Technology Service Provider and Service Receiver

Element: Risk Assessment

Essential Practices Statement:
Conduct a risk assessment to ensure an outsourcing relationship is consistent with an institution’s short- and long-term goals. A risk assessment considers:
• Strategic goals and objectives of the institution;
• Staff’s ability to oversee outsourcing relationships;
• Importance of the services to the institution;
• Contractual obligations and requirements for the service provider;
• Contingency plans, including availability of alternative service providers, costs and resources required to switch service providers; and
• Necessary controls and reporting processes.

Reason:
The board of directors and senior management are responsible for understanding the key risks associated with outsourcing arrangements and ensuring that effective risk management practices are in place.

Industry Standard Reference:
Memorandum, “Risk Management of Outsourcing” (Oct. 25, 2000).

Examination Handbook:
Technology Services Booklet (Jun. 2004), p. 5.
Audit Booklet (Aug. 2003), pp. 21-22.
Supervision of Technology Service Providers Booklet (Mar. 2003), pp. 1, 4-5.
Management Booklet (Jun. 2004), p. 32.
Information Security Booklet (Jul. 2006), pp. 76-77.

Element: Due Diligence

Essential Practices Statement:
Perform and document due diligence to ensure technology service providers are managed adequately, competent technically, stable financially, and insured appropriately.

Reason:
Performing the due diligence allows management to evaluate service providers to determine their ability, both operationally and financially, to meet the institution’s needs. Insurance coverage provided by the service provider should complement and supplement the institution’s coverage. The coverage should be reviewed to determine if it is adequate and consistent with what the institution would have purchased without an external provider. Where the service provider’s coverage is not sufficient, the institution should consider obtaining additional coverage.

Industry Standard Reference:
Memorandums, “Outsourcing of Technology-related Products and Services” (Jan. 16, 2001); “Risk Management of Outsourcing” (Oct. 25, 2000).

Examination Handbook:
Technology Services Booklet (Jun. 2004), p. 11.
Supervision of Technology Service Providers Booklet (Mar. 2003), p. 6.
Management Booklet (Jun. 2004), pp. 22, 32, 36.
Information Security Booklet (Jul. 2006), pp. 76-77.

Element: Contract

Essential Practices Statement:
Include the following elements in the written contract:
• Quality measures (Service Level Agreements or

Industry Standard Reference:
ISO/IEC 17799:2000, Section 4.2.2, “Security
Outsourcing
Technology Services
FCA Essential Practices for Information Technology SPR - 2
Service Provider and Service Receiver Section