Tuesday, December 31, 2013

IT outsourcing and Guidance on Managing Outsourcing Risk from US federal Reserve

Guidance on Managing Outsourcing Risk:

The Federal Reserve is issuing this guidance to financial institutions to highlight the potential risks arising from the use of service providers and to describe the elements of an appropriate service provider risk management program. This guidance supplements existing guidance on technology service provider (TSP) risk [Footnote 2: Refer to the FFIEC Outsourcing Technology Services Booklet (June 2004) at http://ithandbook.ffiec.gov/itbooklets/outsourcing-technology-services.aspx.] and applies to service provider relationships where business functions or activities are outsourced. For purposes of this guidance, "service providers" is broadly defined to include all entities [Footnote 3: Entities may be a bank or nonbank, affiliated or non-affiliated, regulated or non-regulated, or domestic or foreign.] that have entered into a contractual relationship with a financial institution to provide business functions or activities.

Risks from the Use of Service Providers:

The use of service providers to perform operational functions presents various risks to financial institutions. Some risks are inherent to the outsourced activity itself, whereas others are introduced with the involvement of a service provider. If not managed effectively, the use of service providers may expose financial institutions to risks that can result in regulatory action, financial loss, litigation, and loss of reputation. Financial institutions should consider the following risks before entering into and while managing outsourcing arrangements.

Compliance risks arise when the services, products, or activities of a service provider fail to comply with applicable U.S. laws and regulations.

Concentration risks arise when outsourced services or products are provided by a limited number of service providers or are concentrated in limited geographic locations.

Reputational risks arise when actions or poor performance of a service provider causes the public to form a negative opinion about a financial institution.

Country risks arise when a financial institution engages a foreign-based service provider, exposing the institution to possible economic, social, and political conditions and events from the country where the provider is located.

Operational risks arise when a service provider exposes a financial institution to losses due to inadequate or failed internal processes or systems or from external events and human error.

Legal risks arise when a service provider exposes a financial institution to legal expenses and possible lawsuits.

A financial institution's service provider risk management program should be risk-focused and provide oversight and controls commensurate with the level of risk presented by the outsourcing arrangements in which the financial institution is engaged. It should focus on outsourced activities that have a substantial impact on a financial institution's financial condition; are critical to the institution's ongoing operations; involve sensitive customer information or new bank products or services; or pose material compliance risk.

The depth and formality of the service provider risk management program will depend on the criticality, complexity, and number of material business activities being outsourced. A community banking organization may have critical business activities being outsourced, but the number may be few and to highly reputable service providers. Therefore, the risk management program may be simpler and use fewer elements and considerations. Financial institutions that use hundreds or thousands of service providers for numerous business activities with material risk may find that they need many more elements and considerations of a service provider risk management program to manage the higher level of risk and reliance on service providers.

While the activities necessary to implement an effective service provider risk management program can vary based on the scope and nature of a financial institution's outsourced activities, effective programs usually include the following core elements:

A. Risk assessments;
B. Due diligence and selection of service providers;
C. Contract provisions and considerations;
D. Incentive compensation review;
E. Oversight and monitoring of service providers; and
F. Business continuity and contingency plans.

Due Diligence and Selection of Service Providers:

A financial institution should conduct an evaluation of and perform the necessary due diligence for a prospective service provider prior to engaging the service provider. The depth and formality of the due diligence performed will vary depending on the scope, complexity, and importance of the planned outsourcing arrangement, the financial institution's familiarity with prospective service providers, and the reputation and industry standing of the service provider. Throughout the due diligence process, financial institution technical experts and key stakeholders should be engaged in the review and approval process as needed.

The overall due diligence process includes a review of the service provider with regard to:
1. Business background, reputation, and strategy;
2. Financial performance and condition; and
3. Operations and internal controls.