denoted: less than 0.001 (****), less than 0.005 (***), less than 0.01 (**), less than 0.05 (*).

Source: Authors’ calculation, based on banks’ survey conducted by the CNB.

Table 2. Reasons for outsourcing.

What were your reasons for outsourcing?	Nr. of ans. (2005)^1					Nr. of ans. (2012)^10					Changes (Nr.)^2			V-D A (‘12>’05)^3
	1	2	3	4	median	1	2	3	4	median	Decr.	None	Incr.			Cliff’s δ^4		Z^5	p^6
Better focus on (provision) of core banking and financial services	0	1	16	14	3	3	7	12	9	3	15	10	6	0.355	↓	−0.290		−2.065	0.048	*
Cost reduction	0	2	17	12	3	4	6	18	3	3	16	12	3	0.290	↓	−0.419	†	−3.474	0.002	***
Better control of operating expenses	0	6	22	3	3	5	10	12	4	3	14	12	5	0.355	↓	−0.290		−2.187	0.037	*
Freeing up resources for other projects	2	6	17	6	3	2	8	13	8	3	10	11	10	0.500		0.000		0.000	1.000
Lack of necessary expertise and resources	2	6	15	8	3	3	5	8	15	3	9	9	13	0.565		0.129		0.849	0.403
Business processes reengineering	6	17	7	1	2	9	17	5	0	2	13	11	7	0.403		−0.194		−1.360	0.184
Better service	0	3	14	14	3	4	4	18	5	3	16	13	2	0.274	↓	−0.452	†	−4.030	0.000	****
Access to new technologies	2	5	12	12	3	7	9	11	4	2	20	7	4	0.242	↓	−0.516	††	−3.967	0.000	****

¹ Number of answers in a certain category for a given year. Ordered (ordinal) categories are as follows: 1: Not important, 2: Slightly important, 3: Important, 4: Very important.

² Number of occurrences of 2012 answers having smaller, same or higher value than respective 2005 answer (limited to the pairs).

³ Vargha and Delaney’s A measure of stochastic superiority, for 2012 answers being higher than 2005 answers (limited to the pairs). Value of A less than 0.36 or larger than 0.64 denotes medium or large effect size (marked with arrows) as recommended by Vargha and Delaney. Direction of arrows signifies increase or decrease.

⁴ Cliff’s |δ| values larger than 0.33 are interpreted as a medium effect (marked with †) and values larger than 0.474 are interpreted as a large effect (marked with ††). Sign marks increase or decrease.

⁵ Estimate of Cliff's δ Z-score. Since data is ordinal and in most cases not normally distributed (as seen from distributions of answers), this is only an approximation and is displayed primarily for orientation.

⁶ p value in relation to estimated Z-score. p values are additionally denoted: less than 0.001 (****), less than 0.005 (***), less than 0.01 (**), less than 0.05 (*).

Source: Authors’ calculation, based on banks’ survey conducted by the CNB.

Table 3. Outsourcing risks.

Evaluate risks related to outsourcing	Nr. of ans. (2005)^1					Nr. of ans. (2012)^16					Changes (Nr.)^2			V-D A (‘<12>’05)^3
	1	2	3	4	median	1	2	3	4	median	Decr.	None	Incr.			Cliff’s δ^4		Z^5	p^6
Loss of control over contracted services	6	16	7	2	2	0	16	15	0	2	6	10	15	0.645	↑	0.290		2.065	0.048	*
Operational risk^7	4	14	9	4	2	0	14	16	1	3	8	9	14	0.597		0.194		1.293	0.206
Loss of knowledge and skills within the bank	7	14	10	0	2	5	14	12	0	2	8	10	13	0.581		0.161		1.095	0.282
Financial risk (e.g., the risk of increasing costs)	1	20	9	1	2	0	12	16	3	3	4	13	14	0.661	↑	0.323		2.559	0.016	*
Reputation risk	10	14	4	3	2	1	18	12	0	2	5	10	16	0.677	↑	0.355	†	2.617	0.014	*
Legal risk (e.g., non-compliance with regulations)	10	17	4	0	2	0	24	6	1	2	4	12	15	0.677	↑	0.355	†	2.785	0.009	**
Risk associated with the country of origin of the service provider	23	5	1	2	1	17	13	1	0	1	5	17	9	0.565		0.129		1.072	0.292
Risks related to security of information systems	4	17	6	4	2	1	18	10	2	2	8	11	12	0.565		0.129		0.891	0.380
Cultural and social issues (employee resistance, differences in approach to clients ...)	16	14	0	1	1	9	18	4	0	2	6	9	16	0.661	↑	0.323		2.270	0.031	*
Technical limitations	7	14	7	3	2	3	23	5	0	2	9	15	7	0.468		−0.065		−0.494	0.625
Decline of service quality	6	21	4	0	2	0	26	5	0	2	4	17	10	0.597		0.194		1.647	0.110
Data confidentiality breach	5	17	7	2	2	1	13	15	2	3	7	9	15	0.629		0.258		1.763	0.088
Strategic risk	11	12	8	0	2	0	17	14	0	2	4	11	16	0.694	↑	0.387	†	3.013	0.005	**

¹ Number of answers in a certain category for a given year. Ordered (ordinal) categories are as follows: 1: No risk, 2: Low risk, 3: Medium risk, 4: High risk.

² Number of occurrences of 2012 answers having smaller, same or higher value than respective 2005 answer (limited to the pairs).

³ Vargha and Delaney’s A measure of stochastic superiority, for 2012 answers being higher than 2005 answers (limited to the pairs). Value of A less than 0.36 or larger than 0.64 denotes medium or large effect size (marked with arrows) as recommended by Vargha and Delaney. Direction of arrows signifies increase or decrease.

⁴ Cliff’s |δ| values larger than 0.33 are interpreted as a medium effect (marked with †) and values larger than 0.474 are interpreted as a large effect (marked with ††). Sign marks increase or decrease.

⁵ Estimate of Cliff's δ Z-score. Since data is ordinal and in most cases not normally distributed (as seen from distributions of answers), this is only an approximation and is displayed primarily for orientation.

⁶ p value in relation to estimated Z-score. p values are additionally denoted: less than 0.001 (****), less than 0.005 (***), less than 0.01 (**), less than 0.05 (*).

⁷ For example, risk associated with the loss of data and control over significant business processes, the risk associated with the use of information technology, the availability of services, the risk of interruption of business continuity, transaction risk, etc.

Source: Authors’ calculation, based on banks’ survey conducted by the CNB.

An important consideration for data analysis is the fact that collected data represents the whole population (i.e. all licenced banks responded to the survey), and not just a sample of the population, hence statistical inference was not used. Data were analysed via descriptive statistical analysis and statistical methods that provide quantitative measurement of size of change. Because of a disagreement on applicability of parametric methods in statistical analysis of ordinal data (Johnson & Creech, 1983; Knapp, 1990; (Norman & Streiner, 2003), data from 2005 and 2012 are compared using nonparametric methods. However, choosing the appropriate method proved challenging. Non-parametric Mann-Whitney-Wilcoxon test that compares two samples is suitable only for independent observations and Wilcoxon signed-rank test that is used for comparison of two related samples is not suitable for use with ordinal data (Svensson, 2001). Svensson recommends usage of signed test or McNemar’s test for analysis of paired observations, but those tests are aimed at nominal data and applying them to ordinal data might result in the loss of valuable information. Furthermore, those tests do not measure effect size. Taking all this into account, Cliff’s δ coefficient and Vargha-Delaney’s A statistic were chosen as measures of change. Non-parametric coefficient δ proposed by Cliff (1996) measures the difference between proportion of answers that increased and answers that decreased. Cliff’s δ can have values [–1, 1], where δ = –1 would signify that all values of one group are higher than values of the other group, and –1 denotes the opposite. The effect size was ranked in line with suggestions by other researchers (Romano, Kromrey, Coraggio, & Skowronek, 2006) with |δ| > 0.474 signifying large effect, and |δ| > 0.33 signifying medium effect. Cliff’s δ of ‘within’ type that takes into account only changes in the respective pairs (and not movement of the whole population) was calculated. Vargha-Delaney’s A statistic (Vargha & Delaney, 2000) is a variant of probability of superiority measurement that can be applied to repeated measurements. The coefficient A’s size denotes probability that a randomly chosen subject has higher or lower score in one measurement respective of the other measurement. In this case displayed A shows probability that a randomly chosen bank has a higher score in the second survey (2012) respective to the first survey (2005), hence A > 0.5 should correspond to δ > 0 and vice versa. As suggested by Vargha and Delaney (2000), A < 0.36 or A > 0.64 was taken as an indicator of medium or large effect.

4. Data analysis and results

Data analysis was performed in line with the considerations stated in the previous section. Aggregations of collected data and results of applied tests are presented in Tables 1–5. Tables 1–3 contain comparisons of answers collected in two analysed surveys and mark changes in replies of individual institutions. Tables 4 and 5 present descriptive summary of data on outsourcing of processing of applications and IT infrastructure that was collected in 2012.

Table 4. Outsourcing of application and infrastructure elements processing.¹

		Croatia			Abroad
		In group		Out group	In group			Out group
	Number	Bank%	Service provider%	Service provider%	‘Mother’ bank%	‘Sister’ bank%	Service provider%	Service provider%	Other%
All applications	907	77.84	10.58	5.62	0.33	2.32	1.43	1.87	0.00
Important applications	535	79.63	9.91	5.23	0.37	1.87	2.06	0.93	0.00
All infrastructure	657	92.24	3.04	3.50	0.61	0.00	0.46	0.00	0.15
Important infrastructure	351	91.17	2.56	4.56	0.57	0.00	0.85	0.00	0.28

¹ Answers of all credit institutions are included. All percentages in one row add up to 100%; Column ‘number’ denotes number of applications and infrastructure elements that institutions defined. ‘Important’ applications and infrastructure elements are those that were rated, by credit institutions, as extremely important of very important (on a scale that also included ratings medium importance, low importance and unimportant. The answers are grouped so that, for example, 10.58% in the first row, fourth column denotes percentage of applications that are processed in a service provider that is in-group with credit institution and located in Croatia.

Source: Authors’ calculation, based on banks’ survey conducted by the CNB.

Table 5. Summary of Table 4 results.¹

	Location		Group relationship
	Croatia %	Abroad %	In group %	Out group %
All applications	94.05	5.95	92.50	7.50
Important applications	94.77	5.23	93.83	6.17
All infrastructure	98.78	1.07	96.35	3.50
Important infrastructure	98.29	1.42	95.16	4.56

¹ This table presents summarized results from the Table 4.

Source: Authors’ calculation, based on banks’ survey conducted by the CNB.

Table 1 clearly shows that the only significant change in scope of outsourcing from 2005 to 2012 was a decrease, in line with the displayed indicators of change, which is also a direct proof of the first hypothesis. The most sizeable is the decrease in scope of management and maintenance of telecommunication infrastructure. It is important to note that, as section 2 described, there are ambiguities on what constitutes outsourcing and scope of activities that would ‘normally be undertaken by the authorised entity’ (CEBS, 2006) can be variously interpreted. Because of that, regulations and related CNB’s publications on outsourcing in credit institutions published from 2005 to 2010 tried to better delineate outsourcing from other contractual relationships. Therefore, it could be argued that this decrease in level of outsourcing is really a sign of better understanding of what is and what is not outsourcing. Table 2 shows a decrease in the importance of all provided reasons for outsourcing except in lack of expertise and resources. However, it is interesting to note that median values of responses are, in most cases, still rather high. The most prominent decreases are in access to new technologies and better service which might show a certain disillusionment of credit institutions with outsourcing. As Table 3 illustrates, perceptions of all but one presented risks increased, and more significant are rises in strategic, legal and reputation risks. This increase supports the second hypothesis. However, it is noticeable that absolute levels of perceived risk are still not overly high.

The data in Tables 4 and 5 provide some insight into locations from which applications and IT infrastructure services are provided, and can be easily ‘mapped’ to the structure displayed in Figure 1. It is interesting to observe that the significant majority of processing is (still?) not outsourced, and that between 92% and 95% of applications and 95% to 99% of infrastructure services are provided from Croatia and/or from group entities. It is important to note that two banks of similar size might have different application architecture so that one bank might use an integral banking application to support all or almost all banking processes, while the other bank could use dozens of smaller, more specialised applications as to support the same processes. Still, the presented data is indicative of the outsourcing scope.

5. Conclusion

This study concisely analysed developments in outsourcing of information systems in Croatian banks and showed that the scope of outsourcing did not significantly increase in the period 2005–2012, but that the perception of risks related to outsourcing increased somewhat. The examined data shows that the processing of banking applications and provision of IT infrastructure services is still predominantly done from the banks’ premises, and that the offshoring of those services out of the banking group is still very rare. The displayed data and analyses should facilitate better understanding of current status of outsourcing and related changes. Furthermore, the results provide information that should improve banking supervision in Croatia both directly, by directing focus and planning of banks’ supervision and indirectly, by enhancing banking supervision models that are in development (Smojver, 2012).

Notes

The views expressed in this article are those of the authors and do not necessarily reflect the views of the Croatian National Bank (CNB).

Disclosure statement

No potential conflict of interest was reported by the authors.

Notes

1. On 1st of January 2011, Committee of European Banking Supervisors (CEBS) was succeeded by the European banking Authority (EBA), which took over all existing and ongoing tasks and responsibilities of the abovementioned Committee.