Desktop version

Home arrow Computer Science

  • Increase font
  • Decrease font

<<   CONTENTS   >>


Action Summary

The financial institution’s board and senior management should establish and approve risk-based policies to govern the outsourcing process. The policies should recognize the risk to the institution from outsourcing relationships and should be appropriate to the size and complexity of the institution.

The responsibility for properly overseeing outsourced relationships lies with the institution’s board of directors and senior management. Although the technology needed to support business objectives is often a critical factor in deciding to outsource, managing such relationships is more than just a technology issue; it is an enterprise-wide corporate management issue. An effective outsourcing oversight program should provide the framework for management to identify, measure, monitor, and control the risks associated with outsourcing. The board and senior management should develop and implement enterprise-wide policies to govern the outsourcing process consistently. These policies should address outsourced relationships from an end-to-end perspective, including establishing servicing requirements and strategies; selecting a provider; negotiating the contract; and monitoring, changing, and discontinuing the outsourced relationship.

Factors institutions should consider include:

■ Ensuring each outsourcing relationship supports the institution’s overall requirements and strategic plans;

■ Ensuring the institution has sufficient expertise to oversee and manage the relationship;

■ Evaluating prospective providers based on the scope and criticality of outsourced services;

■ Tailoring the enterprise-wide, service provider monitoring program based on initial and ongoing risk assessments of outsourced services; and

■ Notifying its primary regulator regarding outsourced relationships, when required by that regulator.[1]

Tire time and resources devoted to managing outsourcing relationships should be based on the risk the relationship presents to the institution. To illustrate, outsourcing processing of a small credit card portfolio will require a different level of oversight than outsourcing processing of all loan applications. Additionally, smaller and less complex institutions may have less flexibility than larger institutions in negotiating for services that meet their specific needs and in monitoring their service providers.


Risk management is the process of identifying, measuring, monitoring, and managing risk. Risk exists whether the institution maintains information and technology services internally or elects to outsource them. Regardless of which alternative they choose, management is responsible for managing risk in all outsourcing relationships. Accordingly, institutions should establish and maintain an effective risk management process for initiating and overseeing all outsourced operations.

An effective risk management process involves several key factors:

■ Establishing senior management and board awareness of the risks associated with outsourcing agreements in order to ensure effective risk management practices;

■ Ensuring that an outsourcing arrangement is prudent from a risk perspective and consistent with the business objectives of the institution;

■ Systematically assessing needs while establishing risk-based requirements;

■ Implementing effective controls to address identified risks;

■ Performing ongoing monitoring to identify and evaluate changes in risk from the initial assessment; and

■ Documenting procedures, roles/responsibilities, and reporting mechanisms.

Typically, this process incorporates the following activities:

■ Risk assessment and requirements definition;

■ Due diligence in selecting a service provider;

■ Contract negotiation and implementation; and

■ Ongoing monitoring.

Tire preceding comments focus on risk elements specifically associated with outsourcing. For a broader perspective on IT transactional and operational risk, refer to the IT Handbook’s “Supervision of Technology Service Providers (TSP) Booklet,” which addresses outsourcing risk from the service provider perspective.

  • [1] 12 USC 1867 (c) (11), Bank Service Company Act (Banks), and 12 USC 1464 (d) (7) Home Owners’ Loan Act (Thrifts). In addition, Thrift Bulletin 82, Third Party Arrangements (March 18, 2003), states that thrifts should notify the Office of Thrift Supervision at least 30 days before establishing a third party relationship with a foreign service provider.
<<   CONTENTS   >>

Related topics