Risk Management of Outsourced Technology Services: A Starting Point
Courtesy of RLR Management Consulting
In its November 28, 2000 statement, the Federal Financial Institutions Examination Council (FFIEC) provided a framework for financial institutions (hereafter referred to as FIs) to identify, measure, monitor and control "the risks associated with outsourcing technology services." In line with its Y2K guidance, the interagency body advised FIs that they cannot outsource their responsibility for the technology services they engage others to provide or manage. Rather, the FFIEC asserts that, as with Y2K, the risks inherent in outsourcing arrangements are too great to leave responsibility for managing them solely with the service provider. The FI must directly assume responsibility for managing those risks, from vendor selection to contract negotiation to ongoing vendor oversight. FIs should expect that in future examinations their regulator will use the November 28 statement as the definitive framework for reviewing the FI's due diligence.
What follows is a matrix that attempts to take much of that guidance and make it actionable for the FI. The matrix does not attempt to exhaust all the risks inherent in outsourcing arrangements, nor all the guidance offered by the FFIEC. Each FI will have aspects unique to its situation that deserve special study and attention, and the FFIEC statement is considerably more detailed, particularly in the area of contract negotiation. Rather, what follows is a starting point from which the FI can build its customized plan, based on the guidance of the FFIEC's statement along with the practical experience RLR Management Consulting has developed working with hundreds of FIs that regularly outsource their technology services.
We hope you find it helpful, and we are here to clarify or expand on any of the ideas that follow. Further, should your institution need assistance in building, implementing, or reviewing its customized plan, we are here to help.
VENDOR SELECTION PHASE

Risk: The service provider, due to financial weakness, could go out of business and, by doing so, significantly disrupt the FI's business and cause customer dissatisfaction.
Recommended FI measures to mitigate the risk:
- Perform a financial analysis of the service provider and decide whether to do business with it at all if there is significant financial weakness.
- At a minimum, include termination language in the contract that gives the FI an "out" if the provider's financial condition worsens.
- Create a contingency plan that allows a smooth conversion to an alternate provider in the event the provider does fail.
- Include all key service providers in this analysis, including those that provide data processing, item processing, Internet banking (if different from the above), and Internet access. Because Internet banking and Internet access providers offer services that directly touch the FI's customers, these providers warrant particularly close attention.

Risk: The service provider's system may not meet the FI's current and/or emerging needs, resulting in inefficient operations and/or constraints on offering competitive products and/or services to customers. Risk to the FI's reputation can result.
Recommended FI measures to mitigate the risk:
- Develop a comprehensive Request for Proposal (RFP) or decision-support matrix and compare several service provider offerings before making a selection.
- Consult existing customers, user groups, and partners of the providers to gather information about each provider's reputation and performance.
- Consider engaging independent resources to support the FI's evaluation process.

Risk: The service provider may lack appropriate operating or security controls, which, if breached, could cause financial or reputational loss to the FI.
Recommended FI measures to mitigate the risk:
- Thoroughly review third-party reviews and/or complete* SAS 70 reports to determine that an appropriate level of controls exists.
- Review the provider's contingency plans and the results of the tests it has completed.
- Ensure all locations that handle operations are included in the scope of the review.

* Ensure you review a Type II SAS 70, including schedules 1 and 2, which covers both the policy and the practice of enforcing the published controls. A Type I report only describes the controls as designed at a point in time; a Type II report also tests whether they actually operated over the review period.
CONTRACT NEGOTIATION PHASE

Risk: Ambiguity as to the scope of services to be provided, and the corresponding responsibilities of the service provider and the FI, can cause delayed implementations, inefficient operations and potential transaction losses.
Recommended FI measures to mitigate the risk:
- Ensure that the service provider's responses to the RFP or other requests for written information are incorporated into the contract by reference.
- Request that the service provider clearly detail the responsibilities of the provider and of the FI, both during implementation and on an ongoing basis. If a systems administrator is required at the FI, ask that the expertise and experience expected of this individual also be documented.

Risk: A standard contract provided by the service provider may protect the interests of the provider with little or no protection for the FI. The FI risks exposure in the event of disputes that may arise during the course of the contract.
Recommended FI measures to mitigate the risk:
- Consider engaging outside counsel to customize the contract and balance the interests more equitably.
- Pay particular attention to the limitation-of-liability provisions. Ensure the contract is explicit about the service provider's liability in the event the security of its system is breached and financial loss results.
- Consider adding performance standards (e.g., system availability of 99% or better) and penalties if the service provider fails to meet them.
- Carefully examine and negotiate the right to terminate the contract and any associated penalties.

Risk: The service provider's knowledge and observance of the regulatory requirements applicable to its own business, and to the FI's, is critical. The provider's failure to perform satisfactorily in this area can expose the FI to criticism by its regulatory agency along with potential penalties.
Recommended FI measures to mitigate the risk:
- Ensure the responsibilities of the service provider and the FI are clearly delineated in the contract.
- Ensure that the service provider's responsibility for the security and confidentiality of the FI's resources is specifically addressed. The provider's commitment to disclose security breaches to the FI should be detailed in the contract, including what constitutes a reportable breach and how promptly notice must be given.

Risk: The failure of the service provider to regularly share third-party audits, financial statements and ongoing contingency plan test results can prevent the FI from detecting potential problems with the service provider.
Recommended FI measures to mitigate the risk:
- The contract should detail the frequency with which these ongoing reports will be provided.
- The contract should stipulate that these reports will be sent to the FI automatically, without the FI having to request them.
IMPLEMENTATION PHASE

Risk: Insufficient human resources on the part of the FI can delay the implementation and ultimately hamper ongoing operations.
Recommended FI measures to mitigate the risk:
- Identify early in the project the resources the FI needs, in terms of time, expertise and experience.
- Ensure that appropriate resources are dedicated to the project from the beginning of the implementation through the system "cutover."

Risk: Insufficient representation from different areas within the FI can result in ineffective system setup, internal conflicts within the institution, and rework during or after the system implementation.
Recommended FI measures to mitigate the risk:
- Establish from the outset a project team that adequately represents the FI's key stakeholders.
- Establish project reporting from the team to senior management to ensure that the team's decisions are consistent with management's strategy and direction.
- Develop a method for escalating project slippage or conflict.

Risk: Failure to establish adequate internal controls for new systems and/or processes can lead to operational losses and customer dissatisfaction.
Recommended FI measures to mitigate the risk:
- Request materials from the service provider and/or other FIs on the controls and processes they established when implementing the same system. Determine the appropriateness of such controls for your FI.
- Clearly document the new responsibilities of staff and include them in job descriptions.
- Limit system access to what each job requires, and establish appropriate segregation of duties and dual-control procedures. Pay particular attention to transaction risks in new system offerings (e.g., Internet banking funds transfer and bill payment).

Risk: In the area of Internet banking, the lack of clearly defined customer responsibilities can expose the FI to losses and cause customer dissatisfaction.
Recommended FI measures to mitigate the risk:
- Ensure that online banking agreements clearly delineate the customer's and the FI's responsibilities.
- Develop specific agreements covering transaction types that carry greater transaction risk (e.g., wires, ACH transfers). Ensure that such written agreements are on file before initiating such transactions.
ONGOING OVERSIGHT OF SERVICE PROVIDER

Risk: The unexpected failure of a service provider can significantly disrupt the FI and cause customer dissatisfaction. Ongoing financial pressures on the service provider could result in a "softening" of operating controls, which in turn could cause financial loss or customer dissatisfaction.
Recommended FI measures to mitigate the risk:
- Review the ongoing financial information provided by the service provider.
- For providers of Internet banking only, review and assess quarterly financial results and whether the provider remains on target to achieve profitability.
- Continually review contingency plans and ensure that alternate providers remain viable options in the event the primary provider fails. Ensure that the cost and conversion timeframes are known and factored into the ongoing plan.
- Review closely the service provider's updated contingency plan tests and the specific actions taken to address identified deficiencies.
- Follow up on deficiencies noted in audit reports and request written responses.

Risk: Failure of the provider to perform the service satisfactorily can disrupt the FI's operations and may result in customer dissatisfaction.
Recommended FI measures to mitigate the risk:
- Assign responsibility within the FI for monitoring and evaluating the service provider on an ongoing basis.
- Ensure that service levels are being maintained, and that service outages are promptly reported and resolved.
- Document areas of dissatisfaction with the service provider and maintain comprehensive records of the provider's responses.
- Closely monitor customer complaints for those systems that directly "touch" the customer (e.g., ATMs, Internet banking).
- Periodically meet with the service provider to review performance issues and assess the provider's plans to improve.
- Take an active role in the service provider's user group and establish alliances with other client FIs to help oversee provider performance while sharing the cost of doing so.

Risk: Security breaches of the service provider's system or of the FI's own system can cause financial loss and loss of reputation.
Recommended FI measures to mitigate the risk:
- Continually review the service provider's security policies and practices, and the independent reviews performed of its system.
- Have the internal audit function review both the controls the service provider employs and those of the FI for adequacy and comprehensiveness.
- Review closely whether the controls of the core service provider "carry over" to an Internet banking offering; controls that protect the core system do not automatically extend to a separately hosted or separately administered Internet banking channel.
- Determine the adequacy of the preventive and detective controls for transactions that involve funds transfers within or outside the FI.
- Consider engaging third-party assistance for security intrusion testing if such resources are unavailable within the FI.
- Consider partnering with other FIs that use the same service provider when performing security reviews of the provider.

Risk: The service provider may not keep pace with customer requests for new products and/or services, potentially resulting in negative reputation, customer dissatisfaction and/or customer defection.
Recommended FI measures to mitigate the risk:
- Keep current with the service provider's product and service development plans for the coming year.
- Establish contact with other FIs that use the same service provider and determine their level of satisfaction with new product and service offerings.
- Survey customers regularly to determine their appetite for new products and services. Be proactive in ensuring the FI remains in tune with customer needs.
RLR Management Consulting, Inc. (RLR), is a nationwide consulting firm focused on providing high quality consulting assistance to financial institutions in the areas of corporate strategy, organizational analysis, operations management, general management, information technology, and regulatory compliance. RLR has assisted over 100 banks in California and nationwide on various technology and operational issues. Visit their website at www.rlrmgmt.com.