Booklet: Outsourcing Technology Services
Section: Risk Management
Subsection: Risk Assessment and Requirements
Action Summary

Outsourced IT services can contribute to operational risks (also referred to as transaction risks). Operational risk may arise from fraud, error, or the inability to deliver products or services, maintain a competitive position, or manage information. It exists in each process involved in the delivery of the financial institutions’ products or services. Operational risk not only includes operations and transaction processing, but also areas such as customer service, systems development and support, internal control processes, and capacity and contingency planning. Operational risk also may affect other risks such as interest rate, compliance, liquidity, price, strategic, or reputation risk, as described below.

Reputation risk—Errors, delays, or omissions in information technology that become public knowledge or directly affect customers can significantly affect the reputation of the serviced financial institutions. For example, a TSP’s failure to maintain adequate business resumption plans and facilities for key processes may impair the ability of serviced financial institutions to provide critical services to their customers.

Strategic risk—Inadequate management experience and expertise can lead to a lack of understanding and control of key risks. Additionally, inaccurate information from TSPs can cause the management of serviced financial institutions to make poor strategic decisions.

Compliance (legal) risk—Outsourced activities that fail to comply with legal or regulatory requirements can subject the institution to legal sanctions. For example, inaccurate or untimely consumer compliance disclosures or unauthorized disclosure of confidential customer information could expose the institution to civil money penalties or litigation. TSPs often agree to comply with banking regulations, but their failure to track regulatory changes could increase compliance risk for their serviced financial institutions.

Interest rate, liquidity, and price (market) risk—Processing errors related to investment income or repayment assumptions could lead to unwise investment or liquidity decisions, thereby increasing market risks.
QUANTITY OF RISK CONSIDERATIONS

The quantity of risk associated with an outsourced IT service is subject to the function outsourced, the service provider, and the technology used by the service provider. Management should consider the following factors in evaluating the quantity of risk at the inception of an outsourcing decision.

Risks pertaining to the function outsourced include:

- Sensitivity of data accessed, protected, or controlled by the service provider;
- Volume of transactions; and
- Criticality to the financial institution’s business.

Risks pertaining to the service provider include:

- Strength of financial condition;
- Turnover of management and employees;
- Ability to maintain business continuity;
- Ability to provide accurate, relevant, and timely Management Information Systems (MIS);
- Experience with the function outsourced;
- Reliance on subcontractors;
- Location, particularly if cross-border (see Appendix C, Foreign-Based Third-Party Service Providers); and
- Redundancy and reliability of communication lines.

Risks pertaining to the technology used include:

- Reliability;
- Security; and
- Scalability to accommodate growth.
REQUIREMENTS DEFINITION

The definition of business requirements sets the stage for all outsourcing actions and forms the basis for subsequent management of the outsourced activity. The requirements are developed through a process that identifies the functions or activities to be outsourced, assesses the risk of outsourcing those functions or activities, and establishes a baseline from which appropriate control measures can be identified. These requirements provide a basis for an understanding between the financial institution and the service provider as to what the risks are and how they will be managed and controlled.

Key Practices

Sound practices for the development of requirements include:

- Stakeholder involvement—All organizational groups who will be directly involved with the service provider or in using the contracted service should be represented in the development of product and service requirements.
- Integration—The development should result in requirements that support the subsequent steps of solicitation, selection, contracting, and monitoring.
- Documentation—Documentation will greatly assist in ensuring that the service contracted and delivered meets the institution’s requirements. Documentation will also allow for subsequent reviews of the processes’ adequacy and integrity.

Components

The requirements definition phase should result in a detailed document containing descriptions of the institution’s expectations relative to the outsourced service. The requirements document may consider, but is not limited by, the following high-level topical components:
Scope and nature

- Service description;
- Technology; and
- Customer support.

Standards and service levels

- Availability and performance;
- Change management;
- Financial reporting;
- Quality of service;
- Security; and
- Business continuity.

Minimum acceptable service provider characteristics

- Industry experience;
- Management experience;
- Technology and systems architecture;
- Process controls;
- Financial condition;
- Reputation, including references;
- Degree of reliance on third parties, subcontractors, or partners;
- Legal, regulatory, and compliance history; and
- Ability to meet future needs.

Monitoring and reporting

- Measurements and reporting criteria;
- Right to audit;
- Third-party reports; and
- Coordination of responses to security events.

Transition requirements

- Initial migration of data to the service provider;
- Implementation of necessary communications mechanisms;
- Migration of data from the service provider at termination of contract; and
- Staff training.

Contract duration, termination, and assignment

- Start and term;
- Conditions and right to cancel;
- Ownership of data;
- Timely return of data in machine-readable format;
- Costs of transition;
- Limitations, as appropriate, governing assignment to third party;
- Dispute resolution; and
- Confidentiality of institution data.

Contractual protections against liability

- Indemnification;
- Limitation of liability; and
- Insurance.
When outsourcing to a subsidiary or affiliate is considered, management must assure that the components outlined above evidence an arm’s-length transaction. An arrangement between a financial institution and an affiliate or subsidiary should be on terms that are substantially the same as, or at least as favorable to the institution as, those prevailing at the time for comparable transactions with a non-affiliated third party.