You might not expect a service provider to write a blog post about the risks of outsourcing IT services. But I believe it is very important that all parties understand the potential risks involved, specifically in the banking sector.
With this understanding we can all take precautions to mitigate any risk, starting with a risk evaluation.
Risk evaluation by the Bank
The working group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds has suggested the following three steps to mitigate risks:
- Identification of the role of outsourcing in the overall business strategy and objectives aligned with corporate strategic goals.
- Comprehensive due diligence on the nature, scope and complexity of outsourcing IT services to identify the key risks and risk mitigation strategies – such as the security practices and environmental controls of the service provider.
- Analysis of the impact of such arrangement on the overall risk profile of the bank and whether adequate internal expertise and resources exist to mitigate the risks identified.
Risks involved in outsourcing IT Services by the bank
In my experience working with financial institutions and banking clients, the following are the most commonly identified risks associated with outsourcing IT services.
- Strategic risk – the business conduct of the service provider may run counter to the strategic goals of the bank.
- Reputation risk – poor service from the service provider could harm the reputation of the bank and damage customer relationships.
- Operational risk – technology failure, inadequate infrastructure or any error by the service provider in delivering IT services.
- Legal risk – potential non-compliance with privacy, consumer and prudential law.
- Country risk – arising from the political and social climate of the country to which the service is outsourced.
- Contractual risk – risks related to compliance with the terms of the contract between the service provider and the bank.
Materiality of outsourcing
The Bank also needs to assess the materiality of outsourcing to ascertain whether an outsourcing arrangement is material in its business context or not. This will mitigate risk and ensure better control when outsourcing IT services.
Materiality of the services outsourced can be determined on the basis of the criticality of the service, process or technology to the overall business objectives.
Criteria that can be considered in determining the materiality of proposed outsourcing include:
- Size and scale of operations which are outsourced,
- Potential impact of outsourcing on parameters such as cost of outsourcing as a proportion of total operating costs, earnings, liquidity, solvency, funding capital, risk profile, among others, for the Bank,
- Nature of functions outsourced,
- Extent of control and oversight exercised by the bank over vendor-managed processes – the ability of bank staff to influence day-to-day operations and decision making, or to exercise sufficient oversight over the day-to-day activities performed by outsourced providers,
- Degree of control exercised by the bank over outsourced entities, regardless of any conglomerate entity structure,
- Impact on data privacy and security – whether access to customer data has to be extended to staff of the service provider,
- Whether the bank has adequate flexibility to switch service providers, so that the risk of being tied to a single service provider is adequately mitigated, and the bank's aggregate exposure to a single service provider.
Once a decision has been made about outsourcing some or all of the Bank’s IT services, and the risks have been properly evaluated, it is essential that the Board and Senior Management understand their responsibilities to the bank.
Role of the Board and senior management
While an institution may delegate its day-to-day operational duties to a service provider, the responsibility for effective due diligence, oversight and management of outsourced IT services, and accountability for all outsourcing decisions, continues to rest with the Bank, its Board and senior management.
The board and senior management have the responsibility to institute an effective governance mechanism and risk management process for all outsourced operations.
The Board is responsible for:
- Instituting an appropriate governance mechanism for outsourced processes, comprising risk-based policies and procedures, to effectively identify, measure, monitor and control the risks associated with outsourcing in an end-to-end manner,
- Defining approval authorities for outsourcing depending on the nature of the risks in, and the materiality of, the outsourcing,
- Assessing management competencies to develop sound and responsive outsourcing risk management policies and procedures commensurate with the nature, scope, and complexity of outsourcing arrangements,
- Undertaking a periodic review of outsourcing strategies and all existing material outsourcing arrangements.
Senior management is responsible for:
- Evaluating the risks and materiality of all prospective outsourcing based on the framework developed by the Board,
- Developing sound outsourcing policies and procedures for implementation by Line Managers,
- Periodically reviewing the effectiveness of policies and procedures,
- Communicating significant risks in outsourcing to the Board on a periodic basis,
- Ensuring an independent review and audit in accordance with approved policies and procedures,
- Ensuring contingency plans have been developed and tested adequately.
Selection of service provider by the Bank
Having carried out risk evaluation measures and with the full support of the Board and senior management, the next step is to identify a service provider who will perform the outsourced function.
Proposals submitted by service providers should be evaluated in the light of the organisation’s needs, and any differences in the service provider proposals as compared to the solicitation should be analysed carefully.
To assess the capability of the service provider to comply with the outsourcing agreement, it is important to carry out due diligence. Due diligence should involve an evaluation of all information about the service provider, including qualitative, quantitative, financial, operational and reputational factors, as follows:
- Past experience and competence to implement and support proposed activities over the contractual period,
- Financial soundness and ability to service commitments even under adverse conditions,
- Business reputation and culture, compliance, complaints and outstanding or potential litigations,
- Security and internal control, audit coverage reporting and monitoring environment, business continuity management,
- External factors like political, economic, social and legal environment of jurisdiction in which the service provider operates and other events that may impact service performance,
- Business continuity arrangements in the case of technology outsourcing,
- Due diligence for sub-service providers,
- Risk management framework and alignment with applicable international standards on quality, security, environment, etc.,
- Secure infrastructure facilities,
- Employee training, knowledge transfer,
- Reliance on and ability to deal with sub-contractors.
IT services that a bank can outsource
In our experience, these are the most common IT services that a bank can outsource:
- Front line IT support – Service/Support Desk,
- Activities such as Debit card printing and dispatch, verifications, etc.,
- Technology Operations,
- Banking Operations,
- Cash Management and Collections,
- Fiduciary and Trading activities,
- Technology Infrastructure Management, Maintenance and Support,
- Application Development, Maintenance and Testing,
- Transaction Processing including payments, loans, deposits,
- Sourcing, Leads Generation,
- Customer Service helpdesk / call centre services,
- Marketing and Research.
While there are clear benefits in outsourcing IT services to an external provider, risk evaluation is fundamental, and you should expect any IT service provider to be focussed on this.
With the right IT service provider a bank can improve its operational efficiency by increasing its ability to acquire and support current technology, and allow management to focus on key management functions, such as better customer service and other core services.
If you have any questions concerning risk evaluations or outsourcing IT services in the banking sector, please get in touch.