Financial institutions increasingly rely on service providers,
software vendors, and other third parties. Complex institutions
often have an institution-wide vendor management program that
encompasses all of these relationships. IT departments can contract
with third parties for a large number of services including data
processing, software development, equipment maintenance, business
continuity, data storage, Internet access, and security

The board of directors and senior management are responsible for
ensuring appropriate oversight of outsourced relationships.
Technology needed to support business objectives is often a
critical factor in deciding to outsource. Managing such
relationships is not just a technology issue; it is an
enterprise-wide corporate governance issue. An effective
outsourcing oversight program should provide the framework for
management to understand, monitor, measure, and control the risks
associated with outsourcing. The board and senior management should
develop and implement enterprise-wide policies and procedures to
govern the outsourcing process including establishing objectives
and strategies, selecting a provider, negotiating the contract, and
monitoring the outsourced relationship.

Some factors institutions should consider or address

The time and resources devoted to effectively managing outsourcing
relationships will depend on several factors, such as the
criticality of outsourced processes, staff knowledge, and
complexity of systems.

Detailed information on this topic is available in the IT
Handbook's "Outsourcing Technology Services Booklet."