Outsourcing Also Out of Bounds?
While outsourcing has allowed credit unions to take advantage of some of the great advancements and opportunities offered by today's technology solutions, it has also increased their risk, especially when providers are not fully aware of the regulatory requirements and responsibilities faced by financial institutions.
As noted in the first part of this series (CU Journal, Sept. 22), an outsourcing-service provider management program requires more than just written policies. Four components make up a comprehensive program: a clearly articulated corporate strategy; defined roles and responsibilities for overseeing outsourced relationships; policies and procedures for managing third-party service providers; and a risk-based approach to overseeing outsourced relationships. The first two components were covered in Part 1; this installment addresses the last two.
Policies and Procedures
The roles and responsibilities described in Part 1 should be clearly defined in the credit union's written outsourcing policy. The outsourcing policy and supporting procedures should reflect the overall strategy for service provider management and define what is required of each relevant party to meet business objectives and ensure regulatory compliance. To be effective, the policy should be board-approved, management-endorsed, and distributed to all relevant parties.
Many CUs have found it effective to model their outsourcing policy on the November 2000 FFIEC guidance, "Risk Management of Outsourced Technology Services." The guidance focuses on four key areas: a risk assessment and business case analysis supporting the initial outsourcing decision; guidelines for service provider selection and due diligence; considerations for contracts and service level agreements; and ongoing supervision. Your policy should address each of these areas and define specific requirements for what must be considered and documented at each stage.
A risk-based approach to managing service provider relationships is essential. Not all relationships require the same level of supervision, so a relationship management strategy should be established for each one. The extent of the strategy may vary from active monitoring (e.g., review of financial statements, internal control evaluations, compliance with service level agreements) to limited monitoring combined with contract provisions and insurance requirements. Ultimately, the appropriate strategy will depend on the nature of the service provided, whether the service involves confidential or critical data, whether it is covered by regulatory requirements, and how easy or difficult the service would be to replace.
The best approach to risk-based relationship management is a holistic one: it is applied company-wide and considers the full life cycle of the relationship. This begins with the initial decision to outsource a particular service and continues through due diligence, initial contract negotiations, contract and agreement renewals, relationship management, risk monitoring, and termination.
The initial decision to outsource a particular service or function requires a feasibility analysis that considers the business objectives, requirements, costs, implementation timeframe, and potential providers. The risk assessment at this step should focus on the nature and criticality of the service and on whether it is best managed internally or externally. Once a decision to outsource the service has been made, the focus of subsequent risk assessments shifts to the service provider itself and its participation in the credit union's risk-management efforts.
To manage service provider relationships based on risk, establishing a risk rating methodology is critical. The methodology should define the criteria used to rate each relationship based on its key characteristics (for example, the factors listed above: access to confidential or critical data, regulatory coverage, and difficulty of replacement). At the origination of a vendor relationship, the relationship manager should assign an initial risk rating and document an appropriate oversight strategy, which may include specific contract covenants, periodic financial and operational reports, and similar controls.
The range and definition of risk ratings should be customized for your credit union. The scale can be as simple as "Low-Medium-High" or as elaborate as a combination of letter or numerical grades. The key is applying the methodology and definitions consistently across all relationships, and this is where the outsourcing coordinator role matters: that person is positioned to see every rating and catch inconsistent application of the criteria.
The relationship strategy and risk rating will drive relationship management, determining the nature and extent of monitoring and documentation required. The outsourcing policy should set guidelines for how often risk ratings are reviewed and reassessed. Generally, annual reviews for all relationships, with semi-annual or quarterly reviews for higher-risk relationships, is an effective practice; a rating should also be revisited whenever the relationship changes materially, such as at contract renewal or when the scope of data shared with the provider expands.
Cynthia A. Bonnette is managing director of M ONE, Inc., Phoenix. Ms. Bonnette can be reached at 602.957.7479 or at www.moneinc.com