Credit unions today rely on third-party service-provider relationships for many, and in some cases, nearly all of their information technology (IT) needs. These partners provide critical services that involve sensitive member information.
While outsourcing has allowed credit unions to take advantage of some of the great advancements and opportunities offered by today's technology solutions, it has also increased their risk, because they are dependent on external providers who may not be fully aware of the requirements and responsibilities faced by financial institutions.
Regulatory scrutiny is now more intense then ever on how outsourced relationships are being managed, particularly those that involve sensitive member data. In order to meet regulatory requirements and ensure outsourced relationships are meeting the credit union's business objectives, a comprehensive service provider management program is essential.
An outsourcing-service provider management program requires more than just written policies. The following four components make up a comprehensive program. Each of these should be tailored to the specific needs and circumstances of your financial institution: A clearly articulated corporate strategy; Defined roles and responsibilities for overseeing outsourced relationships; Policies and procedures for managing third party service providers, and a risk-based approach to overseeing outsourced relationships.
What is the role of outsourcing in your credit union? Is your philosophy to build or buy? Do you prefer to establish joint ventures and invest capital in its partners, or stick to typical service contracts? What is your risk tolerance for service providers that are start-ups, highly specialized, or companies with weak financial positions? These are the types of strategic issues that should be addressed in the outsourcing strategy. The strategy should be formalized, board-approved, and understood across the credit union. Rather than create a separate document, the outsourcing strategy can be incorporated into the CU's overall strategy-plan.
Another important consideration is how outsourcing will be managed. A centralized approach involves establishing overarching policies, processes, and controls that apply to all product and service outsourcing and procurement activities. This is much broader than information systems and includes professional services, facilities, and maintenance and supply contracts. The decision to centralize some or all of the credit union's outsourcing administration should involve consideration of consistency of controls, the ability to leverage expertise and resources (e.g., in areas such as financial analysis, contract review, and administration), and consistency of risk management.
An outsourcing strategy should clarify objectives for risk management, information security, and regulatory compliance. For example, the strategy should acknowledge that the CU's responsibilities for these areas remain in force regardless of whether the activity is performed in-house or outsourced. Accordingly, the information security program, including the risk assessment process, must include outsourced activities. The bottom line is that regardless of where the information resides, the credit union must ensure that it is appropriately protected.
* The Board. The outsourcing strategy should be set at the board level and disseminated across the organization. However, the board's responsibility does not end with the strategy formulation. Oversight of outsourcing activities by directors is a fiduciary responsibility and a regulatory requirement. Therefore, the board must continue to receive periodic reports on outsourced activities, particularly as they pertain to risk management, information security, and regulatory compliance.
* Executive Management. In order to ensure that the outsourcing strategy is implemented successfully, designated roles and responsibilities must be set for key players in the credit union. Executive management plays a crucial role in "championing" important initiatives, delegating appropriate authority, and providing sufficient resources and funding for the outsourcing program. This may involve appointing an outsourcing coordinator and supporting that person's efforts to manage and oversee the credit union's outsourcing policies and procedures.
* Outsourcing Coordinator. The role of an outsourcing coordinator is a key function, particularly for credit unions that adopt a centralized or mostly-centralized outsourcing strategy. The coordinator is responsible for overseeing compliance with the outsourcing policy and ensuring that the risk rating methodology is applied consistently. The outsourcing coordinator also frequently serves as the first level of approval for key decisions (e.g., proposals to outsource a new function or contract with a new service provider). Given the sensitivity and authority required for this position, the role of outsourcing coordinator is most appropriate for a senior manager.
* Relationship Manager. Another key role in the outsourcing program is that of the relationship manager. Relationship managers are designated with responsibility for direct oversight of one or more service provider relationships. Specifically, the relationship manager is charged with day-to-day oversight activities, which include monitoring operating performance and service quality, reviewing financial statements and audit reports, preparing periodic risk ratings, and documenting-updating the relationship oversight strategy.
Cynthia A. Bonnette is managing director of M ONE, Inc., Phoenix. Ms. Bonnette can be reached at 602.957.7479 or at www.moneinc.com
