Outsourcing Risk Management
Financial institutions increasingly rely on service providers, software vendors, and other third parties. Complex institutions often have an institution-wide vendor management program that encompasses all of these relationships. IT departments can contract with third parties for a large number of services including data processing, software development, equipment maintenance, business continuity, data storage, Internet access, and security management.
The board of directors and senior management are responsible for ensuring appropriate oversight of outsourced relationships. Technology needed to support business objectives is often a critical factor in deciding to outsource. Managing such relationships is not just a technology issue; it is an enterprise-wide corporate governance issue. An effective outsourcing oversight program should provide the framework for management to understand, monitor, measure, and control the risks associated with outsourcing. The board and senior management should develop and implement enterprise-wide policies and procedures to govern the outsourcing process including establishing objectives and strategies, selecting a provider, negotiating the contract, and monitoring the outsourced relationship.
Some factors institutions should consider or address include:
The time and resources devoted to effectively managing outsourcing relationships will depend on several factors, such as the criticality of outsourced processes, staff knowledge, and complexity of systems.
Detailed information on this topic is available in the IT Handbook's "Outsourcing Technology Services Booklet."