Booklet: Outsourcing Technology Services
Section: Risk Management
Subsection: Service Provider Selection

Action Summary
After
identifying the work to be performed and the necessary controls, a financial
institution solicits responses from prospective service providers. The
primary tool for the solicitation is the Request for Proposal (RFP). The
RFP also supports subsequent contract negotiations.
REQUEST FOR PROPOSAL
A financial institution should generate the RFP from the information developed
during the requirements definition phase. While the level of detail may
vary for any particular procurement, the RFP should describe the institution’s
objectives; the scope and nature of the work to be performed; the expected
production service levels, delivery timelines, measurement requirements,
and control measures; and the financial institution’s policies for
security, business continuity, and change control. It also requests responses
addressing those requirements as well as the fees each service provider
will charge.
Once management distributes the RFPs and receives responses, it should
evaluate the service provider proposals against the institution’s
needs. When the institution evaluates the proposals, it may find that
the proposals do not completely agree with the RFP. For example, the service
that the service provider proposes may include different processing workflows
or reporting schemes, pricing formulas or techniques, or the response
to information requests may not be complete. If the institution considers
proposals that differ from the RFP, the institution should evaluate the
differences against its requirements and clearly understand how the changes
will affect the institution’s objectives and service expectations.
The institution should evaluate material differences using a process similar
to the one used to develop the requirements initially. An institution
should negotiate a resolution to any differences between the RFP and the
service provider proposal before contracting with a service provider.
DUE DILIGENCE
A financial institution should perform due diligence on the service provider’s
response to an RFP as well as the service provider itself. Due diligence
should serve as a verification and analysis tool, providing assurance
that the service provider meets the institution’s needs. Due diligence
should confirm and assess the following information regarding the service
provider:
- Existence and corporate history;
- Qualifications, backgrounds, and reputations of company principals, including criminal background checks where appropriate;
- Other companies using similar services from the provider that may be contacted for reference;
- Financial status, including reviews of audited financial statements;
- Strategy and reputation;
- Service delivery capability, status, and effectiveness;
- Technology and systems architecture;
- Internal controls environment, security history, and audit coverage;
- Legal and regulatory compliance including any complaints, litigation, or regulatory actions;
- Reliance on and success in dealing with third party service providers;
- Insurance coverage; and
- Ability to meet disaster recovery and business continuity requirements.
Other important elements include probing for information on intangibles,
such as the third party’s service philosophies, quality initiatives,
and management style. The culture, values, and business styles should
fit those of the financial institution. When a foreign-based service provider
is considered, the evaluation should assess the relationship in light
of the above items as well as the information discussed in Appendix C,
Foreign-Based Third-Party Service Providers.
Financial institutions may perform due diligence on one or more of the
service providers that respond to the RFP. The depth and formality of
the due diligence performed may vary according to the risk of the outsourced
relationship, the institution’s familiarity with the prospective
service providers, and the stage of the provider selection process.
Once institutions issue RFPs, receive and evaluate responses, and perform
due diligence, they enter into contract negotiations with one or more
of the service providers they have determined can best meet their needs.